
Index
Title Page
Copyright and Credits
  • Implementing Splunk 7 Third Edition
Packt Upsell
  • Why subscribe?
  • PacktPub.com
Contributors
  • About the author
  • About the reviewer
  • Packt is searching for authors like you
Preface
  • Who this book is for
  • What this book covers
  • To get the most out of this book
  • Download the example code files
  • Conventions used
  • Get in touch
  • Reviews
The Splunk Interface
  • Logging in to Splunk
  • The home app
  • The top bar
  • The Search & Reporting app
  • Data generator
  • The Summary view
  • Search
  • Actions
  • Timeline
  • The field picker
  • Fields
  • Search results
  • Options
  • Events viewer
  • Using the time picker
  • Using the field picker
  • The settings section
  • Splunk Cloud
  • Try before you buy
  • A quick cloud tour
  • The top bar in Splunk Cloud
  • Splunk reference app – PAS
  • Universal forwarder
  • eventgen
  • Next steps
  • Summary
Understanding Search
  • Using search terms effectively
  • Boolean and grouping operators
  • Clicking to modify your search
  • Event segmentation
  • Field widgets
  • Time
  • Using fields to search
  • Using the field picker
  • Using wildcards efficiently
  • Supplementing wildcards in fields
  • All about time
  • How Splunk parses time
  • How Splunk stores time
  • How Splunk displays time
  • How time zones are determined and why it matters
  • Different ways to search against time
  • Presets
  • Relative
  • Real-time
  • Windowed real-time versus all-time real-time searches
  • Date range
  • Date and time range
  • Advanced
  • Specifying time in-line in your search
  • _indextime versus _time
  • Making searches faster
  • Sharing results with others
  • The URL
  • Save As Report
  • Save As Dashboard Panel
  • Save As Alert
  • Save As Event Type
  • Searching job settings
  • Saving searches for reuse
  • Creating alerts from searches
  • Enable Actions
  • Action Options
  • Sharing
  • Event annotations
  • An illustration
  • Summary
Tables, Charts, and Fields
  • About the pipe symbol
  • Using top to show common field values
  • Controlling the output of top
  • Using stats to aggregate values
  • Using chart to turn data
  • Using timechart to show values over time
  • The timechart options
  • Working with fields
  • A regular expression primer
  • Commands that create fields
  • eval
  • rex
  • Extracting loglevel
  • Using the extract fields interface
  • Using rex to prototype a field
  • Using the admin interface to build a field
  • Indexed fields versus extracted fields
  • Indexed field case 1 – rare instances of a common term
  • Indexed field case 2 – splitting words
  • Indexed field case 3 – application from source
  • Indexed field case 4 – slow requests
  • Indexed field case 5 – unneeded work
  • Chart enhancements in version 7.0
  • charting.lineWidth
  • charting.data.fieldHideList
  • charting.legend.mode
  • charting.fieldDashStyles
  • charting.axisY.abbreviation
  • Summary
Data Models and Pivots
  • What is a data model?
  • What does a data model search?
  • Data model objects
  • Object constraining
  • Attributes
  • Acceleration in version 7.0
  • Creating a data model
  • Filling in the new data model dialog
  • Editing fields (attributes)
  • Lookup attributes
  • Children
  • What is a pivot?
  • The Pivot Editor
  • Working with pivot elements
  • Filtering pivots
  • Split (row or column)
  • Column values
  • Pivot table formatting
  • A quick example
  • Sparklines
  • Summary
Simple XML Dashboards
  • The purpose of dashboards
  • Using wizards to build dashboards
  • Adding another panel
  • A cool trick
  • Converting the panel to a report
  • More options
  • Back to the dashboard
  • Add input
  • Editing source
  • Edit UI
  • Editing XML directly
  • UI examples app
  • Building forms
  • Creating a form from a dashboard
  • Driving multiple panels from one form
  • Post-processing search results
  • Post-processing limitations
  • Features replaced
  • Autorun dashboard
  • Scheduling the generation of dashboards
  • Summary
Advanced Search Examples
  • Using subsearches to find loosely related events
  • Subsearch
  • Subsearch caveats
  • Nested subsearches
  • Using transaction
  • Using transaction to determine session length
  • Calculating the aggregate of transaction statistics
  • Combining subsearches with transaction
  • Determining concurrency
  • Using transaction with concurrency
  • Using concurrency to estimate server load
  • Calculating concurrency with a by clause
  • Calculating events per slice of time
  • Using timechart
  • Calculating average requests per minute
  • Calculating average events per minute, per hour
  • Rebuilding top
  • Acceleration
  • Big data – summary strategy
  • Report acceleration
  • Report acceleration availability
  • Version 7.0 advancements in metrics
  • Definition of a Splunk metric
  • Using Splunk metrics
  • Creating a metrics index
  • Creating a UDP or TCP data input
  • Summary
Extending Search
  • Using tags to simplify search
  • Using event types to categorize results
  • Using lookups to enrich data
  • Defining a lookup table file
  • Defining a lookup definition
  • Defining an automatic lookup
  • Troubleshooting lookups
  • Using macros to reuse logic
  • Creating a simple macro
  • Creating a macro with arguments
  • Creating workflow actions
  • Running a new search using values from an event
  • Linking to an external site
  • Building a workflow action to show field context
  • Building the context workflow action
  • Building the context macro
  • Using external commands
  • Extracting values from XML
  • xmlkv
  • XPath
  • Using Google to generate results
  • Summary
Working with Apps
  • Defining an app
  • Included apps
  • Installing apps
  • Installing apps from Splunkbase
  • Using Geo Location Lookup Script
  • Using Google Maps
  • Installing apps from a file
  • Building your first app
  • Editing navigation
  • Customizing the appearance of your app
  • Customizing the launcher icon
  • Using custom CSS
  • Using custom HTML
  • Custom HTML in a simple dashboard
  • Using server-side include in a complex dashboard
  • Object permissions
  • How permissions affect navigation
  • How permissions affect other objects
  • Correcting permission problems
  • App directory structure
  • Adding your app to Splunkbase
  • Preparing your app
  • Confirming sharing settings
  • Cleaning up our directories
  • Packaging your app
  • Uploading your app
  • Self-service app management
  • Summary
Building Advanced Dashboards
  • Reasons for working with advanced XML
  • Reasons for not working with advanced XML
  • Development process
  • Advanced XML structure
  • Converting simple XML to advanced XML
  • Module logic flow
  • Understanding layoutPanel
  • Panel placement
  • Reusing a query
  • Using intentions
  • stringreplace
  • addterm
  • Creating a custom drilldown
  • Building a drilldown to a custom query
  • Building a drilldown to another panel
  • Building a drilldown to multiple panels using HiddenPostProcess
  • Third-party add-ons
  • Google Maps
  • Sideview Utils
  • The Sideview search module
  • Linking views with Sideview
  • Sideview URLLoader
  • Sideview forms
  • Summary
Summary Indexes and CSV Files
  • Understanding summary indexes
  • Creating a summary index
  • When to use a summary index
  • When to not use a summary index
  • Populating summary indexes with saved searches
  • Using summary index events in a query
  • Using sistats, sitop, and sitimechart
  • How latency affects summary queries
  • How and when to backfill summary data
  • Using fill_summary_index.py to backfill
  • Using collect to produce custom summary indexes
  • Reducing summary index size
  • Using eval and rex to define grouping fields
  • Using a lookup with wildcards
  • Using event types to group results
  • Calculating top for a large time frame
  • Summary index searches
  • Using CSV files to store transient data
  • Pre-populating a dropdown
  • Creating a running calculation for a day
  • Summary
Configuring Splunk
  • Locating Splunk configuration files
  • The structure of a Splunk configuration file
  • The configuration merging logic
  • The merging order
  • The merging order outside of search
  • The merging order when searching
  • The configuration merging logic
  • Configuration merging – example 1
  • Configuration merging – example 2
  • Configuration merging – example 3
  • Configuration merging – example 4, search
  • Using btool
  • An overview of Splunk.conf files
  • props.conf
  • Common attributes
  • Search-time attributes
  • Index-time attributes
  • Parse-time attributes
  • Input-time attributes
  • Stanza types
  • Priorities inside a type
  • Attributes with class
  • inputs.conf
  • Common input attributes
  • Files as inputs
  • Using patterns to select rolled logs
  • Using blacklist and whitelist
  • Selecting files recursively
  • Following symbolic links
  • Setting the value of the host from the source
  • Ignoring old data at installation
  • When to use crcSalt
  • Destructively indexing files
  • Network inputs
  • Native Windows inputs
  • Scripts as inputs
  • transforms.conf
  • Creating indexed fields
  • Creating a loglevel field
  • Creating a session field from the source
  • Creating a tag field
  • Creating host categorization fields
  • Modifying metadata fields
  • Overriding the host
  • Overriding the source
  • Overriding sourcetype
  • Routing events to a different index
  • Lookup definitions
  • Wildcard lookups
  • CIDR wildcard lookups
  • Using time in lookups
  • Using REPORT
  • Creating multivalue fields
  • Creating dynamic fields
  • Chaining transforms
  • Dropping events
  • fields.conf
  • outputs.conf
  • indexes.conf
  • authorize.conf
  • savedsearches.conf
  • times.conf
  • commands.conf
  • web.conf
  • User interface resources
  • Views and navigation
  • Appserver resources
  • Metadata
  • Summary
Advanced Deployments
  • Planning your installation
  • Splunk instance types
  • Splunk forwarders
  • Splunk indexer
  • Splunk search
  • Common data sources
  • Monitoring logs on servers
  • Monitoring logs on a shared drive
  • Consuming logs in batch
  • Receiving syslog events
  • Receiving events directly on the Splunk indexer
  • Using a native syslog receiver
  • Receiving syslog with a Splunk forwarder
  • Consuming logs from a database
  • Using scripts to gather data
  • Sizing indexers
  • Planning redundancy
  • The replication factor
  • Configuring your replication factors
  • Syntax
  • Indexer load balancing
  • Understanding typical outages
  • Working with multiple indexes
  • Directory structure of an index
  • When to create more indexes
  • Testing data
  • Differing longevity
  • Differing permissions
  • Using more indexes to increase performance
  • The life cycle of a bucket
  • Sizing an index
  • Using volumes to manage multiple indexes
  • Deploying the Splunk binary
  • Deploying from a tar file
  • Deploying using msiexec
  • Adding a base configuration
  • Configuring Splunk to launch at boot
  • Using apps to organize configuration
  • Separate configurations by purpose
  • Configuration distribution
  • Using your own deployment system
  • Using the Splunk deployment server
  • Step 1 – deciding where your deployment server will run
  • Step 2 – defining your deploymentclient.conf configuration
  • Step 3 – defining our machine types and locations
  • Step 4 – normalizing our configurations into apps appropriately
  • Step 5 – mapping these apps to deployment clients in serverclass.conf
  • Step 6 – restarting the deployment server
  • Step 7 – installing deploymentclient.conf
  • Using LDAP for authentication
  • Using single sign-on
  • Load balancers and Splunk
  • web
  • splunktcp
  • deployment server
  • Multiple search heads
  • Summary
Extending Splunk
  • Writing a scripted input to gather data
  • Capturing script output with no date
  • Capturing script output as a single event
  • Making a long-running scripted input
  • Using Splunk from the command line
  • Querying Splunk via REST
  • Writing commands
  • When not to write a command
  • When to write a command
  • Configuring commands
  • Adding fields
  • Manipulating data
  • Transforming data
  • Generating data
  • Writing a scripted lookup to enrich data
  • Writing an event renderer
  • Using specific fields
  • A table of fields based on field value
  • Pretty printing XML
  • Writing a scripted alert action to process results
  • Hunk
  • Summary
Machine Learning Toolkit
  • What is machine learning?
  • Content recommendation engines
  • Natural language processing
  • Operational intelligence
  • Defining the toolkit
  • Time well spent
  • Obtaining the Kit
  • Prerequisites and requirements
  • Installation
  • The toolkit workbench
  • Assistants
  • Extended SPL (search processing language)
  • ML-SPL performance app
  • Building a model
  • Time series forecasting
  • Using Splunk
  • Launching the toolkit
  • Validation
  • Deployment
  • Saving a report
  • Exporting data
  • Summary
