Splunk Power User Bootcamp
Instructor
Jessica Villela
Martin Boemer
Splunk Fundamentals 1
Splunk Enhanced Solutions
IT Service Intelligence (ITSI) - focused on services and their monitoring
Enterprise Security (ES) - focused on security and event correlation (rules)
User Behavior Analytics (UBA) - focused on user behavior, highlights anomalies in user behavior
Search, Fields and Indexing
When data arrives at the Indexer, the only fields created (parsed) at index time are host, source and sourcetype, plus the _time and _raw fields. All other fields are extracted at search time, which means field parsing happens when the search runs.
Search best practices
Time is the best filter; then specify the index and use host or sourcetype. Use the most efficient keywords: it is better to use OR than a wildcard, and search phrases in double quotes.
User > Preferences > SPL Editor > check Advanced Editor, Line Numbers and Search auto-format. Easier reading, fewer mistakes.
Time picker
Marking a range on the timeline filters the displayed events without running a new search. Zoom to Selection zooms into the selected time frame. Zoom Out steps back out of the selected time frame.
Jobs
Activity > Jobs gives an overview of executed jobs.
Fields
index time - host, source, sourcetype, time and raw
search time - all other fields
Interesting fields are those whose values are present in at least 20% of the searched events.
Force case-sensitive matching of a field value with the CASE function: CASE(keyword)
SPL
dedup: use it as early as possible in the search, it makes the search more efficient.
If the table contains several fields with duplicate values, dedup on a single field alone can give wrong results. Specify two or more fields, depending on the case, e.g. dedup <field1> <field2>
Specifying fields in the search can make the search faster.
To drop results that have no value for a field, specify the field as field=*
SPL supports CIDR notation. Do not forget the double quotes, e.g. "192.168.1.0/24"
!= vs. NOT
NOT field=value removes the events whose field contains the specified value, but events where the field is missing entirely stay in the results.
field != value excludes the specified value from the results and also excludes events where the field is missing.
It can be better to use != instead of NOT.
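The difference above, run over a constructed four-event dataset (an added example, not from the course notes; the field names n and src_ip and the addresses are assumed for illustration). Event n=4 has no src_ip at all: the NOT branch returns n=2 and n=4, the != branch returns only n=2.

```spl
| makeresults count=4
| streamstats count AS n
| eval src_ip = case(n=1, "10.0.0.5", n=2, "10.0.0.9", n=3, "10.0.0.5", true(), null())
| fields n src_ip
| search NOT src_ip=10.0.0.5
| eval filter="NOT src_ip=10.0.0.5"
| append [
    | makeresults count=4
    | streamstats count AS n
    | eval src_ip = case(n=1, "10.0.0.5", n=2, "10.0.0.9", n=3, "10.0.0.5", true(), null())
    | fields n src_ip
    | search src_ip!=10.0.0.5
    | eval filter="src_ip!=10.0.0.5"
  ]
| table filter n src_ip
```

In a detection search this matters: a NOT filter silently keeps events where the field was never extracted, while != silently drops them, so check which behaviour the rule actually needs.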
Dashboards & Reports
To add a drilldown, edit the dashboard: Dashboard > Edit Drilldown
If a panel is powered by a report, only the source report can be edited. That means the report is edited in one place and the results propagate to the panel(s).
Indexes
How to find which indexes and sourcetypes we have:
| tstats values(sourcetype) as "Source Types" by index
Useful links
Splunk Center of Excellence, best practices by Splunk
Splunk Splexicon, explains Splunk terms