![Page 1: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/1.jpg)
Copyright © 2015 Splunk Inc.
Getting Started with Splunk Enterprise: Hands-On Tour
Brian Greppi, Splunk Sr. Sales Engineer
![Page 2: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/2.jpg)
Download Splunk Enterprise for your OS and Architecture.
![Page 3: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/3.jpg)
Download tutorialdata.zip
![Page 4: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/4.jpg)
For OSX (from terminal):
mkdir /opt/splunk_live_bos
cd /opt/splunk_live_bos
tar -xzvf ~/Downloads/splunk-6.4.1-debde650d26e-darwin-64.tgz
cd splunk/bin
(Creating a directory under /opt normally needs root: run the mkdir with sudo and chown the directory to your own user, or unpack somewhere you already own, so that Splunk does not have to run as root.)
For WIN: Install the MSI.
For OSX: Start Splunk via ./splunk start
For WIN: Services -> Splunk -> Start
![Page 5: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/5.jpg)
Start Splunk and accept the license.
![Page 6: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/6.jpg)
With Firefox, Chrome, or Safari, head to http://127.0.0.1:8000 . User=admin, password=changeme. These are Splunk's well-known default credentials: change the admin password as soon as you are logged in, and keep the instance bound to localhost until you have.
![Page 7: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/7.jpg)
You’ve successfully installed Splunk, and logged in! Let’s add the tutorialdata.zip via “Add Data”
![Page 8: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/8.jpg)
You can also “Add Data” from Settings at the top.
![Page 9: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/9.jpg)
Click on upload.
![Page 10: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/10.jpg)
Let’s drag tutorialdata.zip into “Drop your data file here”.
![Page 11: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/11.jpg)
Click Next
![Page 12: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/12.jpg)
Splunk can auto-detect the sourcetype. Let's change the host field to buttercup-web01, and then click Review.
![Page 13: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/13.jpg)
Looks good, click Submit.
![Page 14: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/14.jpg)
Let's start searching our data.
![Page 15: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/15.jpg)
We’re brought into a search with filters applied to search the data we just uploaded.
![Page 16: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/16.jpg)
Let's type "buttercupgames" in the search bar, and double-click a bar on the histogram.
![Page 17: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/17.jpg)
Notice the time picker changed with our drill into the histogram bar.
![Page 18: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/18.jpg)
Given that this data is web access, let's do a string search for 400, which is the "Bad Request" status code. Notice that 188 events are returned (the number will vary for you).
![Page 19: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/19.jpg)
Let's also add 300 into the mix, and notice that the event count is higher now.
![Page 20: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/20.jpg)
We can see the 400 status codes, but no 300s. That's because a bare 300 in the search bar is not a search on the status field: it matches any event in which the term 300 appears anywhere in the raw text, for example as a byte count or inside a URL, regardless of what the status code is.
![Page 21: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/21.jpg)
Let's search on the status field explicitly for the values we want returned (status=400 OR status=300) instead of relying on a string match.
![Page 22: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/22.jpg)
Great, we're now returned all the events containing the two status codes we searched for. Click on "Top values by time", which will build a timechart for us.
![Page 23: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/23.jpg)
Notice how our search query changed: there's a | (pipe) and a timechart command added. The pipe followed by a command allows further operations on your filtered data set.
![Page 24: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/24.jpg)
Let's change our search to: buttercupgames status=* and drill into one bar on the histogram.
![Page 25: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/25.jpg)
Click on “top values by time” under the status field on the left, which will produce the timechart above.
![Page 26: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/26.jpg)
Let's exclude 200 status codes by adding AND status!=200, and change Line to Column. (status!=200 keeps only events that have a status field with some other value; NOT status=200 would also return events that have no status field at all.)
![Page 27: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/27.jpg)
After changing from Line to Column, let's stack the results (the middle option under Stack Mode). Much better!
![Page 28: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/28.jpg)
Let's now save this to a dashboard, a place we can go to view this search without having to remember what we had just searched for. Click Save As -> Dashboard Panel. Fill in the form, click Save, then View Dashboard.
![Page 29: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/29.jpg)
Click on Search to get back to the search bar, and key in: buttercupgames. Development wants to know which web browsers are being used to access the site, but no such field currently exists. No problem, let's extract the browser field. Find an event that contains a value you're looking for, and click the ">" arrow just to the left of "Time". The event will expand with a down arrow, and Extract Fields will be under Event Actions. Click Extract Fields.
![Page 30: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/30.jpg)
Click Regular Expression (Splunk will build a regular expression to extract our field), and click Next. Highlight the value of the field you'd like to create, and name the field browser_type. Click Add Extraction.
![Page 31: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/31.jpg)
Let's verify that the extracted field contains values that are indeed types of browsers. Good, click Next to proceed. Now, open the permissions to "App", which lets every user of the app leverage this extraction (the default keeps it private to your own user). Click Next.
![Page 32: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/32.jpg)
Success! Let's explore the field just created in search by clicking the link.
![Page 33: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/33.jpg)
You'll now be taken to search, with the filter set to the sourcetype to which the field extraction has been applied. Note: field extractions are coupled to a sourcetype, so browser_type exists only on events of this sourcetype. Click on "Top values".
![Page 34: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/34.jpg)
Notice how the search changed. And, instead of a bar graph, we want a pie chart, so drop down the “bar” option and change it to Pie.
![Page 35: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/35.jpg)
Let's add this search to our dashboard, and then view the dashboard. Click Edit -> Edit Panels to drag the panels to different positions.
![Page 36: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/36.jpg)
Let's go back to search and search for buttercupgames AND status!=200 (we want to see the events that aren't successful). Add the stats and where clauses shown above, so that the search returns a result only when there are more than 100 unsuccessful status codes.
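The search semantics this deck walks through, re-created outside Splunk so they can be inspected: the difference between a bare term such as 300 and an explicit status=300 (slides 18 to 21), timechart counts by status with status!=200 excluded (slides 22 to 27), a regex-extracted browser_type field with its top values (slides 29 to 34), and the stats/where threshold that drives the alert on this slide. This is an added example written for this page, not code from the deck or from Splunk. The access_combined regex, the browser_type regex, the tokenizer and the five sample events are all assumptions made for the example; Splunk's own extraction and term breaking are more elaborate, and the tutorial data will give different counts.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events in the access_combined layout of the tutorial's web data.
# They are made up for this example and are not lines from tutorialdata.zip.
SAMPLE_EVENTS = [
    '10.2.1.34 - - [18/Oct/2016:18:52:21 -0700] "GET /cart.do?action=addtocart&itemId=EST-14 HTTP/1.1" '
    '200 300 "http://www.buttercupgames.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/46.0 Safari/537.36"',
    '87.194.216.51 - - [18/Oct/2016:18:53:02 -0700] "GET /product.screen?productId=WC-SH-300 HTTP/1.1" '
    '200 1548 "http://www.buttercupgames.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) '
    'AppleWebKit/601.1 (KHTML, like Gecko) Version/9.0 Safari/601.1"',
    '10.2.1.34 - - [18/Oct/2016:18:53:40 -0700] "POST /cart.do?action=purchase HTTP/1.1" '
    '400 2138 "http://www.buttercupgames.com/cart.do" "Mozilla/5.0 (Windows NT 6.1; rv:41.0) '
    'Gecko/20100101 Firefox/41.0"',
    '91.205.189.15 - - [18/Oct/2016:18:54:11 -0700] "GET /admin HTTP/1.1" 404 1011 "-" '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    '91.205.189.15 - - [18/Oct/2016:18:54:12 -0700] "GET /oldcatalog HTTP/1.1" 300 512 "-" '
    '"Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
]

# Field extraction for the access_combined layout: a hand-written approximation of what the
# built-in sourcetype does at search time (an assumption, not copied from Splunk's config).
ACCESS_COMBINED = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)

# Browser family pulled out of the user-agent string. The deck has Splunk generate a regex
# from a highlighted value; this one is written by hand and is an assumption.
BROWSER_TYPE = re.compile(r"Firefox|Chrome|MSIE|Safari")


def extract_fields(raw):
    """One event as a dict of search-time fields plus _raw; unparsable lines keep only _raw."""
    fields = {"_raw": raw}
    m = ACCESS_COMBINED.match(raw)
    if m:
        fields.update(m.groupdict())
        b = BROWSER_TYPE.search(fields["useragent"])
        if b:
            fields["browser_type"] = b.group(0)
    return fields


def tokens(raw):
    """Approximate index-time tokenization: every run of letters or digits in _raw is a term."""
    return set(re.findall(r"[A-Za-z0-9]+", raw))


def term_search(events, term):
    """A bare term such as 300 matches any event in which that token occurs anywhere in _raw."""
    return [e for e in events if term in tokens(e["_raw"])]


def field_search(events, field, values):
    """field=value (ORed over several values) matches only on the extracted field."""
    wanted = set(values)
    return [e for e in events if e.get(field) in wanted]


def exclude(events, field, value):
    """field!=value keeps events that HAVE the field with a different value.
    NOT field=value would additionally keep events that lack the field entirely."""
    return [e for e in events if field in e and e[field] != value]


def top_values(events, field):
    """The 'Top values' drill-down (| top <field>) as (value, count) pairs, most frequent first."""
    return Counter(e[field] for e in events if field in e).most_common()


def timechart_by_status(events):
    """| timechart span=1m count by status: per-minute buckets, each a {status: count} mapping."""
    chart = defaultdict(Counter)
    for e in events:
        if "status" not in e:
            continue
        ts = datetime.strptime(e["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
        chart[ts.strftime("%Y-%m-%d %H:%M")][e["status"]] += 1
    return {bucket: dict(counts) for bucket, counts in sorted(chart.items())}


def unsuccessful_count(events):
    """status!=200 | stats count: the number the alert compares with its threshold."""
    return len(exclude(events, "status", "200"))


def alert_fires(events, threshold=100):
    """| where count > threshold: True when the scheduled search should trigger the alert."""
    return unsuccessful_count(events) > threshold


EVENTS = [extract_fields(raw) for raw in SAMPLE_EVENTS]

if __name__ == "__main__":
    print("term 300   :", [e["status"] for e in term_search(EVENTS, "300")])
    print("status=300 :", [e["status"] for e in field_search(EVENTS, "status", ["300"])])
    print("browsers   :", top_values(EVENTS, "browser_type"))
    print("timechart  :", timechart_by_status(EVENTS))
    print("alert >100 :", alert_fires(EVENTS), " alert >2 :", alert_fires(EVENTS, threshold=2))
```

Run on the sample, the bare term 300 returns three events (a 300-byte response, a productId ending in 300, and the one genuine status 300), while status=300 returns only the last; that is the discrepancy slides 19 and 20 show. The usual SPL forms of the same operations are buttercupgames status=400 OR status=300, ... | timechart count by status, and buttercupgames status!=200 | stats count | where count > 100; with only five constructed events the 100 threshold never fires, which is why the block also evaluates a lower one.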
![Page 37: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/37.jpg)
Let's create an alert. Save As -> Alert. Fill out the Title, Scheduled, Earliest + Latest, and Cron Expression (instead of 48, use a minute value a few minutes ahead of your current time; i.e. if it's 9:00am, change it to 05).
![Page 38: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/38.jpg)
Add to Triggered Alerts, and Save.
![Page 39: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/39.jpg)
You should see an alert trigger once your scheduled search runs at the cron expression you defined. Note: alerts will work until the trial license expires.
![Page 40: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/40.jpg)
Let's go back to search and run: buttercupgames status=* | iplocation clientip. We want to look up the clientip values against the MaxMind database to pull in City, Country, State, Lat and Lon for the IPs.
![Page 41: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/41.jpg)
Now, the business is interested in seeing plots on a map of web users and what they're doing with the website. Let's append a geostats command that counts the events by the values of the action field. Pretty cool! This is definitely dashboard worthy! Let's add it to the dashboard.
![Page 42: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/42.jpg)
Awesome! Now we have a single pane of glass that Operations, Development, and Business all care about – from one data source! Talk about value!
![Page 43: Getting Started with Splunk Enterprise](https://reader034.vdocuments.site/reader034/viewer/2022052705/586fb2cd1a28abe57d8b69f7/html5/thumbnails/43.jpg)
Thank You