Splunk Enterprise for IT Troubleshooting Hands-On
TRANSCRIPT
Safe Harbor Statement
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Agenda
1. Splunk Enterprise Overview
2. Troubleshooting with Splunk (Live Demo / Walkthrough)
   • Installing & Setting up an App
   • Logging in and Searching
   • Extracting Fields
   • Troubleshooting Infrastructure
   • Troubleshooting Applications
   • Creating an Alert
   • Creating Reports and Dashboards
3. Wrap Up
4. Q&A

Escalating IT Complexity…
[Diagram labels: SaaS/PaaS, IaaS, Virtualization, Storage, Packaged Applications, Custom Applications, HR, Finance, App Svr, DB, Web Svr, Infrastructure, Applications, VPN, IP Phone, Identify, Servers, Networking]

…Plaguing IT Operations
[Diagram labels: SaaS/PaaS, IaaS, Virtualization, Storage, Packaged Applications, Custom Applications, HR, Finance, App Svr, DB, Web Svr, Infrastructure, Applications, VPN, IP Phone, Identify, Servers, Networking]
• Complex, silo-based technologies
• Disconnected and outdated point solutions
• Reactive brute-force problem resolution
• Over 80% of time on maintaining, not innovating

Industry-Leading Platform for Machine Data
[Diagram labels. Any Machine Data: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID. Enterprise Scalability: Datacenter, Private Cloud, Public Cloud, Containers. Operational Intelligence: Search and Investigation, Proactive Monitoring, Operational Visibility, Real-Time Business Insights]

Industry-Leading Platform for Machine Data
[Diagram labels: Any Machine Data, Enterprise Scalability, Operational Intelligence, with the same sources and outcomes as on the previous slide]
• Any amount, any location, any source
• Schema-on-the-fly
• Universal indexing
• No backend RDBMS
• No need to filter data

The Focus
• Application Delivery
• IT Operations
• Security, Compliance and Fraud
• Business Analytics
• Internet of Things and Industrial Data
• Developer Platform (REST API, SDKs)

Turning Machine Data Into Operational Intelligence
[Diagram labels: Reactive, Proactive; Search and Investigate, Proactive Monitoring and Alerting, Operational Visibility, Real-Time Business Insight]

Index and Analyze Data Across Your Technology Stack
Splunk Add-Ons, Templates and Apps Accelerate Value From Machine Data
No rigid schemas – add in data from any other source.
[Diagram labels: API, SDKs, UI; Server, Storage, Network; Virtualization, Containers; Operating Systems + Databases; Custom Applications; Business Applications; Cloud Services; Web Intelligence; Mobile Applications; Stream; Operations and Service Desks; App Performance Monitoring; DB Connect]

Install Splunk and App
• Install Splunk (installers on USB keys)
• Start Splunk
  – splunk start --accept-license --answer-yes --no-prompt
• Login
  – http://localhost:8000
  – Default credentials: admin/changeme
• Install app
  – Click the widget next to “Apps”
  – Install app from file
  – Choose the app from the USB key
• Restart Splunk

Splunk Demo Environment - Cloud
• Go to one of the following URLs:
  – https://od-sl-longbeach-itops-01.splunkoxygen.com
  – https://od-sl-longbeach-itops-02.splunkoxygen.com
  – https://od-sl-longbeach-itops-03.splunkoxygen.com
• Log in to Splunk using the following credentials:
  – User: user[1-10]@buttercupgms.com
  – Password: Changeme[1-10]

Log in to Splunk
Click Search & Reporting to get started using Splunk!

Searching with Splunk
Start by typing * in the search bar!

Search Results
Explore the results!
Click on host
Click on sourcetype
Look at the other fields
Next, we’ll extract new fields!

Extracting Fields
Start with this search: sourcetype=customlog
Then scroll down and click on Extract New Fields at the bottom of the field list.

Extracting Fields
Click on any event in the list
Fields that are already being extracted are highlighted.
Click Next to continue

Extracting Fields
Choose Regular Expression
Don’t worry – we won’t be writing any regexes!
Click Next

Extracting Fields
Click and drag to highlight the last field (it will be OK or NSF)
Type status_description in the Field Name box
Click Add Extraction

Extracting Fields
Check out the status_description column!
Click Next

Extracting Fields
Notice the Permissions
(You don’t need to change anything now, but you may need to look this up on docs.splunk.com later if you have trouble!)
Click Finish
Your new field is now EXTRACTED!

Troubleshooting Infrastructure
We have reports of problems on the website, so let’s search sourcetype=access*
Look at the available fields – feel free to explore!
Click on the status field to see the top values
Click on Top values by time

Extracting Fields
Click on Explore the fields I just created in Search
When your search results show up, expand an event by clicking on the >
Check out your new field!

Troubleshooting Infrastructure
Change the graph from a Line to a Column
Change Format to Stacked
Now we can see the distribution of status codes over the last hour!
Click on 503 in the legend on the far right

Troubleshooting Infrastructure
Now we can see all the events with a 503 status!
Add | stats count by host to your search to see how many 503 status codes each server has
sourcetype=access* status=503 | stats count by host
Now we can see that webserver-01 has more errors!
Click webserver-01 then click New Search

Troubleshooting Infrastructure
Notice that your search is now * host="webserver-01"
Click on sourcetype to see what kinds of data we have
Let’s start by checking for disk space problems – click on df

Troubleshooting Infrastructure
Notice that your search is now * host="webserver-01" sourcetype=df
Scroll down and click on the field PercentUsedSpace
Click on Maximum value over time
This will help us see if we have a disk full problem!

Troubleshooting Infrastructure
No disk space issues here – the maximum doesn’t go much over 70%!
Let’s change our search to look for a different sourcetype – modify the search to look for CPU data
Your search should look like this: * host="webserver-01" sourcetype=cpu

Troubleshooting Infrastructure
Scroll down and click on the field PercentUserTime, then click on Maximum value over time
It looks like we found the problem! The CPU is maxed out.

Troubleshooting Applications
Now search for error
Many results are coming from a test machine – on any event where host=test-01, click test-01, then click Exclude from search
Your search will now be error host!="test-01"
The events that remain indicate a problem with one of the MySQL servers – which one?

Troubleshooting Applications
It looks like mysql-02 is the server having issues
The errors show a problem writing log files, so let’s check for disk space issues
Search for host=mysql-02 sourcetype=df
Click on PercentUsedSpace and choose Maximum value over time

Creating an Alert
We found the problem – a full disk!
But wouldn’t an alert be better?
Timechart is great for data over time, but let’s change the search to use stats, which will give us a single number on the Statistics tab
To make it easier to read, we’ll rename the field max(PercentUsedSpace) to maxused by adding as maxused to the end of your search
Now your search should be host=mysql-02 sourcetype=df | stats max(PercentUsedSpace) as maxused

Creating an Alert
Click Save As and choose Alert to bring up the settings
Add a Title
Set a schedule or choose Real-time
Set Trigger Conditions – use the maxused field that we created
Throttle alerts to reduce noise
Set an Action for the alert
That’s it!

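The alert settings from the two slides above (a scheduled stats max(PercentUsedSpace) search, a trigger condition on maxused, and throttling), sketched in Python as an added example that is not part of the original deck and is not Splunk's own code. The df events, the 90% threshold, the 5-minute schedule and the 30-minute throttle window are constructed assumptions.

```python
"""Emulates a scheduled alert on `stats max(PercentUsedSpace) as maxused`
with a trigger condition and throttling. Added illustration only; the
events, threshold, schedule and throttle window are constructed assumptions."""
from datetime import datetime, timedelta

# Constructed df samples: (timestamp, host, PercentUsedSpace)
EVENTS = [
    ("2017-01-01T10:00", "mysql-02", 88.0),
    ("2017-01-01T10:04", "mysql-02", 93.5),
    ("2017-01-01T10:09", "mysql-02", 97.0),
    ("2017-01-01T10:14", "mysql-02", 99.0),
    ("2017-01-01T10:44", "mysql-02", 100.0),
    ("2017-01-01T10:02", "mysql-03", 41.0),
    ("2017-01-01T10:12", "mysql-03", 42.0),
]

THRESHOLD = 90.0                   # assumed trigger condition: maxused > 90
THROTTLE = timedelta(minutes=30)   # assumed suppression window after an alert
WINDOW = timedelta(minutes=5)      # assumed schedule: every 5 min, last 5 min


def max_used(events, host, start, end):
    """host=<host> sourcetype=df | stats max(PercentUsedSpace) as maxused"""
    values = [pct for ts, h, pct in events
              if h == host and start <= datetime.fromisoformat(ts) < end]
    return max(values) if values else None


def run_alert(events, host, first_run, runs):
    """Run the scheduled search `runs` times; return the run times that fired."""
    fired, last_fired = [], None
    for i in range(runs):
        end = first_run + i * WINDOW
        maxused = max_used(events, host, end - WINDOW, end)
        if maxused is None or maxused <= THRESHOLD:
            continue               # trigger condition not met on this run
        if last_fired is not None and end - last_fired < THROTTLE:
            continue               # throttled: an alert fired too recently
        fired.append(end.strftime("%H:%M"))
        last_fired = end
    return fired
```

Without the throttle check the same data would fire on three consecutive runs for mysql-02; with it, the second alert only goes out once the window has passed and the disk is still full.
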
Creating Reports
Start with the same search as for the alert: host=mysql-02 sourcetype=df | stats max(PercentUsedSpace) as maxUsed
On the Visualization tab, choose Radial Gauge as the chart type
You can change the color thresholds by choosing Color Ranges under Format
Click Save As and choose Report

Creating a Dashboard
From your report, click Add to Dashboard to create a new dashboard
Click Edit so we can add more information to this dashboard
Click Add Panel, then choose A Sample Panel from Add Prebuilt Panel
This panel shows the disk space for another server – mysql-03
Rearrange panels by dragging and dropping

Using Dashboards
Click on Dashboards and then choose Website Health
This dashboard lets us see that there are some spikes in 503 errors and that webserver-01 has the most errors – easier than all the searches we started with!
Click on the pie chart in the panel labeled Errors by Server

Using Dashboards
This dashboard shows us some OS statistics, and we can see the CPU issue with webserver-01 in the Maximum CPU by Server over Time panel
Dashboards let us troubleshoot common problems faster!

Dramatic Results, Rapid ROI
• 99.7% Uptime
• Accelerated from monthly releases to 900 deploys per day
• Incident reduction by 90%
• 95% reduction in MTTR
• 30% acceleration in SDLC

Now what?
Full-featured platform for real-time Operational Intelligence
Download Splunk Enterprise for free!
Splunk Enterprise as a cloud service
Try out Splunk Cloud with a free trial!
Feel free to keep working with the data from your USB key!
Learn more with Splunk Education!

Copyright © 2015 Splunk Inc.
• 5,000+ IT and Business Professionals
• 175+ Sessions
• 80+ Customer Speakers
PLUS Splunk University
• Three days: Sept 23-25, 2017
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
SEPT 25-28, 2017
Walter E. Washington Convention Center
Washington, D.C.
CONF.SPLUNK.COM
The 8th Annual Splunk Worldwide Users’ Conference

Thank You