Splunk Operational Intelligence Cookbook - Second Edition
By Josh Diakun, Paul R Johnson and Derek Mock
About this ebook
- This is the most up-to-date book on Splunk 6.3 and teaches you how to tackle real-world operational intelligence scenarios efficiently
- Get business insights using machine data using this easy-to-follow guide
- Search, monitor, and analyze your operational data skillfully using this recipe-based, practical guide
This book is intended for users of all levels who are looking to leverage the Splunk Enterprise platform as a valuable operational intelligence tool. The recipes provided in this book will appeal to individuals from all facets of business, IT, security, production, marketing, and many more!
Splunk Operational Intelligence Cookbook - Second Edition - Josh Diakun
Table of Contents
Splunk Operational Intelligence Cookbook Second Edition
Credits
About the Authors
About the Reviewer
www.PacktPub.com
eBooks, discount offers, and more
Why subscribe?
Instant updates on new Packt books
Preface
What this book covers
What you need for this book
Who this book is for
Sections
Getting ready
How to do it…
How it works…
There's more…
See also
Conventions
Reader feedback
Customer support
Downloading the example code
Downloading the color images of this book
Errata
Piracy
Questions
1. Play Time – Getting Data In
Introduction
Indexing files and directories
Getting ready
How to do it…
How it works…
There's more…
Adding a file or directory data input via the CLI
Adding a file or directory input via inputs.conf
One-time indexing of data files via the Splunk CLI
Indexing the Windows event logs
See also
Getting data through network ports
Getting ready
How to do it…
How it works…
There's more…
Adding a network input via the CLI
Adding a network input via inputs.conf
See also
Using scripted inputs
Getting ready
How to do it…
How it works…
See also
Using modular inputs
Getting ready
How to do it…
How it works…
There's more…
See also
Using the Universal Forwarder to gather data
Getting ready
How to do it…
How it works…
There's more…
Add the receiving indexer via outputs.conf
Loading the sample data for this book
Getting ready
How to do it…
How it works…
See also
Defining field extractions
Getting ready
How to do it…
How it works…
See also
Defining event types and tags
Getting ready
How to do it…
How it works…
There's more…
Adding event types and tags via eventtypes.conf and tags.conf
See also
2. Diving into Data – Search and Report
Introduction
Making raw event data readable
Getting ready
How to do it…
How it works…
There's more…
Tabulating every field
Removing fields, then tabulating everything else
Finding the most accessed web pages
Getting ready
How to do it…
How it works…
There's more…
Searching for the top 10 accessed web pages
Searching for the most accessed pages by user
See also
Finding the most used web browsers
Getting ready
How to do it…
How it works…
There's more…
Searching for the web browser data for the most used OS types
See also
Identifying the top-referring websites
Getting ready
How to do it…
How it works…
There's more…
Searching for the top 10 using stats instead of top
See also
Charting web page response codes
Getting ready
How to do it…
How it works…
There's more…
Totaling success and error web page response codes
See also
Displaying web page response time statistics
Getting ready
How to do it…
How it works…
There's more…
Displaying web page response time by action
See also
Listing the top viewed products
Getting ready
How to do it…
How it works…
There's more…
Searching for the percentage of cart additions from product views
See also
Charting the application's functional performance
Getting ready
How to do it…
How it works…
There's more…
See also
Charting the application's memory usage
Getting ready
How to do it…
How it works…
See also
Counting the total number of database connections
Getting ready
How to do it…
How it works…
See also
3. Dashboards and Visualizations – Making Data Shine
Introduction
Creating an Operational Intelligence dashboard
Getting ready
How to do it…
How it works…
There's more…
Changing dashboard permissions
Using a pie chart to show the most accessed web pages
Getting ready
How to do it…
How it works…
There's more…
Searching for the top 10 accessed web pages
See also
Displaying the unique number of visitors
Getting ready
How to do it…
How it works…
There's more…
Coloring the value based on ranges
Adding trends and sparklines to the values
See also
Using a gauge to display the number of errors
Getting ready
How to do it…
How it works…
There's more…
See also
Charting the number of method requests by type and host
Getting ready
How to do it…
How it works…
See also
Creating a timechart of method requests, views, and response times
Getting ready
How to do it…
How it works…
There's more…
Method requests, views, and response times by host
See also
Using a scatter chart to identify discrete requests by size and response time
Getting ready
How to do it…
How it works…
There's more…
Using time series data points with a scatter chart
See also
Creating an area chart of the application's functional statistics
Getting ready
How to do it…
How it works…
See also
Using a bar chart to show the average amount spent by category
Getting ready
How to do it…
How it works…
See also
Creating a line chart of item views and purchases over time
Getting ready
How to do it…
How it works…
See also
4. Building an Operational Intelligence Application
Introduction
Creating an Operational Intelligence application
Getting ready
How to do it…
How it works…
There's more…
Creating an application from another application
Downloading and installing a Splunk app
See also
Adding dashboards and reports
Getting ready
How to do it…
How it works…
There's more…
Changing permissions of saved reports
See also
Organizing the dashboards more efficiently
Getting ready
How to do it…
How it works…
There's more…
Modifying the Simple XML directly
See also
Dynamically drilling down on activity reports
Getting ready
How to do it…
How it works…
There's more…
Disabling the drilldown feature in tables and charts
See also
Creating a form for searching web activity
Getting ready
How to do it…
How it works…
There's more…
Adding a Submit button to your form
See also
Linking web page activity reports to the form
Getting ready
How to do it…
How it works…
There's more…
Adding an overlay to the Sessions Over Time chart
See also
Displaying a geographical map of visitors
Getting ready
How to do it…
How it works…
There's more…
Adding a map panel using Simple XML
Mapping different distributions by area
See also
Scheduling PDF delivery of a dashboard
Getting ready
How to do it…
How it works…
See also
5. Extending Intelligence – Data Models and Pivoting
Introduction
Creating a data model for web access logs
Getting ready
How to do it…
How it works…
There's more…
Searching data models using the search interface
See also
Creating a data model for application logs
Getting ready
How to do it…
How it works…
See also
Accelerating data models
Getting ready
How to do it…
How it works…
There's more…
Viewing data model and acceleration summary information
Advanced configuration of data model acceleration
See also
Pivoting total sales transactions
Getting ready
How to do it…
How it works…
There's more…
Pivot searching using the pivot command and search interface
See also
Pivoting purchases by geographic location
Getting ready
How to do it…
How it works…
See also
Pivoting slowest responding web pages
Getting ready
How to do it…
How it works…
See also
Pivot charting top error codes
Getting ready
How to do it…
How it works…
See also
6. Diving Deeper – Advanced Searching
Introduction
Calculating the average session time on a website
Getting ready
How to do it…
How it works…
There's more…
Starts with a website visit, ends with a checkout
Defining maximum pause, span, and events in a transaction
See also
Calculating the average execution time for multi-tier web requests
Getting ready
How to do it…
How it works…
There's more…
Calculating the average execution time without using a join
See also
Displaying the maximum concurrent checkouts
Getting ready
How to do it…
How it works…
See also
Analyzing the relationship of web requests
Getting ready
How to do it…
How it works…
There's more…
Analyzing relationships of DB actions to memory utilization
See also
Predicting website traffic volumes
Getting ready
How to do it…
How it works…
There's more…
Predicting the total number of items purchased
Predicting the average response time of function calls
See also
Finding abnormally-sized web requests
Getting ready
How to do it…
How it works…
There's more…
The anomalies command
The anomalousvalues command
The anomalydetection command
The cluster command
See also
Identifying potential session spoofing
Getting ready
How to do it…
How it works…
There's more…
Creating logic for urgency
See also
7. Enriching Data – Lookups and Workflows
Introduction
Looking up product code descriptions
Getting ready
How to do it…
How it works…
There's more…
Manually adding the lookup to Splunk
See also
Flagging suspect IP addresses
Getting ready
How to do it…
How it works…
There's more…
Modifying an existing saved search to populate a lookup table
See also
Creating a session state table
Getting ready
How to do it…
How it works…
There's more…
Use the Splunk KV store to maintain the session state table
See also
Adding hostnames to IP addresses
Getting ready
How to do it…
How it works…
There's more…
Enabling automatic external field lookups
See also
Searching ARIN for a given IP address
Getting ready
How to do it…
How it works…
There's more…
Limiting workflow actions by event types
See also
Triggering a Google search for a given error
Getting ready
How to do it…
How it works…
There's more…
Triggering a Google search from the chart drilldown options
See also
Creating a ticket for application errors
Getting ready
How to do it…
How it works…
There's more…
Adding a workflow action manually in Splunk
See also
Looking up inventory from an external database
Getting ready
How to do it…
How it works…
There's more…
Use DB Connect for direct external DB lookups
See also
8. Being Proactive – Creating Alerts
Introduction
Alerting on abnormal web page response times
Getting ready
How to do it…
How it works…
There's more…
Viewing triggered alerts in Splunk's Alert manager
See also
Alerting on errors during checkout in real time
Getting ready
How to do it…
How it works…
There's more…
Building alerts via a configuration file
Editing alert configuration attributes using Advanced edit
Identify the real-time searches that are running
See also
Alerting on abnormal user behavior
Getting ready
How to do it…
How it works…
There's more…
Alerting on abnormal user purchases without checkouts
See also
Alerting on failure and triggering a scripted response
Getting ready
How to do it…
How it works…
There's more…
See also
Alerting when predicted sales exceed inventory
Getting ready
How to do it…
How it works…
There's more…
Adding an RSS feed notification action to an alert
See also
9. Speeding Up Intelligence – Data Summarization
Introduction
Calculating an hourly count of sessions versus completed transactions
Getting ready
How to do it…
How it works…
There's more…
Generating the summary more frequently
Avoiding summary index overlaps and gaps
See also
Backfilling the number of purchases by city
Getting ready
How to do it…
How it works…
There's more…
Backfilling a summary index from within a search directly
See also
Displaying the maximum number of concurrent sessions over time
Getting ready
How to do it…
How it works…
There's more…
Viewing the status of an accelerated report
See also
10. Above and Beyond – Customization, Web Framework, REST API, HTTP Event Collector, and SDKs
Introduction
Customizing the application navigation
Getting ready
How to do it…
How it works…
There's more…
Adding a force-directed graph of web hits
Getting ready
How to do it…
How it works…
There's more…
Changing the time range on the search manager
See also
Adding a calendar heatmap of product purchases
Getting ready
How to do it…
How it works…
See also
Adding cell highlighting of average product price
Getting ready
How to do it…
How it works…
There's more…
See also
Remotely querying Splunk's REST API for unique page views
Getting ready
How to do it…
How it works…
There's more…
Authenticating with a session token
See also
Creating a Python application to return unique IP addresses
Getting ready
How to do it…
How it works…
There's more…
Paginating the results of your search
See also
Creating a custom search command to format product names
Getting ready
How to do it…
How it works…
See also
Collecting data from remote scanning devices
Getting ready
How to do it…
How it works…
See also
Index
Splunk Operational Intelligence Cookbook Second Edition
Copyright © 2016 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: October 2014
Second edition: June 2016
Production reference: 1310516
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78528-499-1
www.packtpub.com
Credits
Authors
Josh Diakun
Paul R Johnson
Derek Mock
Reviewer
Jose Hernandez
Commissioning Editor
Veena Pagare
Acquisition Editor
Vinay Argekar
Content Development Editor
Sumeet Sawant
Technical Editor
Mohita Vyas
Copy Editors
Vikrant Phadke
Alpha Singh
Project Coordinator
Shweta H. Birwatkar
Proofreader
Safis Editing
Indexer
Monica Ajmera Mehta
Production Coordinator
Conidon Miranda
Cover Work
Conidon Miranda
About the Authors
Josh Diakun is an IT operations and security specialist with a focus on creating data-driven operational processes. He has over 10 years of experience managing and architecting enterprise-grade IT environments. For the past 7 years, he has been architecting, deploying and developing on Splunk as the core platform for organizations to gain security and operational intelligence. Josh is a founding partner at Discovered Intelligence, a company specializing in data intelligence services and solutions. He is also a co-founder of the Splunk Toronto User Group.
I would first like to thank my co-authors, Derek Mock and Paul Johnson, for their support, endless effort, and those many late nights that led to this book becoming a reality. To my partner, Rachel, an endless thank you for being my biggest supporter and making sure I always remembered to take a break. To my mother, Denyce, and sister, Jessika, thank you for being the two most amazing people in my life and cheering me on as I wrote this book. Finally to my late father, John, who was always an inspiration and brought the best out of me. Without this, I would not be where I am today.
Paul R Johnson has over 10 years of data intelligence experience in the areas of information security, operations, and compliance. He is a partner at Discovered Intelligence, a company specializing in data intelligence services and solutions. Paul previously worked for a Fortune 10 company, leading IT risk intelligence initiatives and managing a global Splunk deployment. Paul co-founded the Splunk Toronto User Group and lives and works in Toronto, Canada.
I would like to thank my fellow authors, Josh Diakun and Derek Mock, for their support and collaborative efforts in writing this book. Thanks guys for giving up nights, days, and weekends to get it completed! I would also like to thank my wife, Stacey, for her continuous support, for keeping me focused, and for her great feedback and patience.
Derek Mock is a software developer and big data architect who specializes in IT operations, information security, and cloud technologies. He has 15 years' experience developing and operating large enterprise-grade deployments and SaaS applications. He is a founding partner at Discovered Intelligence, a company specializing in data intelligence services and solutions. For the past 6 years, he has been leveraging Splunk as the core tool to deliver key operational intelligence. Derek is based in Toronto, Canada, and is a co-founder of the Splunk Toronto User Group.
I could not have asked for better co-authors than Josh Diakun and Paul Johnson, whose tireless efforts over many late nights brought this book into being. I would also like to thank my mentor, Dave Penny, for all his support in my professional life. Finally, thanks to my partner Alison, and my children, Sarah and James, for cheering me on as I wrote and for always making sure I had enough coffee.
About the Reviewer
Jose Hernandez is currently the director of security solutions at Zenedge Inc., with vast experience in security analytics. He started his professional career at Prolexic Technologies (now Akamai) in DDoS, fighting attacks from Anonymous and LulzSec against Fortune 100 companies. While working at Splunk Inc. as a security architect, he built and released an auto-mitigation framework that has been used to automatically fight attacks in large organizations. In the past, he has helped build security operation centers as well as run a public threat intelligence service. Jose is originally from Miami, Florida, where he completed his master's degree in information security from Nova Southeastern University. He also received two undergraduate bachelor's degrees from Florida International University in the fields of management of information systems and information technologies. Although information security has been the focus of his career, Jose has found that his true passion is in solving problems and creating solutions. As an example, he built an underwater remote-controlled vehicle called the SensorSub, which was used to test and measure the toxicity in Miami's waterways.
His e-mail is <josehelps@gmail.com>, Twitter handle is divious_1, and GitHub profile is divious1.
www.PacktPub.com
eBooks, discount offers, and more
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
https://www2.packtpub.com/books/subscription/packtlib
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.
Why subscribe?
Fully searchable across every book published by Packt
Copy and paste, print, and bookmark content
On demand and accessible via a web browser
Instant updates on new Packt books
Get notified! Find out when new books are published by following @PacktEnterprise on Twitter or the Packt Enterprise Facebook page.
Preface
Splunk makes it easy for you to take control of your data, and with Splunk Operational Cookbook, you can be confident that you are taking advantage of the Big Data revolution and driving your business with the cutting edge of operational intelligence and business analytics.
With more than 70 recipes that demonstrate all of Splunk's features, not only will you find quick solutions to common problems, but you'll also learn a wide range of strategies and uncover new ideas that will make you rethink what operational intelligence means to you and your organization.
What this book covers
Chapter 1, Play Time – Getting Data In, introduces you to the many ways in which you can get data into Splunk, whether it is collecting data locally from files and directories, receiving it through TCP/UDP port inputs, directly from a Universal Forwarder, or simply utilizing Scripted and Modular Inputs. Regardless of how Operational Intelligence is approached, the right data at the right time is pivotal to success; this chapter will play a key role in highlighting what data to consider and how to efficiently and effectively get that data into Splunk. It will also introduce the data sets that will be used throughout this book and where to obtain samples that can be used to follow each of the recipes as they are written.
Chapter 2, Diving into Data – Search and Report, introduces you to the first set of recipes in the book. Leveraging the data now available as a result of the previous chapter, the information and recipes will guide you through searching event data using Splunk's SPL (Search Processing Language); applying field extractions; grouping common events based on field values; and then building basic reports using the table, top, chart, and stats commands.
Chapter 3, Dashboards and Visualizations – Making Data Shine, guides you through building visualizations based on the reports that you can now create as a result of the previous chapter. The information and recipes provided in this chapter will empower you to take your data and reports and bring them to life through the powerful visualizations provided by Splunk. Visualizations introduced will include single values, charts (bar, pie, line, and area), scatter charts, and gauges.
Chapter 4, Building an Operational Intelligence Application, builds on the understanding of visualizations that you gained as a result of the previous chapter to introduce the concept of dashboards. Dashboards provide a powerful way to bring visualizations together and provide the holistic visibility required to fully capture the operational intelligence that is most important. The information and recipes provided in this chapter will outline the purpose of dashboards, how to properly utilize dashboards, using the dashboard editor to build a dashboard, building a form for searching event data, and much more.
Chapter 5, Extending Intelligence – Data Models and Pivoting, covers one of the newest and most powerful features found in the latest release of Splunk Enterprise, the ability to create data models, and the introduction of the pivot tool. This chapter will introduce readers to the concept of building data models and using the pivot tool to quickly design reports based on the data sets used within this book. With such powerful features now available, this chapter will enable readers to apply their extended knowledge of their data to empower non-traditional users to build intelligent operational reports through the use of data models and pivoting.
Chapter 6, Diving Deeper – Advanced Searching, takes you deeper into the data by introducing transactions, subsearching, concurrency, associations, and more advanced search commands. By now you will have an understanding of how to derive operational intelligence from data by using some of Splunk's most common features. Through the information and recipes provided in this chapter, readers will harness the ability to converge data from different sources and understand or build relationships between the events.
Chapter 7, Enriching Data – Lookups and Workflows, introduces the concept of lookups and workflow actions for the purpose of augmenting the data being analyzed. As illustrated in the preceding chapters, event data, whether from a single-tier or multi-tier web application stack, can provide a wealth of operational intelligence and awareness. That intelligence can be further enriched through the use of lookups and workflow actions. The recipes provided will enable readers to apply this functionality to further enhance their understanding of the data being analyzed.
Chapter 8, Being Proactive – Creating Alerts, introduces the benefits of proactive alerts and provides context on when alerts are best applied. A key asset to complete operational intelligence and awareness is the ability to be proactive through scheduled or real-time alerts. The recipes provided will guide readers through creating alerts based on the knowledge gained from previous chapters.
Chapter 9, Speeding Up Intelligence – Data Summarization, introduces the concept of summary indexing for the purposes of accelerating reports and speeding up the time it takes to unlock business insight. With big data being just that, big, it can sometimes be very time consuming to search massive sets of data and costly to store the data for long periods of time. The recipes in this chapter will provide readers with a short introduction to common situations where summary indexing can be leveraged to speed up reports or preserve focused statistics over long periods of time.
Chapter 10, Above and Beyond – Customization, Web Framework, REST API, HTTP Event Collector, and SDKs, introduces you to four very powerful features of Splunk, some of which are new to the latest release. These features provide the ability to create a very rich and powerful interactive experience with Splunk. This will open you up to the possibilities beyond core Splunk Enterprise and show you a method in order to create your own operational intelligence application that includes powerful D3 visualizations. It will also provide a recipe for querying Splunk's REST API and a basic Python application leveraging Splunk's SDK to execute a search.
What you need for this book
You'll need Splunk Enterprise 6.4 (or greater).
Who this book is for
This book is intended for users of all levels who are looking to leverage the Splunk Enterprise platform as a valuable operational intelligence tool. The recipes provided in this book will appeal to individuals from all facets of business, IT, security, product, marketing, and many more!
Also, existing users of Splunk who want to upgrade and get up and running with Splunk 6.4 will find this book invaluable.
Sections
In this book, you will find several headings that appear frequently (Getting ready, How to do it, How it works, There's more, and See also).
To give clear instructions on how to complete a recipe, we use these sections as follows:
Getting ready
This section tells you what to expect in the recipe, and describes how to set up any software or any preliminary settings required for the recipe.
How to do it…
This section contains the steps required to follow the recipe.
How it works…
This section usually consists of a detailed explanation of what happened in the previous section.
There's more…
This section consists of additional information about the recipe in order to make the reader more knowledgeable about the recipe.
See also
This section provides helpful links to other useful information for the recipe.
Conventions
In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: Alternatively, if we want to search only for Windows logon events, we will search for eventtype=windows_logon.
A block of code is set as follows:
[WinEventLog://Application]
disabled = 0
[WinEventLog://Security]
disabled = 0
[WinEventLog://System]
disabled = 0
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
index=main sourcetype=access_combined
| eval firsttime=_time | eval lasttime=_time | fields JSESSIONID firsttime lasttime | inputlookup session_state.csv append=true | stats last(firsttime) as firsttime, first(lasttime) as lasttime by JSESSIONID | outputlookup createinapp=true session_state.csv
Any command-line input or output is written as follows:
[monitor://c:\filelocation\cp01_messages.log]
sourcetype = linux_messages
New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: Modular inputs are bundled as Splunk apps and, once installed, contain all the necessary configuration and code to display them in the Data inputs section of Splunk.
Note
Warnings or important notes appear in a box like this.
Tip
Tips and tricks appear like this.
Reader feedback
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.
To send us general feedback, simply e-mail <feedback@packtpub.com>, and mention the book's title in the subject of your message.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.
Customer support
Now that you are the proud owner of