- Index data: the heart of Splunk (collects data from any source).
- Search & investigate.
- Add knowledge.
- Monitor & alert.
- Report & analyze.
The indexer inspects the incoming stream. When it finds a match with a source's data model, it labels the data with that sourcetype. Once the sourcetype is known, it breaks the stream into individual events, each given a timestamp normalized to the time zone set in the user's account.
Events are stored in the index, where they can be investigated with the Splunk Search Language by running queries. Events can be given tags and enriched with business-domain knowledge to help interpret them.
Monitoring alerts can be set up that trigger actions.
- Install apps.
- Ingest data.
- Create Knowledge objects for all users.
- Define which apps other users can see.
- Create Knowledge objects for users of an app.
- Do real-time searches.
- See only knowledge objects shared with them.
- Two default apps: Home app (sets a custom dashboard as the default dashboard) and Search and reporting app.
- SplunkBase has hundreds of them
- We can create our own apps.
Menus to navigate.
Keyword plus time filter.
There is a Save As menu to save the search as a knowledge object.
Breaks down data by host (IP, FQDN or hostname), source or source type. The source is the file or directory path the data came from.
Allows the data to be studied without the Splunk Search Processing Language.
To view and rerun past searches.
Limiting a search by time is key to faster results and it is a good practice.
When the search is sent to Splunk, it becomes a search job.
With the results we get:
Allows us to save the search as a knowledge object.
If the search command does not generate statistics or visualizations, nothing shows here aside from the 3 default links. Commands that generate statistics or visualizations are called transforming commands: they transform event data into data tables.
Edit job, send it to the background, inspect, delete, pause, stop, share, print, export (Raw, CSV, XML, JSON).
When sharing a search we get a link.
By default, a search job will remain active for 10 minutes. After 10 minutes Splunk needs to run it again to return results. A shared search remains active for seven days. Anyone I shared the job with will see the same result I saw the first time I ran it. If the job is not accessed in the specified time period the job is removed.
- Fast: field discovery off. Returns only the default fields and the fields required to fulfill the search.
- Verbose: field discovery on. Returns as many fields and as much event data as possible.
- Smart: toggles between modes depending on the type of search we are running.
Where it is possible to drill into the time axis; clicking and dragging filters the results.
In reverse chronological order. Time is normalized in the index to a consistent format based on the time zone set in the user account.
For each event we see the default fields (host, source & source type).
We can easily add more fields to the search and launch a new search.
Wildcards are accepted. Search terms are not case sensitive (FAILED, failed and FaiLeD give the same results). There are 3 uppercase boolean operators, with this precedence order: 1. NOT, 2. OR, 3. AND. Parentheses can change that precedence. When no boolean operator is explicit, AND is implicit. Use quotes for an exact search; escape a quote with a backslash if it is part of the exact search.
- Commands ==> what to do with the results: charts, computing statistics & formatting
- Functions ==> how we want to chart, evaluate or compute the results
- Arguments ==> variables to apply in functions
- Clauses ==> group results
Commands, functions and clauses are not case sensitive. If a command references a specific value, that value is case-sensitive.
Filtering on fields before the first pipe produces better results. Using time is the most efficient way of filtering: the less data there is to search, the faster the search. Default fields extracted at index time, which do not need to be extracted at search time:
- time
- index
- host
- source
- source type
The more you tell the search engine, the more likely it is that you get good results.
It is better to search for failed password than for password.
Inclusion is better than exclusion.
Searching for "access denied" is better than searching for NOT "access granted".
When possible, use the OR or IN operator instead of wildcards.
Applying filtering commands as early as possible in your search limits the number of events, making later data manipulation faster.
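The search-term rules stated earlier (wildcards, case-insensitive terms, uppercase NOT/OR/AND with NOT > OR > AND precedence, implicit AND, parentheses and quoted phrases) and the inclusion-over-exclusion advice above, worked through in a small Python evaluator that is an added illustration, not Splunk's own matcher; it runs those rules over three constructed sshd-style events so the effect of precedence and parentheses can be checked by hand.

```python
import re
# Added illustration (not Splunk's own code) of the notes' rules: * wildcards, case-
# insensitive terms, uppercase NOT/OR/AND with precedence NOT > OR > AND, implicit AND,
# parentheses, "quoted phrases" with \" escapes. It matches raw text, not indexed tokens.
TOKEN = re.compile(r'\s*(\(|\)|"(?:\\.|[^"\\])*"|[^\s()]+)')
def term_matcher(tok):
    if len(tok) >= 2 and tok[0] == tok[-1] == '"':             # exact phrase
        pat = re.escape(re.sub(r'\\(.)', r'\1', tok[1:-1]))    # drop the \ escapes
    else:                                                      # keyword, * = wildcard
        pat = r'\b' + re.escape(tok).replace(r'\*', r'\S*') + r'\b'
    return lambda ev: re.search(pat, ev, re.IGNORECASE) is not None

class Parser:
    def __init__(self, query):
        self.toks, self.i = [m.group(1) for m in TOKEN.finditer(query)], 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def parse_and(self):    # loosest binding; a missing operator means AND
        node = self.parse_or()
        while self.peek() not in (None, ')'):
            if self.peek() == 'AND':
                self.i += 1
            node = (lambda l, r: lambda ev: l(ev) and r(ev))(node, self.parse_or())
        return node
    def parse_or(self):
        node = self.parse_not()
        while self.peek() == 'OR':
            self.i += 1
            node = (lambda l, r: lambda ev: l(ev) or r(ev))(node, self.parse_not())
        return node
    def parse_not(self):    # tightest binding: NOT applies to the next term only
        tok, self.i = self.toks[self.i], self.i + 1            # IndexError if truncated
        if tok == 'NOT':
            inner = self.parse_not()
            return lambda ev: not inner(ev)
        if tok == '(':
            inner = self.parse_and()
            assert self.peek() == ')', "unbalanced parenthesis"
            self.i += 1
            return inner
        return term_matcher(tok)

def search(query, events):  # events matching the part of a search before the first pipe
    match = Parser(query).parse_and()
    return [ev for ev in events if match(ev)]
EVENTS = [  # constructed sshd-style sample events, not real data
    "host1 sshd: Failed password for invalid user admin from 203.0.113.5",
    "host1 sshd: Accepted password for alice from 192.168.1.2",
    "host2 sshd: FAILED PASSWORD for bob from 203.0.113.7",
]
```

Note that lowercase `or` is an ordinary search term here, exactly as the notes say only the uppercase operators are recognised.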
Created by one user and shared with other users. Saved and reused by multiple people or in multiple apps. Can be used in a search. They become powerful tools for a Splunk deployment.
A knowledge manager has to take care of the general policies that govern the creation of knowledge objects. The aim of such rules is to keep a clean and efficient toolbox.
- Oversee knowledge object creation and usage.
- Implement a naming convention.
- Normalize event data.
- Create data models for Pivot users.
It is useful for all Splunk users to be aware of the 5 categories:
- Data Interpretation: depending on the source type, some fields are automatically extracted from the data, but we can extract more manually. Calculated fields can be defined on top of existing ones.
- Data Classification: event types allow events to be categorized. A transaction is any group of conceptually related events that spans time, such as a series of events related to the online reservation of a hotel room by a single customer.
- Data Enrichment: lookups add other fields and data to the event that are not included in the indexed data. Workflow actions are links within events that interact with external resources (e.g. use the field values in an HTTP error event to create a new entry in an external issue management system) or narrow a search.
- Data Normalization: tags are descriptive names for key-value pairs, and we can search on tags. For example, you could have an IP address for your main office with the value 192.168.1.2 and tag that IP address value as "mainoffice". Field aliases normalize data over multiple sources. One data model might have a field called http_referrer; this field might be misspelled in your source data as http_referer. Use field aliases to capture the misspelled field in your original source data and map it to the expected field name.
- Data Models (search-time mapping of knowledge): hierarchically structured datasets (events, searches or transactions).
Before you start saving reports, define a naming convention.
Saving and sharing searches is easy with reports. We can do it from the Save As menu.
The option to display a report in all apps is available only to admin role users.
By default, the report will be available only to the owner who created it.
Power users are granted read & write permission on the report.
Changing the setting to App, a report can be shared with all users of the app in which the report was created.
The Run As dialog has to be treated carefully in case the report shows sensitive data.
If not all users are allowed to see that data, it is better to run the report as User; that way, only the data appropriate for the user's level of authorization is shown.
A report can be scheduled to run at regular intervals, triggering different events.
All reports are available from the Reports tab in the application menu.
Any search that returns statistical values can be shown as a chart. Charts can be based on numbers, time and location.
Charts are interactive allowing one to hover over the details or drill down to the events behind. Any chart can be saved as a dashboard.
A dashboard is a collection of reports.