1002 Flashcards
Case sensitive
Field values from lookups, field values in eval and where, tags, dataset names, regex, Boolean operators (AND, OR, NOT must be uppercase)
Lookup field matching can be made case insensitive in the lookup definition (advanced options) when the lookup is created
Admin role
Buckets
Contain the raw data plus index files used to find qualifying events
The search time range chooses which buckets are searched
Hot - writable; rolls to warm when max size or max time span is reached, or when the indexer restarts
Warm - read only; directory named by the time stamps of the first and last events in the bucket
Cold - can be on a different storage location (slower, more cost effective)
Max size and max time span are configurable by the admin
Execution costs
Any job that has not expired can be inspected with the Job Inspector; typical throughput quoted as 10,000-20,000 events per second
Chart command
over - field shown on the x-axis
by - field that splits the result into one series per value (the legend); the stats function supplies the y-axis values
Any stats function can be applied with chart
If two fields follow by, the first is used as the over field: chart count by x, y is the same as chart count over x by y
usenull=f - drop the NULL series for events that lack the by field
useother=f - drop the OTHER series that collects the by values beyond limit
limit=<n> - number of by values shown before the rest are grouped as OTHER
usefill is NOT a chart argument
Timechart
_time is always the x-axis; statistical aggregations over time, single or multi series; bucket width set with span= (e.g. span=1h); rendered as line, area or column chart; limit=0 shows every series, useother=f and usenull=f behave as for chart
Single value visualisations can add a sparkline and a trend indicator
Sparkline - inline chart showing the time-based trend of the value
Trend - direction in which the value is moving, shown to the right of the value
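Worked example added here (not part of the original flashcards) for the chart and timechart cards above: the same web access data charted three ways, so the over/by mapping and the usenull, useother and limit options can be compared. The index name web, the sourcetype access_combined and the fields host and status are assumed sample names.

```spl
index=web sourcetype=access_combined
| chart count over host by status usenull=f useother=f limit=5

index=web sourcetype=access_combined
| chart count by host, status

index=web sourcetype=access_combined
| timechart span=15m count by status limit=0 usenull=f useother=f
```

The first two searches are equivalent: with two fields after by, host becomes the over (x-axis) field and status the series. The timechart version has no over field because _time is always the x-axis; limit=0 keeps every status code as its own series instead of folding the less common ones into OTHER, which matters when the rare codes (e.g. 401, 403, 500) are exactly the ones a security review wants to see.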
7 chart types
Line, Area, Column, Bar, Scatter (scatter needs 2 data values: x and y)
Chart overlay - one series of data drawn over another visualisation (e.g. a line over columns)
Trellis - splits one result set into multiple small charts; the search runs only once
Stats command
Shows the result of a calculation, or a grouping of events, on a field value
Can group by 2 or more fields
Does not need to be time based
OR
Use index=a OR index=b to view events from multiple indexes (an event lives in one index, so AND returns nothing)
Trendline command
Overlays a moving average on a chart
Period defines how many data points are used to compute the trend - integer between 2 and 10,000
3 parts - trend type, period, field: trendline <type><period>(<field>) [AS <newfield>]
sma - simple moving average, e.g. | trendline sma2(sales) AS trend
ema - exponential moving average
wma - weighted moving average
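Worked example added here (not from the original flashcards): hourly counts of HTTP 5xx responses with all three trend types computed side by side, so the smoothing can be compared on one chart. The index web, sourcetype access_combined and field status are assumed sample names; the period of 4 with span=1h gives a four-hour window.

```spl
index=web sourcetype=access_combined status>=500
| timechart span=1h count AS errors
| trendline sma4(errors) AS sma_4h ema4(errors) AS ema_4h wma4(errors) AS wma_4h
```

One trendline command can hold several type/period/field groups. Render the result as a line chart: errors is the raw series, sma_4h lags and smooths the most, ema_4h reacts fastest to a sudden spike, which is why ema is the usual choice when the chart is meant to surface the onset of an outage or an attack rather than the long-term baseline.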
2 types of maps
Cluster map = geostats command: needs latitude and longitude fields, supports a by argument and the same functions as stats
Choropleth map = geom command: polygons, shading, relative metrics, predefined regions; needs a .kmz or .kml (Keyhole Markup Language) file
Splunk ships 2 kmz files:
geo_us_states
geo_countries
iplocation adds location info (lat, lon, City, Country, Region) to events; only external (public) IP addresses resolve
Define latfield and longfield for geostats only if they differ from the default lat and lon fields
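Worked example added here (not from the original flashcards) covering the iplocation, geostats and geom cards above: blocked firewall sessions plotted first as a cluster map and then as a country choropleth, followed by a geostats search where the coordinate fields have non-default names. The index fw, sourcetype pan:traffic, fields src_ip and action, index auth, sourcetype vpn and the lookup definition office_sites (returning latitude and longitude) are assumed sample names.

```spl
index=fw sourcetype=pan:traffic
| iplocation src_ip
| geostats count by action

index=fw sourcetype=pan:traffic action=blocked
| iplocation src_ip
| stats count by Country
| geom geo_countries featureIdField=Country

index=auth sourcetype=vpn
| lookup office_sites site OUTPUT latitude AS site_lat longitude AS site_lon
| geostats latfield=site_lat longfield=site_lon count by site
```

In the first search iplocation writes lat and lon, so geostats needs no latfield/longfield. The choropleth needs a row per region: stats count by Country produces the metric and geom attaches the geo_countries polygon whose feature id matches the Country value. Events whose src_ip is private (RFC 1918) get no lat/lon from iplocation and simply drop out of both maps, so a missing cluster does not mean there was no traffic.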
Gauge command - single value visualisation
Colour ranges and number format can be set
Addtotals command
Default - sums the numeric fields of each event (row) into a Total field
Eval
Calculates, converts, rounds and formats field values
Multiple eval commands can be used in one search
Several expressions in one eval are separated by commas
Non-numeric (string) values must be in "double quotes"
Results of eval are written to a new or existing field (if the field exists eval overwrites its values)
Does not overwrite indexed data
Field values are case sensitive
Use the search or where commands to filter on eval results
Concatenation (.) converts field values to strings - a sort placed after it sorts lexically (alphanumerically)
A sort placed before the eval sorts numerically
Operators - arithmetic, concatenation, Boolean, comparison
if function = 3 arguments: if(X, Y, Z) returns Y when X is true, otherwise Z
case function = pairs of Boolean condition and value; returns the value of the first condition that is true; can be wrapped in transforming commands
round function = round(X, Y) rounds X to Y decimal places, e.g. round(X, 2); with no Y given Splunk rounds to the closest whole number
tostring function = converts a numeric field to a string; format options "commas", "duration" (seconds to HH:MM:SS, e.g. a difference of _time values) and "hex"
Field format = formats how values display without changing the underlying values
Search command = filters; can be used at any point in the pipeline; case insensitive for field values; wildcards with *
Where command = same syntax as eval; can compare values from different fields; the * wildcard can't be used, use the like() function with % instead
% matches multiple characters
_ matches one character
Addtotals - sums the numeric fields of each event into a Total field; col=t adds a row of column totals
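Worked example added here (not from the original flashcards) for the eval and where cards above: a single search that uses case, round, tostring, if and like together on web access events, then filters and reports. The index web, sourcetype access_combined and the fields status, bytes, req_time and uri_path are assumed sample names.

```spl
index=web sourcetype=access_combined
| eval severity=case(status>=500, "server_error", status>=400, "client_error", status>=300, "redirect", true(), "ok")
| eval kb=round(bytes/1024, 2)
| eval kb_fmt=tostring(kb, "commas")
| eval slow=if(req_time>2000, "yes", "no")
| eval age=tostring(now()-_time, "duration")
| where like(uri_path, "/admin%") AND severity!="ok"
| stats count by severity, slow
```

The case function is evaluated top down, so the 5xx test must come before the 4xx test; true() as the final condition is the usual default branch. Note the difference in matching: where severity!="ok" is a case sensitive string comparison, while a search command in the same position (| search severity!=ok) would match regardless of case and would accept a trailing *.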
Transactions
A group of events that span time, related by one or more field names
If multiple fields are specified, events whose values for those fields are related (a transaction exists between them) are grouped into a single transaction
Only use when you need to see events correlated together, or grouped between start and end values; default maximum 1000 events per transaction (maxevents)
2 fields are added to each transaction:
duration - time from the 1st event to the last
eventcount - number of events contained in the transaction
Constraints:
maxspan - total time between the earliest and latest event
maxpause - time between consecutive events must not exceed this value
maxcount is not a field created by the transaction command
Only use transaction when you need to find correlated events; stats is faster otherwise
Stats and reporting commands can be used after transaction
Useful when a single event doesn't provide all the info, e.g. mail logs where one message is tracked by:
mid - message id
dcid - delivery connection id
icid - incoming connection id
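Worked example added here (not from the original flashcards): mail events stitched into one transaction per message across the mid, dcid and icid identifiers, with all three constraints set, then reduced with stats; the second search shows the stats-only alternative that the "use stats when you can" card refers to. The index mail, the sourcetype cisco:esa and the startswith/endswith strings are assumed sample values, not known log formats.

```spl
index=mail sourcetype=cisco:esa
| transaction mid dcid icid maxspan=30m maxpause=5m maxevents=1000 startswith="New SMTP ICID" endswith="Message finished"
| where eventcount>3 AND duration>600
| stats count AS slow_messages avg(duration) AS avg_duration max(eventcount) AS max_events

index=mail sourcetype=cisco:esa
| stats min(_time) AS first_seen max(_time) AS last_seen count AS eventcount by mid
| eval duration=last_seen-first_seen
| where eventcount>3 AND duration>600
| stats count AS slow_messages avg(duration) AS avg_duration max(eventcount) AS max_events
```

The transaction form is needed only when the events must be joined across identifiers that change mid-flow (an icid event has no mid yet, a dcid event may carry no icid); duration and eventcount are created for free. When a single key such as mid is enough, the stats version computes the same duration and eventcount without the memory cost of holding every event of every open transaction.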
Field aliases
Normalise data over multiple sources
One or more aliases can be added to any extracted field
The original field is not replaced by the field alias
Field aliases are processed before lookups, so they can be used as lookup input fields
An alias can therefore be the field a lookup definition references
Apply them - Settings / Fields / Field aliases / Add new: choose destination app, name, apply to host, source or sourcetype, then map field = alias
Calculated fields
Settings / Fields / Calculated fields / Add new / eval expression
Saves retyping long, complex eval expressions; must be based on an extracted field!!!
Cannot reference lookup fields (calculated fields are evaluated before lookups) and cannot contain a search string
Event types
Categorise events based on a search string
Time range is not saved with the event type
Can be created from saved reports - Reports, open in search (verbose mode), run the search, then Save As / Event type
Priority - determines which colour displays for the event type in results
Knowledge objects
Tools to discover and analyse data
Categories: Interpretation, Classification, Enrichment, Normalisation, Datasets
Knowledge objects are:
Shareable - but not automatically
Reusable
Searchable
Automatically set to private when created
Admin can reassign knowledge objects and share them with all apps
Knowledge manager - normalises event data
Builds data models that provide datasets for pivot
Naming convention - so users know what each knowledge object does (keeps the toolbox uncluttered); 6 keys: Group, Type, Platform, Category, Time, Description
Mnemonic: GTPCTD
Fields
Splunk discovers fields based on sourcetype and key=value pairs; the fields sidebar shows the fields related to the search results
Extractions are specific to host, source or sourcetype
Field extractor (FX) - user extracts own fields through the GUI using regex or delimiter; creates static (persistent) extractions that can be shared and reused in multiple places; opened from Settings, the fields sidebar or the event actions menu
Non-matches tab in FX shows events that don't contain the extracted field
Regex method - for unstructured data, e.g. syslog
If you edit the regex manually you will not be returned to the field extractor UI
Delimiter method - for structured data, e.g. .csv
Delimiters: spaces, commas, pipes, tabs
3 ways to access the field extractor utility:
Settings / Fields / Field extractions
Fields sidebar (Extract new fields)
Event actions menu (easiest way)
Only events that contain the highlighted string are included in the sample
Once a field is created using the regex method you can still modify the underlying regex
Field aliases
Settings / Fields / Field aliases / Add new
Another way to normalise data; scoped to a default field value (host, source or sourcetype)
Multiple aliases can be applied to one field
When you create field aliases the original field is not affected
Tags
tag::host=alert - tag attached to a specific field/value pair
tag=privileged - matches the tag on any field
Search by tag value: tag=<value>
Search a tag on a specific field: tag::<field>=<value>
Tags are knowledge objects
Tags are case sensitive
Event types show up in the fields sidebar as the eventtype field
Event types = categorise events based on a search; no time range; the eventtype field in the sidebar shows the number of events and percentage per event type
Priorities = which colour displays for the event type (1 high - 10 low)
Macros
Settings / Advanced search / Search macros
`us_sales` - macro with no arguments, invoked inside backticks
us_sales(2) - macro name that takes 2 arguments
A search string that can be reused in multiple places; time range independent; stores all or part of a search string, including pipes and eval
Arguments are passed as $arg$ in the definition
Backticks wrap the macro name in the search string
Argument values go in parentheses following the macro name
Argument values resolve the search string at execution time!!
Results of a macro can be piped to other commands
Preview the expanded search without running it: Ctrl+Shift+E
A macro can be used in multiple places in one search
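Worked example added here (not from the original flashcards): a call of the two-argument macro from the card above, followed by the search it expands to, which is what Ctrl+Shift+E would show. The macro definition is assumed: name us_sales(2), arguments region,min_amount, definition index=sales region="$region$" amount>=$min_amount$; the fields amount and product are assumed sample names.

```spl
`us_sales("West", 1000)`
| stats sum(amount) AS total by product
| sort - total

index=sales region="West" amount>=1000
| stats sum(amount) AS total by product
| sort - total
```

The quotes around "West" are passed through into the definition, so the $region$ placeholder must not be quoted a second time there. Because substitution is plain text done before the search runs, a macro should validate its arguments (the definition's Validation expression) when the argument is user supplied, exactly as you would treat any other string that ends up inside a query.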
Workflow actions - Settings / Fields / Workflow actions
GET: passes field values as part of a URI (e.g. to look up info on an external site)
POST: sends field values in the body of an HTTP POST to a URI
SEARCH: uses field values to run a secondary search
Post workflow action:
Label, URI, open link in, method POST, then the POST argument name/value pairs
Action type - link (used for GET and POST workflow actions) or search
To stop a value being URL-encoded, put ! after the first dollar sign: $!fieldname$
The validation step of the field extractor workflow can remove values that aren't a match for the field you want to define.
Datasets
Datasets - collections of data represented as tables, with field names as columns and field values as cells
Lookup is a dataset type in the Datasets listing, but not a data model dataset type
Pivot reports are based on datasets
Data models have 3 types of datasets (mnemonic EST):
Events
Searches
Transactions
Event datasets contain constraints and fields - only events that match the constraints are returned
Broken down into a hierarchy
Child datasets narrow down the events of their parent
5 ways to add a field to a data model dataset (GRAEL): Auto-extracted, Eval expression, Lookup, Regular expression, GeoIP
Hidden fields will not be displayed to a pivot user, but can be used to define other fields
Fields used in data models don't need to be extracted before creating the datasets
Many ways to access and use datasets (Datasets listing, pivot, datamodel command)
Dataset names are case sensitive
Field types when adding a field: String, Number, Boolean, IPv4
Field flags:
Optional
Required
Hidden
A new pivot window is auto-populated with a count of events for the selected dataset
Fields from each dataset are available as split rows and split columns
Datamodel command - returns the specified data model and its datasets; with search it runs the search that defines a dataset
| datamodel Web Web search | fields Web.*
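Worked example added here (not from the original flashcards): the datamodel command run against the Web data model's Web dataset, then filtered and grouped using the dataset-qualified field names the command returns. The Web data model and Web dataset names follow the card above; the fields Web.status and Web.src are assumed to be present in that model.

```spl
| datamodel Web Web search
| search Web.status>=400
| stats count by Web.src, Web.status
| sort - count
```

Because the search runs the dataset's own constraint search, the result is already limited to events the data model classifies as web traffic, and every field is prefixed with the dataset name (Web.src, not src); a | fields Web.* after the search step trims the output to those fields, as in the card's example.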
CIM (Common Information Model) - normalises data from different sources to a common language (shared field names and tags)
Data is normalised at index time or at search time using knowledge objects
The CIM schema is used when creating field extractions, aliases, event types and tags
Admin installs the CIM add-on from Splunkbase; its data models are defined in JSON
No effect on licence
No additional indexing