Splunk Fundamentals 1 Flashcards
Each Splunk event has:
1) timestamp
2) host
3) source
4) sourcetype
5) index
Options to display search results:
- Raw
- List
- Table
@
rounds down to the nearest specified time unit
Lifetime of a search job
- Default is 10 minutes
- Can be extended to 7 days
- Schedule a report to keep search results longer
Share link to Job
- Gives everyone read permissions
- Extends result retention to 7 days
- More efficient than each running search separately
Export search results formats
- Raw events (text file)
- CSV
- XML
- JSON
Phases of Index Time Process
- Input phase
- Parsing phase
- Indexing phase
Input phase
- handled at the source (usually forwarder)
- the data sources are being opened and read
- data is handled as streams and any configuration settings are applied to the entire stream
Parsing phase
- handled by indexers (or heavy forwarders)
- data is broken up into events and advanced processing can be performed
Indexing phase
- License meter runs as data is initially written to disk, prior to compression
- After data is written to disk, it cannot be changed
How to add data inputs
- Apps and add-ons from Splunkbase
- Splunk Web
- CLI
- Directly editing inputs.conf
Metadata setting
- metadata is applied to the entire source
- applies default if not specified
- can be overwritten at input time
Upload file from my computer
- local files only get indexed once
- does not create inputs.conf
Monitor (add data option)
- one-time or continuous monitoring of files, directories, HTTP events, network ports or data-gathering scripts located on Splunk Enterprise instances
- useful for testing inputs
Forward option (add data)
- Main source of input in prod
- Remote machines gather and forward data to indexers over a receiving port
Index once
does not create a stanza in inputs.conf
Set source type
- Splunk automatically determines the source type for major data types when there is enough data
- you can choose a different source type from the dropdown list
- you can create a new type name for specific source
Input configuration is saved in:
SPLUNK_HOME/etc/apps/search/local
When are indexed events available?
- immediately after search
- might take a minute for Splunk to start indexing the data
Splunk Enterprise Install Package
- Indexer (search peer)
- Search Head
- Deployment Server
- License Master
- Heavy Forwarder
- Cluster Master
- Search Head Cluster
Required Splunk Ports
- splunkweb: 8000
- splunkd
- forwarder
Splunk Deployments
- Splunk Enterprise
- Splunk Cloud
- Splunk Light
Splunk Apps
- Collections of files containing data inputs, UI elements, and/or knowledge objects
- Allows multiple workspaces for different use cases/user roles to co-exist on a single Splunk instance
Splunk Enhanced Solutions
- Splunk IT Service Intelligence (ITSI)
- Splunk Enterprise Security (ES)
- Splunk User Behavior Analytics (UBA)
Host
Unique identifier of where the events originated (host name, IP address, etc. )
Source
Name of the file, stream or other input
Sourcetype
Specific data type or data format
Splunk Components
- Indexer
- Search Head
- Forwarder
Splunk Deployments
- Standalone
- Basic
- Multi-Instance
- Increasing Capacity
- Index Cluster
Additional Splunk Components
- Deployment Server
- Cluster Master
- License Master
Indexer
- processes machine data
- store the results in indexes as events
- enable fast search and analysis
- contains raw data (compressed) and indexes (uncompressed)
Forwarders
- Consume and send data to indexers
- Require minimal resources and have little impact on performance
- Typically reside on the machines where the data originates
- Primary way data is supplied for indexing
Search Heads
- Allows users to use the search language to search indexed data
- Distributes user search requests to indexers
- Consolidates the results, extracts field/value pairs from the events and returns them to the user
- Knowledge objects (KO) on search heads can be created to extract additional fields and transform the data without changing the underlying index data
- Also provides tools for reports, dashboards and visualizations
Use search results to modify search
- Add the item to the search
- Exclude the item from the search
- Open a new search including only that item
Fields extracted during the index time:
- meta fields - host, source, sourcetype, index
- internal fields: _time and _raw
Selected fields
- Set of configurable fields displayed for each event
- Default: host, source, sourcetype
Interesting fields
occur in at least 20% of resulting events
Case sensitivity
- Field names ARE case sensitive
- Field values ARE NOT
!= vs. NOT
- status != 200: returns events where the status field exists and its value != 200
- NOT status = 200: returns (1) and all events where the status field does not exist
Best practices
- time is the most efficient filter
- specify index values at the beginning of search string
- include as many search terms as possible
- make search terms as specific as possible
- inclusion is better than exclusion
- filter (i.e. remove duplicates) as early as possible
- when possible use OR instead of wildcards
- avoid wildcards at the beginning of string
Wildcards location
- at the beginning of the string - scan all events within timeframe
- in the middle, may return inconsistent results
Working with indexes
- it's possible to specify multiple indexes
- it's possible to use wildcards in index values
- possible to search without an index - but not recommended
Search Language Syntax Components
- Search terms
- Commands
- Functions
- Arguments
- Clauses
Syntax coloring
- ORANGE: Boolean and command modifiers
- BLUE: commands
- GREEN: command arguments
- PURPLE: functions
fields command
- field extraction is one of the most costly parts of search
- fields+: occurs before field extraction => improves performance
- fields-: occurs after field extraction => no performance benefit
Sort command
- sort +/-: sort results in the sign’s order
- sort +/- : applies sort order to all following fields
Top command
- default limit=10; limit=0 returns unlimited results
- automatically returns count and percent
- common constraints: limit, countfield, showperc
Count command
- count: returns the number of matching events based on the current search criteria
- count(field): the number of events where a value is present for specified field
Avg function does not include an event if it
- does not have the field
- has an invalid value for the field
What are reports?
- saved searches
- show events, statistics (tables) or visualizations (charts)
- running a report returns fresh results every time you run it
- allow drill downs to see underlying events
- can be shared and added to dashboards
Three main methods to create visualizations in Splunk
- Select a field from the fields sidebar and choose a report to run
- Pivot interface (dataset vs instant pivot)
- Use Splunk search language transforming commands
Reports for alphanumeric values
- Top values
- Top values by time
- Rare values
- Events with this field
Reports for numeric fields
- Average over time
- Max / Min over time
- Same as alphanumeric
Why create panels from reports?
- it is efficient
a. single report can be used across different dashboards
b. this links the report definition to the dashboard - any change to underlying report affects every panel that utilizes this report
Drilldown options
- None
- Link to search
- Link to report
- Link to dashboard
- Link to custom URL
- Manage tokens on this dashboard
Lookups
- Allow you to add more fields to your events
- After lookup is configured, can use lookup fields in searches
- Lookup fields appear in the Fields sidebar
- Lookup field values are case sensitive
Creating a lookup
- Upload the file for the lookup
- Define the lookup type
- Optionally: configure to run automatically
Scheduled reports
- time range picker cannot be used with scheduled reports
Scheduled reports actions
- Log event
- Output results to lookup
- Output results to telemetry endpoint
- Run a script
- Send email
- Webhook
Report permissions
Run as
- Owner: all data accessible by the owner appears in the report
- User: only data allowed to be accessed by the user role appears
Alert Actions
- Log event
- Output results to lookup
- Output results to telemetry endpoint
- Run a script
- Send email
- Webhook
Time selection Options
- Presets
- Relative (e.g. earliest x seconds ago)
- Real-time (NO)
- Date Range (Between? dd x and dd y)
- Date & Time Range
- Advanced
Top/Rare command options
- countfield=
- limit=
- otherstr=
- percentfield=
- showcount=
- showperc=
- useother=
Dashboard panel based on report
- you cannot modify the search string in the panel
- you can change and configure the visualization
Source: https://docs.splunk.com/Documentation/Splunk/7.2.6/Viz/WorkingWithDashboardPanels
Dashboard panels
- Inline panel (search directly in source code)
- Report panel
Primary function of scheduled report
Triggering an alert in your Splunk instance when certain conditions are met.
Alerts are based on searches that can run:
- in real time
- on a scheduled interval
When a Splunk search generates calculated data that appears in the Statistics tab, in what formats can the results be exported?
- CSV
- XML
- JSON
Triggered alert listing
- Time
- App
- Type
- Severity
- Mode
Source: https://docs.splunk.com/Documentation/Splunk/7.2.6/Alert/Reviewtriggeredalerts
Alert permissions
- Private - only you can access
- Shared in App
- all users can view triggered alerts
- power users have write access
What type of search can be saved as a report?
Any search can be saved as a report.
We should use a heavy forwarder for sending event-based data to indexers.
Source: http://karunsubramanian.com/splunk/what-is-the-difference-between-splunk-universal-forwarder-and-heavy-forwarder/
You can view search results in the following formats
- Table
- Raw
- List
You cannot accelerate a report if:
- You created it through Pivot.
- Your permissions do not enable you to accelerate searches.
- Your role does not have write permissions for the report.
- The search that the report is based upon is disqualified for acceleration.
Source: https://docs.splunk.com/Documentation/Splunk/latest/Report/Acceleratereports
Dashboards can be exported as
2. printed
Report time range
- runs using the time range that was specified when it was saved
- use time range picker to change if available