Best Practices and Better Practices for Users

Similar documents
Best Practices and Better Practices for Admins

Dashboards & Visualizations: What s New

Visualizing the Health of Your Mobile App

Metrics Analysis with the Splunk Platform

Create Dashboards that People Love

Indexer Clustering Fixups

FFIEC Cybersecurity Assessment Tool

DB Connect Is Back. and it is better than ever. Tyler Muth Denis Vergnes. September 2017 Washington, DC

Data Obfuscation and Field Protection in Splunk

Bringing Sweetness to Sour Patch Tuesday

Dashboard Time Selection

Running Splunk Enterprise within Docker

Docker and Splunk Development

Data Onboarding. Where Do I begin? Luke Netto Senior Professional Services Splunk. September 26, 2017 Washington, DC

Measuring HEC Performance For Fun and Profit

Next Generation Dashboards

Indexer Clustering Internals & Performance

Using Splunk Enterprise To Optimize Tailored Long-term Data Retention

Dashboard Wizardry. Advanced Dashboard Interactivity. Siegfried Puchbauer Principal Software Engineer Yuxiang Kou Software Engineer

The Power of Data Normalization. A look at the Common Information Model

A Trip Through The Splunk Data Ingestion And Retrieval Pipeline

Making Sense of Web Fraud With Splunk Stream

Making the Most of the Splunk Scheduler

Search Language Intermediate Lincoln Bowser

Tracking Logs at Zillow with Lookups & JIRA

Extending SPL with Custom Search Commands

Introducing Splunk Validated Architectures (SVA)

Scaling Indexer Clustering

Time ACer Time Comparing Time Ranges in Splunk Lisa Guinn

Modernizing InfoSec Training and IT Operations at USF

Copyright 2015 Splunk Inc. Smart Splunking. Jeff Champagne, Splunk Kate Engel, Morgan Stanley

Monitoring Docker Containers with Splunk

Bring Context To Your Machine Data With Hadoop, RDBMS & Splunk

Architecting Splunk For High Availability And Disaster Recovery

Fields, Indexed Tokens, And You

Squeezing all the Juice out of Splunk Enterprise Security

Splunking with Multiple Personalities

Search Optimization. Alex James. Karthik Sabhanatarajan. Principal Product Manager, Splunk. Senior Software Engineer, Splunk

Search Language - Beginner Mitch Fleischman

Search Head Clustering Basics To Best Practices

Atlassian s Journey Into Splunk

Splunk N Box. Splunk Multi-Site Clusters In 20 Minutes or Less! Mohamad Hassan Sales Engineer. 9/25/2017 Washington, DC

Dragons and Splunk Do Not Do Well In Captivity

Data Models for Developers

Need for Speed: Unleashing the Power of SecOps with Adaptive Response. Malhar Shah CEO, Crest Data Systems Meera Shankar Alliance Manager, Splunk

Understanding Splunk AcceleraGon Technologies David Marquardt

Splunk & AWS. Gain real-time insights from your data at scale. Ray Zhu Product Manager, AWS Elias Haddad Product Manager, Splunk

Splunk Helping in Productivity

The "Gotchas" of Splunk!

Building Your First Splunk App with the Splunk Web Framework

Splunk Enterprise Security For Proactive Monitoring

Welcome to Tomorrow... Today

Essentials to creating your own Security Posture using Splunk Enterprise

Troubleshooting AWS App

4 phases to understand owncloud

Best Prac:ces + New Feature Overview for the Latest Version of Splunk Deployment Server

Malware Analysis: Suricata & Splunk for better rule writing

The Art of Detection. Using Splunk Enterprise Security

Copyright 2015 Splunk Inc. The state of Splunk. Using the KVStore to maintain App State. Stefan Sievert. Client Architect, Splunk Inc.

VMWARE VREALIZE OPERATIONS MANAGEMENT PACK FOR. Nagios. User Guide

Oracle Express CPQ for Salesforce.com. What s New in Summer 15

What You Think Is Real Is Not Real, Learn How Splunk Uncovered The Truth!

User Scripting April 14, 2018

C4C30. SAP Cloud Applications Studio COURSE OUTLINE. Course Version: 21 Course Duration: 4 Day(s)

USER MANUAL SATORI TEAM

Enterprise Security Biology

Five9 Supervisor App for ipad

APT Splunking. Searching for adversaries with quadrants (and other methods)

BIG-IP Secure Web Gateway and Splunk templates Summary

Splunk For Google Analytics

Lightning Knowledge Guide

Splunking Your z/os Mainframe Introducing Syncsort Ironstream

Keeping Track Of All The Things

Onboard Data into Splunk, Correctly

VMWARE VREALIZE OPERATIONS MANAGEMENT PACK FOR. MongoDB. User Guide

Understanding and Using Fields

VMware vrealize operations Management Pack FOR. PostgreSQL. User Guide

Atlassian Confluence 5 Essentials

Search Head Clustering

KV Store: Hammer Time

SecureTransport Version May Web Client User Guide

Inside Secrets From Support- How to Solve the Top 10 Support Issues

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

Real Time Monitoring Of A Cloud Based Micro Service Architecture Using Splunkcloud And The HTTP Eventcollector

IN: US:

A case study in adopting Fusion 360 Hockey Skate Adapter

Light IT Up! Better Monitoring in Splunk with Custom Actions, Search Commands and Dashboards JUSTIN BROWN

Fighting Phishing I: Get phish or die tryin.

Adding Depth to Dashboards

Sync User Guide. Powered by Axient Anchor

Integrating Splunk And AWS Lambda

BlackBerry Handheld Tips and Tricks

Rapid Recovery License Portal Version User Guide

Oracle Adapter for Salesforce Lightning Winter 18. What s New

SQL Optimizer for Oracle Installation Guide

Building a Threat-Based Cyber Team

Data Driven Design BUSINESS BOOST: GOOGLE GEEK SESSION. datadriven.design. Paul Hickey

Salesforce Classic Mobile Guide for iphone

Manage AWS Services. Cost, Security, Best Practice and Troubleshooting. Principal Software Engineer. September 2017 Washington, DC

VARONIS APP FOR SPLUNK. User Guide

Transcription:

Best Practices and Better Practices for Users while you get settled Latest Slides: https://splunk.box.com/v/blueprints-practices-user Collaborate: #bestpractices Sign Up @ http://splk.it/slack Load Feedback --------------------------------------->

Best Practices and Better Practices for Users Presented by Splunk Blueprints Burch Senior Best Practices Engineer.conf2017 Version 0.0

Forward-Looking Statements During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. 2017 Splunk Inc. All rights reserved.

2017 SPLUNK INC. Scale customer success through the automation of adoption services and best practices Blueprint s Mission

What s a Burch? Senior Best Practices Engineer Was a Senior Sales Engineer Before that, Splunk Customer Before that, Middleware Eng Before that, Computer Science Before that, an idea of my parents

2017 SPLUNK INC. 1. How I Learned Agenda Coo wit u? 2. Searching Pretty Searches Search Performance Accuracy 3. Evolved Ideas

How I Learned Now this is a story all about how

Search Tutorial Free Search Tutorial -> docs.splunk.com -> Search Tutorial 2017 SPLUNK INC. Downloads & Installs Splunk Add tutorial data Local sandbox

Quick Reference Guide Search splunk quick reference guide

Search Command Reference docs.splunk.com -> Splunk Enterprise -> Search and report -> Search Reference -> Commands by category

Splunk! The Book www.splunk.com/goto/book

Splunk User Groups usergroups.splunk.com

Free Education! splunk.com/education

But now I have questions

answers.splunk.com Community Q&A E-mail notifications Fast answers Larger distribution

Searching

2017 SPLUNK INC. Pretty Searches I feel pretty, oh so pretty

Weak: Keep it kosher Params, cosmetics, combine (rename, evals) rename machine as host for later rename net as Subnet sort host for later timechart count by host for later span=1h Strong: timechart span=1h count by machine sort machine rename machine AS host for later, net AS Subnet

Help me?! n00b Ninja

Ninja: Debug This Where s Waldo eval max_runtime?!

n00b: Debug This Keyboard Command: Ctrl + \ or Command + \

Search Interface Improvements Default Suggestion

What the?! Speaking of UI Soooo sssllllloooowwww Dude! Where s my fields?!

Search Mode Speaking of UI Soooo sssllllloooowwww Dude! Where s my fields?!

Event Types & Tags Weak: index=oidemo host=dmzlog.splunktel.com sourcetype=access_combined source=/opt/apache/log/access_combined.log iphone user_agent="*iphone* stats count by action Strong: tag=iphone_event or eventtype=web_logs

Dereference Finesse Weak: index=internal eval ERROR = case( log_level == ERROR, message ) eval WARN = case( log_level == WARN, message ) eval INFO = case( log_level == INFO, message ) Strong: index=_internal eval {log_level} = message

Weak: Pretty Searches: coalesce s cooler than if eval size = if( isnull(bytes), if( isnull(b), "N/A", b ), bytes ) Strong: eval size = coalesce( bytes, b, "N/A" )

Macros Keyboard Shortcut: Control-Shift-E or Command-Shift-E Repeatable Code Expand in UI docs.splunk.com Help reading searches

Time and Units Weak: eval new_time = <ridiculous string edits> Strong: convert ctime(duration) bin span=1h _time eval pause = tostring( pause, duration ) rename new_time as _time

2017 SPLUNK INC. Search Performance He's a demon on wheels

Search Performance Improvement docs.splunk.com Search Job Inspector events per second = events / seconds results per second = results / seconds

Less is more Weak: iphone stats count by action search action=applewebkit Strong: iphone action=applewebkit stats count

NOT NOTs Weak: index=burch NOT blah=yay blah=cool Strong: index=burch blah=duh index=burch blah!=yay Implies ( blah!=yay blah=* )

stats vs dedup/transaction Weak: phone=* dedup phone table phone sort phone Strong: phone=* stats count by phone, host fields - count phone=* transaction host table host, phone Pro Tip: Table is cosmetic Fields is reducing

Avoid Subsearches Weak: index=burch eval blah=yay append [ search index=simon eval blah=duh ] Strong: ( index=burch ) OR ( index=simon ) eval blah=case( index== burch", "yay", index== simon", "duh" ) (format and return commands for returning results)

foreach FTW! Weak: timechart span=1h limit=0 sum(eval(b/pow(1024,3))) as size by st Strong: timechart span=1h limit=0 sum(b) by st foreach * [ eval <<FIELD>> = '<<FIELD>>' / pow( 1024, 3 ) ]

Weak: transaction host Transaction Mo data, Mo problems! Strong: transaction maxspan=10m maxevents=100

metadata Weak: index=* stats count by host Strong: metadata index=* type=hosts

eventcount Weak: index=* stats count by index Strong: eventcount summarize=false index=*

Dashboard Performance If your dashboard... Then use...has many similar searches Post-process is viewed by many is viewed by few Scheduled report (cache) Inline Searches

Pretty SimpleXML Keyboard Command: CTRL + Shift + F or Command + Shift + F

Metrics Explorer for Splunk https://splunkbase.splunk.com/app/3726/

Accuracy 2017 SPLUNK INC.

Require Fields Weak: iphone stats count Wrong Results: Pulls both phone=iphone and user_agent=*iphone* Strong: phone=iphone stats count Remember: iphone is not the same as iphone6s

Weak: iphone stats count by action Be specific Time Selector! Strong: index=oidemo host=dmzlog.splunktel.com sourcetype=access_combined source=/opt/apache/log/access_combined.log iphone user_agent="*iphone* stats count by action

Weak: SPL Testing Regex, strptime, etc index=* head eval blah = try to do stuff Strong: makeresults eval blah = try to do stuff

Create New Fields?! rex different for each person

Extract Fields Search: docs.splunk.com field extractor 2017 SPLUNK INC.

Play it Safe

_time Event Time Hidden Fields: Time docs.splunk.com Search Time Modifiers _indextime Index Time What does a big difference mean?

_time earliest latest Event Time Hidden Fields: Time docs.splunk.com Search Time Modifiers _indextime Index Time _index_earliest _index_latest

Snap-To Times Weak: Strong:

Time Fields Weak: Strong:

Alerts

Evolved Ideas 2017 SPLUNK INC.

Acceleration Options Knowledge Manager Manual > Use data summaries to accelerate searches > Manage report acceleration Summary Indexing Report Acceleration Data Model Acceleration Benefits Save disk space Control on impact to system Limits Gaps Intellectually difficult Backfill Backfill Simple Requires transforming Specific to search Backfill Simple Extensible Search Agnostic Massive if misused

Don t Scare Your Admins Impress Them! Accelerations Scheduled Searches Real Time Searches Search Limits

Medium Matters

Search Consumption Alerts vs Dashboards vs Searches Root Cause Unknown Root Cause Known Unaware Issue Exists Screens (Dashboards/GT) Changes in behavior Data Driven KPIs Notice patterns Aware Issue Exists Investigations (SPL) Go Spelunking! Alerts until Fixed Monitor for known symptoms Adaptive Response Actionable

Search Consumption Alerts vs Dashboards vs Searches Root Cause Unknown Root Cause Known Unaware Issue Exists Screens (Dashboards/GT) Changes in behavior Data Driven KPIs Notice patterns Aware Issue Exists Investigations (SPL) Go Spelunking! Alerts until Fixed Monitor for known symptoms Adaptive Response Actionable

Search Consumption Alerts vs Dashboards vs Searches Root Cause Unknown Root Cause Known Unaware Issue Exists Screens (Dashboards/GT) Changes in behavior Data Driven KPIs Notice patterns Aware Issue Exists Investigations (SPL) Go Spelunking! Alerts until Fixed Monitor for known symptoms Adaptive Response Actionable

2017 SPLUNK INC. 1. How I Learned Wrap Up 2. Searching Pretty Searches Search Performance Accuracy 3. Evolved Ideas

2017 SPLUNK INC. 1. Rate this! (be honest) 2. Collaborate: #bestpractices Sign Up @ http://splk.it/slack What Now? 3. Customer Success Studio 4. More talks, search for Blueprints Burch Champagne Delaney Optimization Best Practices Veuve

2017 SPLUNK INC. Questions & Discussion? Don't forget to rate this session in the.conf2017 mobile app

Search with Burch: Sourcetypes

Search with Burch: Index

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback