Use this practical guide to the Splunk operational data intelligence platform to search, visualize, and analyze petabyte-scale, unstructured machine data. Get to the heart of the platform and use the Search Processing Language (SPL) tool to query the platform to find the answers you need.
With more than 140 commands, SPL gives you the power to ask any question of machine data. However, many users (both newcomers and experienced users) find the language complex and difficult to grasp. This book takes you through the basics of SPL using plenty of hands-on examples and emphasizes the most impactful SPL commands (such as eval, stats, and timechart). You will learn the most efficient ways to query Splunk (such as the drawbacks of subsearches and join, and why it makes sense to use tstats). You will be introduced to lesser-known commands that can be very useful, such as rex to extract fields and erex to generate regular expressions automatically.
In addition, you will learn how to create basic visualizations (such as charts and tables) and use prescriptive guidance on search optimization. For those ready to take it to the next level, the author introduces advanced commands such as predict, kmeans, and cluster.
What You Will Learn
Use real-world scenarios (such as analyzing a web access log) to search, group, correlate, and create reports using SPL commands
Enhance your search results using lookups and create new lookup tables using SPL commands
Extract fields from your search results
Compare data from multiple time frames in one chart (such as comparing your current day application performance to the average of the past 30 days)
Analyze the performance of your search using Job Inspector and identify execution costs of various components of your search
Author(s): Karun Subramanian
Publisher: Apress
Year: 2020
Language: English
Pages: 279
Table of Contents
About the Author
About the Technical Reviewer
Acknowledgments
Introduction
Chapter 1: Introducing the Splunk Platform
Machine Data
What Is Machine Data?
Events
Logs
Traces
Metrics
Time-Series Nature of Machine Data
The Value of Machine Data
IT Operations and Monitoring
Security and SIEM
Business Analytics
AIOps
The Shortcomings of Machine Data
Size
Speed
Structure
Distribution
The Splunk Operational Data Intelligence Platform
Primary Functions of Splunk
Architecture of Splunk Platform
Indexer
Search Head
Forwarder
Introducing Splunk Search Processing Language (SPL)
Syntax of SPL
Commands
Literal Strings
Key-Value Pairs
Wildcard
Comparison Operators
Boolean
Functions
Arithmetic Operators
The Search Pipeline
Navigating the Splunk User Interface
Installing Splunk
Logging onto Splunk Web
1. Splunk Bar
2. App Bar
3. App Icon and Label
4. Search Bar
5. Time Range Picker
6. Search History
Write Your First SPL Query
Using Splunk Tutorial Data
Download Splunk Tutorial Data Zip File
Add Splunk Tutorial Data Zip File into Splunk
Turning on Search Assistant
Search Modes
Fast Mode
Verbose Mode
Smart Mode
Run the Search
What Happens When You Run the Search?
Timeline
Fields Sidebar
Event Details
Key Takeaways
Chapter 2: Calculating Statistics
Stats
A Quick Example
Syntax
Counting Events
Counting a Field
Counting Using eval Expressions
Calculating Distinct Count
Splitting the Results
Producing Aggregation Statistics
Listing Unique Values
Using Time-Based Functions
Event Order Functions
Eventstats and Streamstats
Eventstats
Streamstats
Using Top and Rare
Chart
Eval
Eval Expressions
Calculating
Converting
Formatting
Rounding
Performing Conditional Operations
Creating Visualizations
Switching the Type of Visualization
Line Chart
Area Chart
Column Chart
Bar Chart
Pie Chart
Plotting Multiple Data Series
Key Takeaways
Chapter 3: Using Time-Related Operations
Splunk and Time
A Note About Time Zone
Timechart
Specifying Time Span
Using Aggregation Functions
Using Split-by Fields
Basic Examples
Additional Useful Tips
Retrieving Events in Time Proximity
Using the date_time Fields
Using Time Modifiers
Specifying a Snap-to Time Unit
Advanced Examples
Comparing Different Time Periods
Comparing the Current Day with Average of the Past 30 Days
Using Time Arithmetic
Key Takeaways
Chapter 4: Grouping and Correlating
Transactions
Using Field Values to Define Transactions
Using Strings to Define Transactions
Using Additional Constraints
maxspan
maxpause
maxevents
What Happens to the Fields in a Transaction?
Finding Incomplete Transactions
Subsearches
Constructing a Subsearch
Problems with Subsearches
Join
Constructing a Join
Problems with Join
Append, Appendcols, and Appendpipe
Append
Appendcols
Appendpipe
Key Takeaways
Chapter 5: Working with Fields
Why Learn About Fields?
Tailored Searches
Insightful Charts
Flexible Schema
Index-Time vs. Search-Time Fields
Automatically Extracted Fields
Default Fields
Internal Fields
Fields Extracted Through Field Discovery
Manually Extracting Fields
Using Field Extractor Wizard
Using Field Extractions Menu
A Primer on Regular Expressions
Using Rex Command
Using Fields
Filtering
Sorting
Deduping
Key Takeaways
Chapter 6: Using Lookups
Types of Lookups
File-Based Lookups
Creating a Lookup Table
Uploading the Lookup Table File
Verifying the Lookup Table Contents
Using Lookups
The Lookup Command
Maintaining the Lookup
Using the outputlookup Command
Lookups Best Practices
Creating Automatic Lookups
Key Takeaways
Chapter 7: Advanced SPL Commands
predict
kmeans
cluster
Outlier
fillnull and filldown
convert
Handling Multivalued Fields
makemv
nomv
mvexpand
mvcombine
mvcount
mvindex
mvfilter
mvfind
mvjoin
mvsort
split
Extracting Fields from Structured Data
spath
Key Takeaways
Chapter 8: Less-Common Yet Impactful SPL Commands
iplocation
geostats
untable
xyseries
bin
tstats
Using where and by Clause
Querying Against Accelerated Data Models
Splitting by _time
Caveats with tstats
eval coalesce Function
erex
addtotals and addcoltotals
loadjob
replace
savedsearch
Key Takeaways
Chapter 9: Optimizing SPL
Factors Affecting Performance of SPL
Quantity of Data Moved
Time Range of the Search
Splunk Server Resources
Optimizing Searches
Use Fast or Smart Search Mode
Narrow Down Time Range
Filter Data Before the First Pipe
Use Distributable Streaming Commands Ahead in the Pipeline
Best Practices for Scheduling Searches
Stagger Your Searches
Use cron for Maximum Flexibility
Utilize Schedule Window Setting
Useful Splunk Knowledge Objects to Speed Up Searches
Accelerated Reports
Summary Indexes
Accelerated Data Models
Using Job Inspector
Key Takeaways
Index