Search Language Beginner Guinn Session 1
Transcript of Search Language Beginner Guinn Session 1
8/3/2019 Search Language Beginner Guinn Session 1
http://slidepdf.com/reader/full/search-language-beginner-guinn-session-1 1/24
Splunk Worldwide Users' Conference, The Palace Hotel, San Francisco, CA
August 9-11, 2010
Lisa Guinn
Search Language Beginner
© Copyright Splunk 2010, Splunk Worldwide Users' Conference

Agenda
• Getting Started
• Searching
• Saving Searches
• Reporting and Dashboards
One Splunk. Many uses.
• Security & Compliance
• Operations Management
• Application Management
• The Long Tail...
Universal Indexing
Works with data from any application, server or network device.

Data Inputs
• Continuous real-time indexing
• Handles any data format, no custom adapters
• Automatically identifies and indexes multiline events and timestamps
• Index full event content
• Highly-efficient file system datastore
• Schema-less, no RDBMS
• Data signed for authenticity
• High performance and scale

Network Ports
• Listen to any port
• TCP/UDP
• syslog, SNMP, IMAP, POP3, JMS

Files
• Monitor active files
• Batch upload files
• Web, application, server and device logs

Custom Scripts & APIs
• Scheduled polling
• WMI, perfmon, AD, LDAP, SQL/DBI, OPSEC, LEA, JMX, VMware, PowerShell

File Systems
• Monitor changes
• Configurations
• Password files
• Critical scripts and code
After Splunk login
• If you've just installed Splunk, add some data first!
• Click here to start searching
Summary view
• What's available to search?
• Time selector
• Search box
Basic Search
  fail*
  error OR 404
  fail* nfs
  "login failure"
  error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
• Everything is searchable
• * wildcard is supported
• Search terms are case insensitive
• Booleans AND, OR, NOT
• Booleans must be uppercase
• Implied AND between search terms
• Use () for complex searches
• Quote phrases
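To make the rules on this slide concrete, here is an added example that is not part of the original deck and not Splunk's own code: a small Python model of the search language that applies the five example searches above, plus the sourcetype-and-action filter used later in the session, to a handful of constructed sample events. It assumes a tiny event set (three access_combined lines with sourcetype, status and action fields already extracted, three syslog lines) and models term matching crudely: a bare keyword must match a whole term of the raw event, a quoted phrase is a substring match, and field=value is checked against the extracted field, all case-insensitively with * as the wildcard. Operator precedence follows Splunk's documented order (parentheses, then NOT, then OR, then the implied AND), which is why `sourcetype=syslog error OR 404` reads as syslog AND (error OR 404).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events, not from the deck: the raw line plus the few
# fields Splunk would extract at search time (sourcetype, status, action).
EVENTS: List[Dict[str, str]] = [
    {"sourcetype": "access_combined", "status": "404", "action": "update",
     "_raw": '10.0.0.5 - - [09/Aug/2010:10:01:02] "GET /cart?action=update HTTP/1.1" 404 512'},
    {"sourcetype": "access_combined", "status": "200", "action": "purchase",
     "_raw": '10.0.0.7 - - [09/Aug/2010:10:01:09] "POST /cart?action=purchase HTTP/1.1" 200 2048'},
    {"sourcetype": "access_combined", "status": "503", "action": "purchase",
     "_raw": '10.0.0.9 - - [09/Aug/2010:10:02:15] "POST /cart?action=purchase HTTP/1.1" 503 0'},
    {"sourcetype": "syslog",
     "_raw": "Aug  9 10:03:44 nfs01 sshd[4121]: Login Failure for user bob from 10.0.0.12"},
    {"sourcetype": "syslog",
     "_raw": "Aug  9 10:04:01 nfs01 mountd[77]: NFS mount FAILED for /export"},
    {"sourcetype": "syslog",
     "_raw": "Aug  9 10:05:30 web02 app[9]: error 404 while fetching /favicon.ico"},
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\(|\))|([^\s()"]+)')
WORD_RE = re.compile(r"[A-Za-z0-9_.:/@-]+")  # crude stand-in for Splunk's term breakers


def tokenize(query: str) -> List[Tuple[str, str]]:
    """Quoted phrases stay whole; only upper-case AND/OR/NOT are operators."""
    tokens = []
    for m in TOKEN_RE.finditer(query):
        if m.group(1) is not None:
            tokens.append(("PHRASE", m.group(1)))
        elif m.group(2):
            tokens.append((m.group(2), ""))
        elif m.group(3) in ("AND", "OR", "NOT"):
            tokens.append((m.group(3), ""))
        else:
            tokens.append(("TERM", m.group(3)))   # lower-case "or" is just a search term
    return tokens


def parse(tokens):
    """Recursive descent in Splunk's documented order: ( ), then NOT, then OR, then AND."""
    pos = 0

    def peek():
        return tokens[pos][0] if pos < len(tokens) else None

    def parse_and():                      # lowest precedence; AND is usually implied
        nonlocal pos
        parts = [parse_or()]
        while peek() not in (None, ")"):
            if peek() == "AND":
                pos += 1
            parts.append(parse_or())
        return ("AND", parts)

    def parse_or():                       # binds tighter than AND: `a b OR c` is a AND (b OR c)
        nonlocal pos
        parts = [parse_not()]
        while peek() == "OR":
            pos += 1
            parts.append(parse_not())
        return ("OR", parts) if len(parts) > 1 else parts[0]

    def parse_not():
        nonlocal pos
        if peek() == "NOT":
            pos += 1
            return ("NOT", parse_not())
        return parse_atom()

    def parse_atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of query")
        kind, val = tokens[pos]
        pos += 1
        if kind == "(":
            node = parse_and()
            if peek() != ")":
                raise ValueError("unbalanced parentheses")
            pos += 1
            return node
        if kind in ("TERM", "PHRASE"):
            return (kind, val)
        raise ValueError(f"unexpected {kind}")

    tree = parse_and()
    if pos != len(tokens):
        raise ValueError("unexpected ')'")
    return tree


def wild(pattern: str):
    """`*` matches any run of characters; everything else is literal and case-insensitive."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.I)


def match(node, event: Dict[str, str]) -> bool:
    kind, val = node
    if kind == "AND":
        return all(match(n, event) for n in val)
    if kind == "OR":
        return any(match(n, event) for n in val)
    if kind == "NOT":
        return not match(val, event)
    if kind == "PHRASE":                  # quoted phrase: case-insensitive substring of the raw event
        return val.lower() in event["_raw"].lower()
    if "=" in val:                        # field=value, wildcard allowed in the value
        field, value = val.split("=", 1)
        return wild(value).match(event.get(field, "")) is not None
    rx = wild(val)                        # bare keyword: must match a whole term, not a substring
    return any(rx.match(w) for w in WORD_RE.findall(event["_raw"]))


def search(query: str, events=EVENTS) -> List[str]:
    """Return the raw text of every event the query matches."""
    return [e["_raw"] for e in events if match(parse(tokenize(query)), e)]
```

Running `search("fail* nfs")` returns only the mountd line: `fail*` matches FAILED and Failure regardless of case, but the bare term `nfs` does not match the hostname `nfs01`, so the sshd line drops out. `search("error or 404")` returns nothing, because a lower-case `or` is treated as a third required term rather than an operator, and `search("sourcetype=syslog error OR 404")` returns one event while the parenthesised `(sourcetype=syslog error) OR 404` returns two, which is the precedence trap the "Use () for complex searches" bullet is warning about.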
Selecting search time range
• Search over any past time range, or search real-time
• Search terms highlighted
• Timestamp
• Field picker
• Event data
• Time line
Navigating search results
• Use the mouse to drill down in the results: click a term to add it to the search; ALT-click a term to eliminate it from the results
• Timeline: click on a bar to view a subset of the results; select All to return to all results; zoom in or zoom out to change the time range of the search
View Events in a web server log
Simply searching on the web server log sourcetype "access_combined" displays a list of all the events within the time range.
Identify the Fields
• Splunk identifies the fields in events, including the action field
• In our results, action has two values: "update" and "purchase"
Filter the Search
To narrow down our results, we can search on the sourcetype AND the value of the action field. We'll concentrate on the value "purchase" in this case.
Two Ways to Save
• Leave start and end time blank to use current time setting
TheReportBuilder
• Select the time range
• Choose the fields and statistics
• On to formatting...
• Change chart type and title
• Click Apply to see changes
• Format X and Y axis
• Table view
• Save report and results options
• Click a bar to drill down to results
Quick and Easy Reporting
• Available from field picker
Adding a Dashboard
Choose panels
Add panels and Arrange Layout
Beyond Beginning Search
In the Search Language – Intermediate session:
• Categorize and label data using event types and tags
• Create alerts based on search results
• Use advanced commands to filter and analyze search results