Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction Profiler

Copyright © 2014 Splunk Inc.

Ma:hias Maier Sales Engineer, Splunk

Dashboard Fun CreaCng an interacCve TransacCon Profiler

Disclaimer

2

During the course of this presentaCon, we may make forward-‐looking statements regarding future events or the expected performance of the company. We cauCon you that such statements reflect our current expectaCons and

esCmates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements,

please review our filings with the SEC. The forward-‐looking statements made in the this presentaCon are being made as of the Cme and date of its live presentaCon. If reviewed aPer its live presentaCon, this presentaCon may not contain current or accurate informaCon. We do not assume any obligaCon to update any forward-‐looking statements we may make. In addiCon, any informaCon about our roadmap outlines our general product direcCon and is subject to change at any Cme without noCce. It is for informaConal purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligaCon either to develop the features or funcConality described or to

include any such feature or funcConality in a future release.

Who I am

3

!   Sales Engineer in Germany ! Splunker nearly 2 years !   Like to get hands on real world scenarios !   CISSP !   Worked in the past for McAfee (Security) and Tibco (AnalyCcs)

Self AnalyCcs / TransacCon Profiler Dashboard

•  Goals: –  Self exploraCon of data –  Gaining Ideas from other departmental users for new use cases and

business insight ê  “Do we have this informaCon available?” ê  “Can we add this?” ê  “Can we correlate with this?”

–  How to get to this stage?

4

Adding Value

5

I loaded 1.000.000 Records. Start to add value for other departments

You might want to provide an impressive starCng point for other people to explore the Data

(Next to the RAW Searches and DATA Models)

Challenge for Machine Data in Business Context

!   Not every user who can benefit might have SPLK Language skills !   Not every user is creaCve with data in the first step !   YOU as a Splunk Data Analyst might not be able to interpret business data for Business Insights

6

DemonstraCon

7

Demo (That is what you learn how to create/get this aPer my session):

Profiling Dashboard

TransacCon Profiler With IP Traffic

8

Start With One Single “TransacCon”

1.  Search and InvesCgate a TransacCon Field ‒  Filter down to one session

9

Sample “transac7on” fields

Username + Session InformaCon

TransacCon ID

Order-‐ID

E-‐Mail Address

Service Name

IP-‐Address/Hostname/System name

Interview

2.  Go to a object ma:er expert and let them explain what happened in this session

10

DemonstraCon

11

Demo (raw search, explain data-‐set)

TransacCon Profiler With IP Traffic

12

Create Dashboards 3.  Create consistent dashboards by using some of the following

methods

13

Search Descrip7on

… | Cmechart count Easiest one ever

… | stats dc(<fieldname>) by <fieldname> DisCnct count gives a lot of interesCng insights: •  Why is this user logging on from so many different systems •  Why has this transacCon id so many different status codes •  Why is this IP communicaCng to so many desCnaCon ports

… | transacCon <fieldname> | table duraCon

As single value How long did it take?

… | head 1 | table _Cme … | tail 1 | table _Cme

•  When was the first “session”, •  When was the last “interacCon with the system”

DemonstraCon

14

Demo (dashboard with some single values + stats +

Cme charts based on ONE TransacCon)

My IP Profiler

15

Create Drop Down Lists

4.  Create drop down lists and input fields to make the dashboard interacCve ‒  Thanks to Version 6.1 it can be done via the Gui without coding ‒  Review the dashboard example app for addiConal visualizaCon tricks

5.  Tokenize the searches to make them flexible

16

DemonstraCon

17

Demo (add free text field, pickers (dynamic), token

fields + replace single transacCon id with token)

My IP Profiler

18

Example

19

We are not done

6.  Make sure you add default values for each of the drop down fields. So in case someone wants to see something, you guide him to the right choice to get a dashboard populated.

20

DemonstraCon

21

Demo (add default values and show first user experience accessing the dashboard)

24

TransacCon Profiler Use Cases for… !   Helpdesk !   Support Desk !   Second + Third Level Support !   Developers of In House

ApplicaCons !   Service Level Manager !   MarkeCng Departments !   IT-‐Security / SIEM Use Cases !   Business Fraud DetecCon

Search and InvesCgate a Single TransacCon

Review transacCon with a subject ma:er expert from the

business

Create a Dashboard for a single transacCon

Create drop downs for exploraCon Tokenize the searches

Set default values

Gain new ideas and business insight from Machine Data • Give this in the hand’s of Business People for

• gather Feedback and tune

Special Offer: Try Splunk MINT Express for Free! Splunk MINT offers a fast path to mobile intelligence. How fast?

Find out with a 6-‐month trial*

•  Register for your free trial: h:p://mint.splunk.com/conf2014offer

•  Download the Splunk MINT SDKs •  Add the Splunk MINT line of SDK code and publish**

•  Start gexng digital intelligence at your fingerCps!

*Offer valid for .conf2014 a5endees and coworkers of a5endees only.

**Trial allows monitoring of up to 750,000 monthly acDve users (MAUs).

25

THANK YOU Contact: ma:[email protected]

Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction Profiler

Technology

Transcript of Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction Profiler