1. Search Language - Beginner
Dan Plaza, Senior Instructor
Copyright © 2013 Splunk Inc.

2. Agenda
• Getting Started
• Basic Searching
• Navigating through Results
• Using Fields
• Saving Searches
• Next Steps

3. About Your Presenter
• Senior Instructor
• Splunker since November 2010
• Experience in database, security, web apps and compliance standards
• Constantly amazed by the cool stuff Splunk can do

4. Getting Started (section)

5. Launching the Search App
(screenshot only)

6. Summary View
(screenshot callouts: current view; global stats; menus and action links; time range picker; data sources; search box)

7. Basic Searching (section)

8. Basic Search
Everything is searchable
• * wildcard supported
• Search terms are case insensitive
• Booleans AND, OR, NOT
  – Booleans must be uppercase
  – Implied AND between search terms
  – Use () for complex searches
• Quote phrases
Example searches:
  fail*
  fail* nfs
  error OR 404
  error OR failed OR (sourcetype=access_*(500 OR 503))
  "login failure"

9. Search Results
(screenshot callouts: timeline; field sidebar; timestamp; event data; highlighted search terms)

10. Events
• Searches return events
• An event is a single piece of data in Splunk, like a record in a log file or other data input
• Splunk breaks up data into individual events and gives each a timestamp, host, source and source type

11. Selecting the Time Range
• By default, Splunk searches over all time
• Use the time range picker to narrow your search, or search in real time

12. Real-time Searching
• Real-time searching allows you to view events as they stream into Splunk
• Useful in troubleshooting an active issue or creating critical alerts

13. Navigating Through Results (section)

14. Navigating Search Results – Click
Click a term in the events to add it to the search

15. Navigating Results – Alt+Click
Alt+click a term in the events to remove events with that term from the results

16. Navigating Results – Timeline
Click a bar in the timeline to drill down to events that occurred in that time period

17. Navigating Results – Timeline (cont.)
These are not functional unless part of the timeline is selected. You can also zoom out to broaden the time range.

18. Indicating a Custom Time Range
• Select custom time from the time range picker to indicate specific date or relative time ranges

19. Using Fields (section)

20. What are Fields?
• Gives more focus to your searches
• There are 2 types of fields:
  – Default fields – host, source, sourcetype. These fields exist for every event in Splunk.
  – Data-defined fields – fields specific to a given type of data

21. Discovering Fields
• Splunk extracts fields from events, for example, the action field
• In this set of events, the action field has five values

22. Use the Field Sidebar
(screenshot callouts: remove events from results that don't have the field; create reports; click on a value to add to the search; ALT + click on a value to remove from a search)

23. Searching with Fields
• This search example returns events where:
  – The sourcetype – or type of data – is apache weblogs
  – The action field has a value of purchase
  – The HTTP status returned was NOT 200
  sourcetype=access_* action=purchase status!=200
72 events where an e-commerce purchase failed because of an HTTP error!!
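As an added example (not from the slides, and not Splunk's own code), here is a small Python evaluator for exactly the syntax the Basic Search and Searching with Fields slides cover, run over a handful of constructed events: * wildcards, case-insensitive terms, uppercase-only booleans, implied AND, parentheses, quoted phrases and field=value / field!=value. It assumes Splunk's documented precedence (parentheses, then NOT, then OR, then AND) and Splunk's rule that field!=value, unlike NOT field=value, only matches events that actually carry the field; the slides state neither.

```python
import re

# Constructed sample events (not from the slides). Each has its raw text plus the
# fields Splunk would attach: the default field sourcetype and the data-defined
# fields action and status. The last event deliberately has no status field.
EVENTS = [
    {"_raw": "GET /cart 200", "sourcetype": "access_combined", "action": "purchase", "status": "200"},
    {"_raw": "GET /cart 503", "sourcetype": "access_combined", "action": "purchase", "status": "503"},
    {"_raw": "GET /cart 500", "sourcetype": "access_common", "action": "purchase", "status": "500"},
    {"_raw": "GET /index.html 404", "sourcetype": "access_combined", "action": "view", "status": "404"},
    {"_raw": "May  2 10:01:12 nfs mount FAILED for client 10.1.1.9", "sourcetype": "syslog"},
    {"_raw": "May  2 10:02:30 sshd: login failure for user bob", "sourcetype": "syslog"},
    {"_raw": "May  2 10:03:01 app: unexpected ERROR in worker", "sourcetype": "app_log"},
    {"_raw": "GET /cart", "sourcetype": "access_combined", "action": "purchase"},
]

# A token is a quoted phrase, a parenthesis, or a bare word; "access_*(500" splits before "(".
TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|[^\s()"]+')

def wildcard_re(pattern):
    """'*' matches any run of characters; everything else is literal and case-insensitive."""
    return re.compile(re.escape(pattern).replace(r"\*", ".*"), re.IGNORECASE)

class Parser:
    """Recursive-descent parser for the search syntax on the slides. Precedence is Splunk's:
    parentheses, then NOT, then OR, then AND (explicit or implied). Only uppercase
    AND/OR/NOT are keywords; lowercase "and"/"or"/"not" are ordinary search terms."""

    def __init__(self, query):
        self.toks = TOKEN_RE.findall(query)  # consumed left to right with pop(0)

    def parse_and(self):  # lowest precedence: adjacent terms are an implied AND
        parts = [self.parse_or()]
        while self.toks and self.toks[0] != ")":
            if self.toks[0] == "AND":
                self.toks.pop(0)
            parts.append(self.parse_or())
        return parts[0] if len(parts) == 1 else ("AND", parts)

    def parse_or(self):
        parts = [self.parse_not()]
        while self.toks and self.toks[0] == "OR":
            self.toks.pop(0)
            parts.append(self.parse_not())
        return parts[0] if len(parts) == 1 else ("OR", parts)

    def parse_not(self):
        if self.toks and self.toks[0] == "NOT":
            self.toks.pop(0)
            return ("NOT", self.parse_not())
        return self.parse_primary()

    def parse_primary(self):
        tok = self.toks.pop(0)  # IndexError here means the search ended early
        if tok == "(":
            inner = self.parse_and()
            if not self.toks or self.toks.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if tok.startswith('"'):  # quoted phrase
            return ("PHRASE", tok.strip('"'))
        for op, kind in (("!=", "FIELD_NE"), ("=", "FIELD_EQ")):
            if op in tok:
                return (kind,) + tuple(tok.split(op, 1))
        return ("TERM", tok)  # bare word, may contain * wildcards

def matches(node, event):
    kind = node[0]
    if kind == "AND":
        return all(matches(n, event) for n in node[1])
    if kind == "OR":
        return any(matches(n, event) for n in node[1])
    if kind == "NOT":
        return not matches(node[1], event)
    if kind == "PHRASE":  # quoted phrase: case-insensitive substring of the raw text
        return node[1].lower() in event["_raw"].lower()
    if kind == "TERM":  # bare term: must match a whole token of the raw text
        rx = wildcard_re(node[1])
        return any(rx.fullmatch(t) for t in re.findall(r"[\w.]+", event["_raw"]))
    # field=value and field!=value both require the field to exist on the event,
    # which is why "status!=200" and "NOT status=200" can return different counts.
    if node[1] not in event:
        return False
    hit = wildcard_re(node[2]).fullmatch(event[node[1]]) is not None
    return hit if kind == "FIELD_EQ" else not hit

def search(query, events=EVENTS):
    """Return the events the search matches, like the Search app's event list."""
    parser = Parser(query)
    tree = parser.parse_and()
    if parser.toks:
        raise ValueError("unexpected token: " + parser.toks[0])
    return [e for e in events if matches(tree, e)]
```

Running the slide's own searches through it shows why the two exclusion forms differ: status!=200 silently drops the truncated access event that has no status field at all, which matters when the search is meant to catch every failed purchase.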

SplunkLive! Washington DC May 2013 - Search Language Beginner
