SplunkLive Wellington 2015 - New Features, Pivot and Search Dojo
1. New Features, Pivot and Search Dojo
David Anso, Technical Enablement Manager, GKC
2. Safe Harbor Statement
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
11. Search Dojo
Comment your search:
    sourcetype=access_combined | eval COMMENT="Examine all web logs"
    sourcetype=access_combined_wcookie | rename COMMENT AS "Examine all web logs"
14. Search Dojo
Use a subsearch to improve performance.
    sourcetype=access_combined [ | inputlookup ip_watchlist.csv | search type=malicious | fields clientip ]
15. Search Dojo
Use a subsearch to search for text rather than a field.
    sourcetype=access_combined [ | inputlookup ip_watchlist.csv | search type=malicious | fields clientip | rename clientip as query ]
16. Search Dojo
Issues with the subsearch approach:
- Subsearches have a limit of 10,000 results. If there are more results for the subsearch, only 10,000 of them will make it through.
- While searching text may prove faster, it will prevent you matching any field values that are created by calculated fields, lookups, etc.
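As an added example (not part of the deck), the Python below models what slides 14 to 16 rely on: the subsearch result rows become OR'd terms in the outer search, `rename clientip as query` turns them into bare text terms, rows past the 10,000 cap are dropped, and a text term cannot hit a field that only exists after a lookup. The watchlist, the events and the lookup-derived `threat` field are constructed; the expanded-string format is a model of the semantics, not Splunk's exact output, and the third event goes beyond the deck by showing a text term also matching an IP that sits in a query string.

```python
# Added example, not from the SplunkLive deck. Models the semantics of the
# subsearch in slides 14/15, the row cap from slide 16, and the field-vs-text
# caveat. Watchlist, events and the lookup-derived `threat` field are constructed.
import csv
import io
SUBSEARCH_LIMIT = 10000  # default cap on rows a subsearch hands back
WATCHLIST_CSV = """clientip,type
10.0.0.5,malicious
10.0.0.9,benign
203.0.113.7,malicious
"""

# Constructed access_combined events. `threat` is what a lookup on clientip
# would add at search time; it never appears in _raw.
EVENTS = [
    {"_raw": '10.0.0.5 - - "GET / HTTP/1.1" 200 512', "clientip": "10.0.0.5", "threat": "known_c2"},
    {"_raw": '10.0.0.9 - - "GET /a HTTP/1.1" 200 99', "clientip": "10.0.0.9", "threat": ""},
    {"_raw": '198.51.100.2 - - "GET /?ref=10.0.0.5 HTTP/1.1" 404 0', "clientip": "198.51.100.2", "threat": ""},
]

def subsearch(csv_text, wanted_type="malicious"):
    """| inputlookup ip_watchlist.csv | search type=malicious"""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if r["type"] == wanted_type]

def expand(rows, field, as_text=False, limit=SUBSEARCH_LIMIT):
    """Model of how the outer search receives the subsearch: one term per row,
    OR'd together. `| fields clientip` gives field terms; `| rename clientip
    as query` (slide 15) gives bare text terms. Rows past `limit` are dropped."""
    kept = rows[:limit]
    terms = [f'"{r[field]}"' if as_text else f'{field}="{r[field]}"' for r in kept]
    return "(" + " OR ".join(terms) + ")"

def field_match(events, field, values):
    """Field term: compares the extracted or looked-up field value exactly."""
    return [e for e in events if e.get(field) in values]

def text_match(events, values):
    """Text term: matches wherever the value occurs in _raw, fields ignored."""
    return [e for e in events if any(v in e["_raw"] for v in values)]

if __name__ == "__main__":
    rows = subsearch(WATCHLIST_CSV)
    print(expand(rows, "clientip"))                 # field terms
    print(expand(rows, "clientip", as_text=True))   # text terms
    print(expand(rows, "clientip", limit=1))        # cap silently drops the rest
    bad = {r["clientip"] for r in rows}
    print(len(field_match(EVENTS, "clientip", bad)))  # 1
    print(len(text_match(EVENTS, bad)))               # 2: also the ?ref= hit
    print(len(text_match(EVENTS, {"known_c2"})))      # 0: lookup field not in _raw
```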
17. Search Dojo
Ensuring your search returns a result:
    | inputlookup malwaredomains.csv | head 10 | append [ | stats count | eval domain="splunk.com" | eval category="exploits" | eval isbad="false" | eval reference="Test match to ensure results from search" ]