SplunkLive Wellington 2015 - New Features, Pivot and Search Dojo
•
0 gostou•392 visualizações
Splunk Enterprise - new features, pivot and search dojo
Recomendados
Recomendados
Mais conteúdo relacionado
Destaque
Semelhante a SplunkLive Wellington 2015 - New Features, Pivot and Search Dojo
Semelhante a SplunkLive Wellington 2015 - New Features, Pivot and Search Dojo (20)
Mais de Splunk
Mais de Splunk (20)
Último
Último (20)
SplunkLive Wellington 2015 - New Features, Pivot and Search Dojo
- 1. New Features, Pivot and Search Dojo David Anso Technical Enablement Manager, GKC
- 2. 2 Safe Harbor Statement During the course of this presentaDon, we may make forward looking statements regarding future events or the expected performance of the company. We cauDon you that such statements reflect our current expectaDons and esDmates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements, please review our filings with the SEC. The forward-‐looking statements made in this presentaDon are being made as of the Dme and date of its live presentaDon. If reviewed aOer its live presentaDon, this presentaDon may not contain current or accurate informaDon. We do not assume any obligaDon to update any forward looking statements we may make. In addiDon, any informaDon about our roadmap outlines our general product direcDon and is subject to change at any Dme without noDce. It is for informaDonal purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligaDon either to develop the features or funcDonality described or to include any such feature or funcDonality in a future release.
- 3. New Features Pivot Search Dojo AGENDA
- 5. 5 New Features Demo: Splunk 6.3 Overview App
- 6. Pivot
- 7. 7 Pivot Demo: Instant Pivot
- 8. 8 Pivot Demo: Instant Pivot Pivot Tutorial
- 9. 9 Pivot Demo: Instant Pivot Pivot Tutorial Splunk CIM Data Model
- 10. Search Dojo
- 11. 11 Search Dojo Comment your search: sourcetype=access_combined | eval COMMENT="Examine all web logs" sourcetype=access_combined_wcookie | rename COMMENT AS "Examine all web logs"
- 12. 12 Search Dojo
- 13. 13 Search Dojo
- 14. 14 Search Dojo Use a subsearch to improve performance. sourcetype=access_combined [|inputlookup ip_watchlist.csv | search type=malicious | fields clientip ]
- 15. 15 Search Dojo Use a subsearch to search for text rather than a field. sourcetype=access_combined [|inputlookup ip_watchlist.csv | search type=malicious | fields clientip | rename clientip as query ]
- 16. 16 Search Dojo Issues with the subsearch approach: Subsearches have a limit of 10,000 results. If there are more result for the subsearch, only 10,000 of them will make it through. While searching text may prove faster, it will prevent you matching any field values that are created by calculated fields, lookups, etc.
- 17. 17 Search Dojo Ensuring your search returns a result: | inputlookup malwaredomains.csv |head 10 | append [ |stats count | eval domain="splunk.com" | eval category="exploits" | eval isbad="false" | eval reference="Test match to ensure results from search" ]