We explore "Metrics, mstats and Me: Splunking Human Data" and also share some insights into the KV Store and JavaScript use in dashboards. We'll also re-cover the .conf18 updates for those who couldn't attend our last session.
6. HUMAN DATA TO SPLUNK
METRICS, | MSTATS AND ME
EDINBURGH SPLUNK USER GROUP – 22/11/2018
ANDREW MCMANUS – ASSOCIATE SECURITY CONSULTANT - ECS
7. ABOUT MYSELF
• Associate Security Consultant at ECS
• Prior - Senior/Security Operations Center Analyst at ECS
• (Non-Pearson) Credentials: Admin, Sales Rep I
• Know a lot about searches.
• Like to mess about with shiny new Splunk additions
• Type 1 Diabetic – Since 2001.
• Part Cyborg
8. DIABETES 101? ISN’T THIS A SPLUNK TALK?
• Body uses Insulin to regulate glucose between blood stream and cells
• Type 1 – Something causes destruction of the insulin-producing cells in the pancreas, causing a deficiency.
• No-one's sure of the exact cause – it's widely believed to be autoimmune-related.
• Manual injections required. Manual glucose testing required.
• Type 2 – Resistance to insulin, normally through diet or environmental factors.
• Can go into remission with treatment/diet.
• Can use injections or pills to regulate glucose content.
9. DISCLAIMER
• I’m not intentionally advocating treatments or products.
• There are pros and cons to the products/treatments mentioned
• Price, usability, comfort, reaction times…
• Yes, I can eat sugar. Common misconception.
• I shouldn’t, but that’s on me. I crave dessert too much.
• Go to your GP if you have health concerns.
10. MEASUREMENT STEPS (UNTIL 23/07/2018)
• Glucose sample from blood, via a finger pricker.
• Glucose meter takes static snapshot of blood glucose concentration
• Sample taken before major meals, and ad-hoc if required
• Insulin taken as a response to glucose result, or recommended dosage
• Aiming for between 4mmol/l and 10mmol/l glucose concentration.
11. MEASUREMENT STEPS (SINCE 23/07/2018)
• Prescribed an Abbott FreeStyle Libre sensor (other sensors are available)
• Checks glucose content in interstitial fluid below the skin, not blood
• Takes a reading every minute and calculates trending behaviour.
• Retains a rolling 8 hours' worth of data on the sensor
• Transfers readings to monitoring device, or phone, via NFC
14. LESS MEDICAL, MORE METRICAL PLEASE!
• Sensor is continuously taking metric data of glucose concentration in body.
• A phone or meter can send this metric data to a cloud service for doctors to see
• The cloud service provides an export of the metric data to a local machine.
• Metric data is Machine Data
• Splunk likes Machine Data – Splunk has special metrics gizmos baked in.
15. SPLUNK METRICS
• Meant for "collecting, investigating, monitoring, and sharing metrics from your technology infrastructure, security systems, and business applications in real time"
• Fast statistical results and visualizations using common Splunk commands
• Can't search for events in the traditional sense (i.e. security logs).
• Claims: 20x faster than equivalent accelerated log searches (tstats) and 200x faster than searches over non-accelerated logs/event data.
• What makes up a Metric?
16. SPLUNK METRICS
• Timestamp
• Timestamp of metric
• Metric Name
• dotted namespace, e.g. server.www1.response.5xx
• Value
• Numerical data point
• Dimensions
• Metadata to describe the data – e.g. AWS AZ, server name, technology name
• Can have multiple dimensions
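• Put together, a single metric sent over HEC might look like this JSON payload – the metric, value and dimensions here are illustrative:

{
  "time": 1542884254,
  "host": "www1",
  "source": "collectd",
  "event": "metric",
  "fields": {
    "metric_name": "server.www1.response.5xx",
    "_value": 13,
    "region": "eu-west-1",
    "role": "webserver"
  }
}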
17. GETTING METRICS IN
• Various methods:
• | mcollect, HEC, StatsD, collectd, CSV to metrics, Splunk Insights for Infrastructure app
18. COLLECTD
• https://collectd.org
• Periodically collects system and application performance metrics.
• Point collectd's write_http plugin at HEC with the collectd_http sourcetype (sketch below)
• Quick Demo – Computer Metrics
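• A minimal write_http sketch along the lines of the Splunk docs – the URL, channel GUID, token and index are all placeholders:

LoadPlugin write_http
<Plugin write_http>
  <Node "splunk_hec">
    URL "https://splunk.example.com:8088/services/collector/raw?channel=<GUID>&sourcetype=collectd_http&index=computer_metrics"
    Header "Authorization: Splunk <HEC token>"
    Format "JSON"
    Metrics true
    StoreRates true
  </Node>
</Plugin>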
19. METRICS FROM LAPTOP
Hint: Don’t be like me. Use Splunk App for Infrastructure
(https://splunkbase.splunk.com/app/3975/)
Sets Collectd up for you.
20. DIABETIC DATA TO METRIC_CSV
• Data needed to be transformed to match the metric_csv sourcetype
• Quick and dirty Python script to import the CSV, transform timestamps and collapse the data to the expected fields (see the sketch after this list)
• Write to a new file and ingest it via a monitor input
• Danger – there's no "| delete" method for metrics: once it's in, it's in.
• Keep that in mind if monitoring a file, or one-shotting data in.
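• A minimal sketch of that transform, assuming the export carries "Time" and "Historic Glucose (mmol/L)" columns – the column names, timestamp format and file paths are illustrative, so check your own export first:

import csv
from datetime import datetime

SRC = "libre_export.csv"      # raw export from the cloud service
DST = "glucose_metrics.csv"   # new file picked up by the Splunk monitor input

with open(SRC, newline="") as src, open(DST, "w", newline="") as dst:
    reader = csv.DictReader(src)
    writer = csv.writer(dst)
    # the metric_csv sourcetype expects these columns (plus optional dimensions)
    writer.writerow(["metric_timestamp", "metric_name", "_value"])
    for row in reader:
        # string timestamp -> epoch seconds (naive local time; format varies by export)
        ts = datetime.strptime(row["Time"], "%d/%m/%Y %H:%M")
        value = row.get("Historic Glucose (mmol/L)")
        # collapse the per-column reading into metric_name/_value rows
        if value:
            writer.writerow([int(ts.timestamp()), "personal.glucose.historic", value])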
22. MCATALOG
• List metric names, hosts and dimensions
• Useful to see what metrics you have in Splunk
• | mcatalog values(_dims) values(host) by metric_name
23. MSTATS
• Run statistical commands on metric values.
| mstats avg(_value) as "avg_glucose" WHERE metric_name="personal.glucose.historic" AND index="diabetic_data" span=1h
| append [| mstats sum(_value) as total_quick_insulin WHERE metric_name="personal.insulin.rapid.dose.units" AND index="diabetic_data" span=1h]
| append [| mstats sum(_value) as total_carbs WHERE metric_name="personal.carbohydrate.grams" AND index="diabetic_data" span=1h]
24. VIEWING METRICS – METRICS EXPLORER
• App on Splunkbase – will be added to core Splunk eventually.
25. NEW! FROM CONF 2018: METRICS WORKSPACE
• Download from Splunkbase
• One-stop shop for metric discovery, dashboarding and alerting.
• No SPL required
26. FURTHER READING
• .conf2018:
• Getting logs and metrics into metricstore (https://conf.splunk.com/files/2018/recordings/getting-logs-and-metrics-fn1888.mp4)
• New Splunk Metrics Workspace Experience (https://conf.splunk.com/files/2018/recordings/exciting-to-be-announced-fn1508.mp4)
• .conf2017:
• Getting Metrics In: Splunking Metrics – The Right Way (https://conf.splunk.com/files/2017/slides/getting-metrics-data-in.pdf)
28. THE KVSTORE FOR
FUN AND PROFIT*
* Profit not guaranteed **
** Fun not guaranteed either
29. ELEGANT CAT, SITTING
• This is my cat.
• His name is Roran.
• He also answers to “Catface.”
• I call him this because his face bears a quite uncanny resemblance to the bewhiskered visage of a cat.
• Also "Roy Cattersley", "Catweazel" and "The Floofmeister."
• When my waffle becomes intolerable, think back to his fluffy coat, his furry paws, his gentle smile. It'll all be over in no time.
• One way or another.
31. EXTENDED CHAT SUMMARISED
• As the title hints, I'm going to talk about the KV Store:
• How KV Store collections differ from CSV collections
• How to quickly deploy KV store collections
• How to take advantage of what they offer
• Quick look at an in-development SimpleXML-extended KV Store dashboard
32. EXPLANATORY CSV SLIDE
• CSV lookup queries look like this:
• index=foo sourcetype=alignment | lookup detectEvilLookup isEvil | where isEvil=1
• | inputlookup detectEvilLookup where characterClass="Fighter"
• | inputlookup detectEvilLookup where characterClass="Fighter" | outputlookup theworstLookup
33. EXPLANATORY C..ER..KV-STORE SLIDE
• On the other hand, KV Store lookups look like this:
• index=foo sourcetype=alignment | lookup detectEvilLookup isEvil | where isEvil=1
• | inputlookup detectEvilLookup where characterClass="Fighter"
• | inputlookup detectEvilLookup where characterClass="Fighter" | outputlookup theworstLookup append=f
34. EXPLANATION COMING, STAT
• No real difference in addressing them.
• CSV files reside on indexers, KV Store on search heads.
• CSV files can only be appended to or replaced wholesale; the KV Store can add, upsert and delete specific field entries.
• KV Store has REST endpoint access.
• KV Store can enforce data types.
37. EXAMPLE CASES & SITUATIONS
• Better performance with a larger or frequently updated record set
• Any record management system – inventory, control lists, etc
• Preserving application state
• Scratchdisk
• (Field acceleration!)
• Porting
42. EASILY CONFIGURED – SEE!
• What do you need?
• Two conf files: collections.conf and transforms.conf in a search head app – minimal sketch below
• You can do this in the GUI, but we are not teh n00blets
• el oh el
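• A bare-bones sketch, reusing the detectEvilLookup example from the earlier slides – the stanza names and field types are illustrative:

collections.conf:

[detectevil]
field.characterClass = string
field.isEvil = number

transforms.conf:

[detectEvilLookup]
external_type = kvstore
collection = detectevil
fields_list = _key, characterClass, isEvil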
48. EXPLANATORY CONTEXTUALISING
STATEMENT
• Replace an existing inventory and control management system
• Based on copied and pasted excel sheets
• Updated frequently – multiple times daily
• Potentially large updates
• Referenced by many apps for gatekeeping
51. EXTENDED COMMENTARY SECTION 3
• JavaScript LIVE SHOWING! I've run the JOKE into the GROUND!
• Gains over CSV – any?
52. EVENTUALLY (COMING SOON)
• Custom renderer
• Monitoring and troubleshooting tools
• Current client view of MC: "supping from the very bladder of Satan."
• A direct quote.*
* Not a direct quote
53. EMBARKING CAREFULLY=SUCCESS
• Some things to be aware of:
• Export and import is everything or nothing
• Use CSV to export and import individual collections. IRONY.
• Auto lookups
• Switch replicate to true in collections.conf stanza
• You’re on the indexers now though
• Filtering with where
• Declare _key
Welcome everyone. My name's Andrew and I work as an Associate Consultant at ECS. This is a sort of sequel to a presentation I did back in March where I talked about using tstats to find issues with your data. Today I'm going to be talking about the new metrics indexes introduced in Splunk 7.0 and how you can use them to capture human-produced data.
Bit more about me. I’ve been at ECS for 4 years, been an Associate Consultant for 2 of them. I’ve currently got Certified Admin, though haven’t got it marked off by Pearson yet.
I’ve used Splunk a lot in a security function so know a lot about searches and logic.
More importantly I’ve been a Type 1 diabetic since 2001, and more recently a diabetic cyborg. I’ll explain in a few slides time.
So if you want a purely Splunk talk and don’t care for context, go have a beer for the next five minutes.
What is diabetes? In a non-diabetic body, the pancreas produces the hormone insulin, which allows the body to regulate glucose between the blood stream and cells. A diabetic has complications with the pancreas and insulin. Type 1s, like myself, can't produce insulin in their bodies – this is widely believed to be autoimmune-related, though no-one knows the specific cause. It requires manual injections of insulin and continual glucose monitoring to determine the amount of insulin needed based on carbohydrate intake.
Type 2s are resistant to insulin – most people tend to get this from poor diet and being overweight, but it can affect anyone. It can go into remission, but normally Type 2s need to diet and can take pills/injections for regulation.
There's also gestational diabetes, which can occur during pregnancy, but this tends to go into remission once the pregnancy ends.
Recent research also suggests various sub-categories, but I've not seen a lot of news about this yet.
Just a disclaimer. Just as this is not a sales pitch for Splunk or services, it's not a sales pitch for treatments and products. There are pros and cons to the things I'm about to discuss.
And yes, I can eat sugar which is a common misconception. I shouldn’t but I can.
Always see your GP if you have health concerns.
Since my diagnosis, I had to use a blood glucose tester to extract a sample of blood to test my glucose levels. This produces a static snapshot of what my glucose was at the time of testing.
Normally this would be before main meals, and ad-hoc if needed. Insulin would be taken in response to the glucose result or food.
Between 4 and 10mmol/l glucose concentration is desired.
Since July, I’ve been lucky enough to be prescribed a Continuous Glucose Monitor. This is a sensor that has a little plastic tube protruding from it that enters the body to record glucose content in interstitial fluid just below the skin. It’s slightly slower than the blood test as the glucose has to travel to the interstitial fluid, which takes roughly five minutes.
The sensor takes a reading every minute and uses this to display trends of what your glucose is doing.
This sensor stores a rolling 8 hours worth of data which can be transferred to a monitoring device or phone via NFC.
Here’s some of the sensors from the other side. The only thing that goes in the body is that small plastic filament. These get replaced every 2 weeks due to warranty, but are stuck on with an adhesive that covers the entire sensor.
Now to just grab a reading.
So, to get back to Splunk. This sensor takes continuous metrics of glucose concentration. My sensor comes with a service that sends data up to the cloud for doctors to review.
I can export this data myself as a CSV file.
Metric data is machine data. Splunk likes machine data.
Splunk Metrics time.
Just read the slide details
You need four fields to make up a metric. A Unix timestamp.
A dotted namespace to represent your metric’s name
The numerical Value of your metric – strings will cause Splunk to skip indexing that record
And Dimensions, which can describe the metadata behind your value.
You also have your index and host that can be used to find data.
How do you get metrics in?
There are several ways, but I'll focus on collectd/HEC and metrics CSV.
collectd is an open-source (GPLv2) Unix daemon that collects, transfers and stores system information.
You can periodically collect system and application performance metrics with it.
Using the write_http module and a HEC token, you can send HTTP POST requests with metrics data from collectd straight into Splunk.
Over the last week, I set up another laptop in my flat to also run collectd and send HTTP requests over my local wifi using the same HEC token.
| mcatalog values(metric_name) WHERE metric_name=* AND index="macbook_metrics"
| mcatalog values(host) WHERE metric_name=* AND index="macbook_metrics" by metric_name
You can see that if you have an entire infrastructure forwarding collectd to a load balancer or your indexers, you can get metrics data in really quickly and easily.
What about the diabetic data? The data we receive from the cloud service is a bit messy. Timestamps are in string format, and the metrics are stored under specific column headers rather than having metric_names.
I got round this by looking at what the exported CSV produces and translating it into a metric_csv-formatted CSV. This expects just the timestamp, metric_name, _value and dimension fields to ingest.
This is written to a new file which is monitored, using the metric_csv sourcetype.
I'm doing this talk really because the KV Store was intensely familiar to me as a developer with experience in mobile and web app development, and I was surprised that very few of my colleagues were using it – and the environment where I'm currently based had no experience of it being deployed at all.
Blah…
And some gotchas from the experience.
Let's start by talking about CSV-based lookups. Pretty sure you use them to do lookups, automated or otherwise, and to maintain fairly static stuff.
Lookup – adding data to your existing events (here a cleric is using Splunk instead of that tired old detect evil spell)
Inputlookup – creating new events in an existing result set. Outputlookup – takes events and writes them to a store.
On the other hand, KV Store lookup queries look…like… hang on a minute. Oddly familiar.
CSVs live on the indexers. If they get large, depending on your setup, that's a lot of stuff zinging about the network.
You can only add stuff to it - append to it actually. If you want to make a modification, or a removal, or change the order - you need to grab what you need from the file, reconstruct it as you wish, and then write the WHOLE THING out again.
KV store- we can insert, update/change, and delete specific entries without rewriting everything. Because it’s classically key value paired - hence the name.
Familiar paradigm to anyone using a relational (or otherwise, I guess) datastore, in app development or anything else.
BTW you can replicate across indexers by setting replicate to true in the stanza in collections.conf, then run off the indexers. Haven't tried it, so can't report on that.
Collections are the containers for your data, similar to a database table. Collections exist within the context of a given app.
Records contain each entry of your data, similar to a row in a database table.
Fields correspond to key names, similar to the columns in a database table. Fields contain the values of your data as a JSON file. Although it is not required, you can enforce data types (number, boolean, time, and string) for field values.
_key is a reserved field that contains the unique ID for each record. If you don't explicitly specify the _key value, the app auto-generates one.
_user is a reserved field that contains the user ID for each record. This field cannot be overridden.
Accelerations improve search performance by making searches that contain accelerated fields return faster. Accelerations store a small portion of the collection's data set in an easy-to-traverse form.
Living on the search head, it's faster if the file is large and/or updated frequently. Self-explanatory, but something that's often updated – a traditional DB app.
Preserving state – either to resume a complex application when the user returns after exiting, or if you have an app managing another app, or you need to queue tasks in an app – a good way to do it. Pretty much a scratchdisk definition, actually.
Field acceleration can give extra speed/efficiency
Porting an app with a datastore over, or thinking of porting out. A familiar paradigm to get going or take away. Something that's been on my mind a lot as I find myself fighting more and more against the assumptions in dashboards, particularly their aesthetic assumptions – but perhaps more on that later.
This section I’ll cover actually getting the thing up and running.
System setup tasks – requirements in terms of hardware, ports used, etc.
Configuring a collection – how to set up bare-bones definitions for the store and lookups
Dashboards and logic – doing something practical with it. May be light on detail here and talk through or discuss a real world example depending on how many of you are left alive, conscious, and sane by the time we get to that point.
KV store is available and supported on all Splunk Enterprise 64-bit builds. It is not available on 32-bit Splunk Enterprise builds. KV store is also not available on universal forwarders
KV store uses port 8191 by default. You can change the port number in server.conf's [kvstore] stanza.
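For example, a sketch of that stanza in server.conf (8191 is the default):

[kvstore]
port = 8191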
The KV store files reside on search heads.
In a search head cluster, if any node receives a write, the KV store delegates the write to the KV store captain. The KV store keeps the reads local, however.
Also REST. I'm not going to talk about that much beyond an example of targeting a field directly, but you can use REST to manage collections – add, remove, delete, whatever – as well as records.
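For a flavour of the endpoint, assuming an app called myapp and the kvstorecoll collection from the docs – credentials and the record key are placeholders:

# list every record in the collection
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/myapp/storage/collections/data/kvstorecoll

# update a single record directly by its _key
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/myapp/storage/collections/data/kvstorecoll/<record_key> \
     -H 'Content-Type: application/json' -d '{"CustID": 500, "CustName": "Marge Simpson"}'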
Not too dissimilar to setting up a file-based lookup.
The order of accelerations is important. For example, an acceleration of { "a":1, "b":1 } speeds queries on "a" and "a" + "b", but not on "b" alone.
A combined acceleration speeds up queries better than multiple separate accelerations. For example, to speed up queries on "a" + "b", a combined acceleration { "a":1, "b":1 } is better than separate accelerations { "a":1 } and { "b": 1 }.
To delete an acceleration, remove the corresponding entry from the stanza and restart Splunk Enterprise.
Accelerated fields have a limitation of 1024 bytes per entry, so you cannot use fields that have more than 1024 bytes.
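In collections.conf terms, that combined acceleration is just this – the stanza and acceleration names are illustrative:

[kvstorecoll]
accelerated_fields.my_accel = {"a": 1, "b": 1}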
Every record has what amounts to a primary key, a unique value. This is _key. Set it explicitly yourself; if not, a unique value is autogenerated for you. _user is also reserved.
Declare it explicitly if you want to use it or make it visible – tip: do this
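A quick sketch of making it visible at search time, using the deck's example lookup (assuming _key is in its fields_list):

| inputlookup detectEvilLookup | eval key=_key | table key, characterClass, isEvil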
Just talk through what I did; why, the config setup, and what things look like.
A confluence of circumstances…
Need to replace some controls – list and inventory management from many sources into single app that many other apps could reference
Updated multiple times daily, up to 4k entries at a time. Copy and paste from an excel sheet (funny story: I implemented what was basically an editable excel sheet, then they told me they’d actually just meant one of the columns in it. Ho hum) into individual csvs which are then possibly copied somewhere else.
In an environment where replicating many CSV files was becoming problematic and reliable updates were rather less than that. A search head cluster. And no monitoring console. Or REST access.
Dashboard
Moan about UI stuff
Like documentation, tends to get downplayed in favour of functionality
BAH
MOAR BOOTSTRAP! MOAR (CAREFUL) JQUERY!
(more react! More angular!)
Show css
Not using search manager partly as exercise to familiarize myself with async control without threads
JavaScript: the last time I did it seriously was when marquee tags were pretty hot stuff
(Yes, I know, but limited to jscript, browser, and jquery version in environment)
Handling
REST version
No real delete because of the nature of the app. But it would look like this as a query – kind of a fake-out, much closer to the CSV approach – and this as a REST query.
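A sketch of both approaches – the collection, field and key names are illustrative:

# the query fake-out: rewrite the whole collection minus the targeted records, CSV-style
| inputlookup detectEvilLookup where NOT characterClass="Bard" | outputlookup detectEvilLookup append=f

# the REST version: removes just the one record
curl -k -u admin:changeme -X DELETE https://localhost:8089/servicesNS/nobody/myapp/storage/collections/data/detectevil/<record_key>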
Gains: I failed to take a screenshot in the environment, but getting a record count of the whole thing took just under 3s as opposed to 22s, so there's a bit of improvement.
Next - probably write a renderer where displays are inputs so can be changed like a spreadsheet. Or change type to input on a click. Haven’t decided.
Monitor with monitoring console to troubleshoot – not something I can talk about a lot since the places I’m working view using it as ”supping from the very bladder of Satan.” A direct quote.*
Gotchas
Duplicating from one environment to another? Export and import. Can do that as JSON, so I’m in the early stages of a command to do this automatically.
http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/BackupKVstore - backing up and restoring - but ALL OF IT - if app, maybe CSV
Access.conf - permission issues.
WHERE and where in queries
Append=t
KV Store can't do some types of query - check this
_key and _user
Making the _key visible
Auto lookups - In Splunk Enterprise, KV Store collections are not bundle-replicated to indexers by default, and lookups run locally on the search head rather than on remote peers. When you enable replication for a KV Store collection, you can run the lookups on your indexers, which lets you use automatic lookups with your KV Store collections.
To enable replication for a KV Store collection and allow lookups against that collection to be automatic:
Open collections.conf.
Set replicate to true in the stanza for the collection. This parameter is set to false by default.
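In conf terms, that's just the following in collections.conf – the collection name is illustrative:

[kvstorecoll]
replicate = true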
Example configuration of an automatic KV Store lookup
This configuration references the example KV Store lookup configuration in Configure KV Store lookups, in this manual. The KV Store lookup is defined in transforms.conf, in a stanza named employee_info.
[access_combined]
LOOKUP-http = employee_info CustID AS cust_ID OUTPUT CustName AS cust_name, CustCity AS cust_city
This configuration uses the employee_info lookup in transforms.conf to add fields to your events. Specifically it adds cust_name and cust_city fields to any access_combined event with a cust_ID value that matches a custID value in the kvstorecoll KV Store collection. It also uses the AS clause to:
Find matching fields in the KV Store collection.
Rename output fields when they are added to events.
(http://docs.splunk.com/Documentation/Splunk/7.2.1/Knowledge/Makeyourlookupautomatic#Enable_replication_for_a_KV_store_collection)