© 2018 SPLUNK INC.
Splunk User Group Edinburgh
Harry McLaren
● Managing Consultant at ECS Security
● Splunk Enablement Lead & Member of Splunk Trust
● Leader of the Splunk User Group Edinburgh
Introduction to ECS Security
Splunk Partner - UK
– Security Consultancy & Managed SOC Provider
– Splunk Revolution Award & Splunk Partner of the Year
Agenda
• Housekeeping: Event Overview & House Rules
• Metrics, mstats and Me (Andrew McManus)
• KV Store & Javascript (Mark Hunter)
• Splunk .conf18 Updates (Harry McLaren)
• Security
• IT Ops
• Others (Docker)
Splunk [Official] User Group
“The overall goal is to create an authentic, ongoing
user group experience for our users, where
they contribute and get involved”
● Technical Discussions
● Sharing Environment
● Build Trust
● No Sales!
HUMAN DATA TO SPLUNK
METRICS, | MSTATS AND ME
EDINBURGH SPLUNK USER GROUP – 22/11/2018
ANDREW MCMANUS – ASSOCIATE SECURITY CONSULTANT - ECS
ABOUT MYSELF
• Associate Security Consultant at ECS
• Prior - Senior/Security Operations Center Analyst at ECS
• (Non-Pearson) Credentials: Admin, Sales Rep I
• Know a lot about searches.
• Like to mess about with shiny new Splunk Additions
• Type 1 Diabetic – Since 2001.
• Part Cyborg
DIABETES 101? ISN’T THIS A SPLUNK TALK?
• Body uses Insulin to regulate glucose between blood stream and cells
• Type 1 – Something destroys the insulin-producing cells in the pancreas, causing a deficiency.
• No-one’s sure about exact cause – widely believed to be Auto-Immune related.
• Manual injections required. Manual glucose testing required.
• Type 2 – Resistance to Insulin, normally through diet or environmental aspects.
• Can go into remission with treatment/diet.
• Can use injections or pills to regulate glucose content.
DISCLAIMER
• I’m not intentionally advocating treatments or products.
• There are pros and cons to the products/treatments mentioned
• Price, usability, comfort, reaction times…
• Yes, I can eat sugar. Common misconception.
• I shouldn’t, but that’s on me. I crave dessert too much.
• Go to your GP if you have health concerns.
MEASUREMENT STEPS (UNTIL 23/07/2018)
• Glucose sample from blood, via a finger pricker.
• Glucose meter takes static snapshot of blood glucose concentration
• Sample taken before major meals, and ad-hoc if required
• Insulin taken as a response to glucose result, or recommended dosage
• Aiming for between 4mmol/l and 10mmol/l glucose concentration.
MEASUREMENT STEPS (SINCE 23/07/2018)
• Prescribed Abbott Libre FreeStyle sensor (other sensors available)
• Checks glucose content in interstitial fluid below skin, not blood
• Takes a reading every minute and calculates trend behaviour.
• Retains a rolling 8 hours worth of data on sensor
• Transfers readings to monitoring device, or phone, via NFC
A QUICK DEMONSTRATION
• Hope the Pizza and Beer don’t shame my glucose levels…
LESS MEDICAL, MORE METRICAL PLEASE!
• Sensor is continuously taking metric data of glucose concentration in body.
• Phone or meter can send this metrics data to a cloud service for doctors to see
• Cloud service provides an export of the metric data to a local machine.
• Metric data is Machine Data
• Splunk likes Machine Data – Splunk has special metrics gizmos baked in.
SPLUNK METRICS
• Meant for “collecting, investigating, monitoring, and sharing metrics from your technology
infrastructure, security systems, and business applications in real time”
• Fast statistical results and visualizations using common Splunk commands
• Can’t search for events in the traditional sense (i.e. security logs): a metrics index holds numeric measurements, not raw events.
• Claims: 20x faster than an equivalent accelerated log search (tstats) and 200x faster than searches over non-accelerated log/event data.
• What makes up a Metric?
SPLUNK METRICS
• Timestamp
• Timestamp of metric
• Metric Name
• dotted namespace i.e. server.www1.response.5xx
• Value
• Numerical data point
• Dimensions
• Metadata to describe data – i.e. AWS AZ, server name, technology name
• Can have multiple dimensions
GETTING METRICS IN
• Various methods.
• | mcollect, HEC, statsD, collectD, csv to metric, Insights for Infra App
COLLECTD
• https://collectd.org
• Periodically collects system and application performance metrics.
• Point collectd’s write_http module to HEC with collectd_http sourcetype
• Quick Demo – Computer Metrics
METRICS FROM LAPTOP
Hint: Don’t be like me. Use Splunk App for Infrastructure
(https://splunkbase.splunk.com/app/3975/)
Sets Collectd up for you.
DIABETIC DATA TO METRIC_CSV
• Data needed to be transformed to match metric_csv sourcetype
• Quick and dirty Python script to import the CSV, transform timestamps and collapse the data to the expected fields
• Write to new file and ingest this on a monitor input
• Danger – No “| delete” method for metrics – once it’s in, it’s in.
• Keep in mind if monitoring a file, or one-shotting data in.
QUICK CODE REVIEW
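The script itself was shown live. The Python below is an added example in the same spirit, not Andrew’s script: it collapses a wide CSV export into metric points (timestamp, metric_name, _value, dimensions, as on the SPLUNK METRICS slides) and emits them both as metric_csv rows for a monitor input and as HEC metric events. The export columns, the dimensions and the host/source values are assumptions; the sample rows are constructed, not a real sensor export; the metric names are the ones used in the mstats search later in the deck. Because there is no “| delete” for metric data, the converter refuses non-numeric values and drops exact duplicate points before anything is written.

```python
"""Wide CSV export -> Splunk metric points -> metric_csv rows and HEC metric events.

Added example, not the script shown in the talk.  The export layout below is a
constructed stand-in for a glucose sensor/meter export, not the vendor format."""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample export: one wide row per reading, blank cells where a
# column does not apply (no insulin dose at a plain sensor scan, for example).
# Row 3 repeats row 2, and row 4 carries a non-numeric glucose value.
SAMPLE_EXPORT = """\
timestamp,glucose_mmol_l,rapid_insulin_units,carbs_grams
2018-11-22 18:00,6.4,,
2018-11-22 18:15,7.1,4,60
2018-11-22 18:15,7.1,4,60
2018-11-22 18:30,n/a,,
2018-11-22 19:00,9.8,,
"""

# Wide column -> metric_name (dotted namespace, names taken from the mstats slide).
COLUMN_TO_METRIC = {
    "glucose_mmol_l": "personal.glucose.historic",
    "rapid_insulin_units": "personal.insulin.rapid.dose.units",
    "carbs_grams": "personal.carbohydrate.grams",
}
TS_FORMAT = "%Y-%m-%d %H:%M"  # assumption about the export's timestamp layout


def to_epoch(text):
    """Parse the export timestamp as UTC and return epoch seconds (int)."""
    dt = datetime.strptime(text.strip(), TS_FORMAT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def collapse_to_points(export_text, dimensions):
    """Collapse wide rows into metric points: metric_timestamp, metric_name, _value + dims.

    Rows that cannot become a numeric _value are skipped and exact duplicate
    points are dropped: there is no '| delete' for metrics, so anything bad or
    repeated that reaches the index stays there."""
    points, seen = [], set()
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            ts = to_epoch(row["timestamp"])
        except ValueError:
            continue  # unparseable timestamp: skip the whole row
        for column, metric_name in COLUMN_TO_METRIC.items():
            raw = (row.get(column) or "").strip()
            if not raw:
                continue  # empty cell: no reading for this metric on this row
            try:
                value = float(raw)
            except ValueError:
                continue  # non-numeric: a metric _value must be a number
            key = (ts, metric_name, value)
            if key in seen:
                continue  # exact duplicate of a point already emitted
            seen.add(key)
            points.append({"metric_timestamp": ts, "metric_name": metric_name,
                           "_value": value, **dimensions})
    return points


def to_metric_csv(points, dimensions):
    """Render points as metric_csv text: metric_timestamp, metric_name, _value, dims."""
    fieldnames = ["metric_timestamp", "metric_name", "_value", *dimensions]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(points)
    return out.getvalue()


def to_hec_events(points, dimensions, host="laptop", source="sensor-export"):
    """Render points as HEC metric events for POSTing to /services/collector.
    Each event is event="metric" with metric_name, _value and the dimensions in
    'fields'; HEC accepts several JSON objects concatenated in one body."""
    events = []
    for p in points:
        fields = {"metric_name": p["metric_name"], "_value": p["_value"]}
        fields.update({d: p[d] for d in dimensions})
        events.append({"time": p["metric_timestamp"], "event": "metric",
                       "host": host, "source": source, "fields": fields})
    return "\n".join(json.dumps(e) for e in events)


if __name__ == "__main__":
    dims = {"person": "andrew", "device": "sensor"}  # assumed dimensions
    pts = collapse_to_points(SAMPLE_EXPORT, dims)
    print(to_metric_csv(pts, dims))
    print(to_hec_events(pts, dims))
```

Write the metric_csv text to the monitored file with sourcetype=metric_csv, or POST the HEC body to a metrics-index HEC token; either way run the converter over a copy first and eyeball the point count, since the slide’s warning stands: once it’s in, it’s in.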
MCATALOG
• List metric names, hosts and dimensions
• Useful to see what metrics you have in Splunk
• | mcatalog values(_dims) values(host) by metric_name
MSTATS
• Run statistical commands on metric values.
| mstats avg(_value) as avg_glucose WHERE metric_name="personal.glucose.historic" AND index=diabetic_data span=1h
| append [| mstats sum(_value) as total_quick_insulin WHERE metric_name="personal.insulin.rapid.dose.units" AND index=diabetic_data span=1h]
| append [| mstats sum(_value) as total_carbs WHERE metric_name="personal.carbohydrate.grams" AND index=diabetic_data span=1h]
VIEWING METRICS – METRICS EXPLORER
• App on Splunkbase – will be added to core Splunk eventually.
NEW! FROM CONF 2018: METRICS WORKSPACE
• Download from SplunkBase:
• One-stop shop for metric discovery, dashboarding and alerting.
• No SPL required
FURTHER READING
• .conf2018:
• Getting logs and metrics into metricstore (https://conf.splunk.com/files/2018/recordings/getting-logs-and-metrics-fn1888.mp4)
• New Splunk Metrics Workspace Experience (https://conf.splunk.com/files/2018/recordings/exciting-to-be-announced-fn1508.mp4)
• .conf2017:
• Getting Metrics In: Splunking Metrics – The Right Way (https://conf.splunk.com/files/2017/slides/getting-metrics-data-in.pdf)
ANY QUESTIONS?
THE KVSTORE FOR
FUN AND PROFIT*
* Profit not guaranteed **
** Fun not guaranteed either
ELEGANT CAT, SITTING
• This is my cat.
• His name is Roran.
• He also answers to “Catface.”
• I call him this because his face bears a quite uncanny
resemblance to the bewhiskered visage of a cat.
• Also ”Roy Cattersley”, “Catweazel” and “The Floofmeister.”
• When my waffle becomes intolerable, think back to his
fluffy coat, his furry paws, his gentle smile. It’ll all be over in
no time.
• One way or another.
PART 1: CSV VS KV STORE. FIGHT!
EXTENDED CHAT SUMMARISED
• As the title hints, I’m going to talk about the KV Store :
• How KV Store collections differ from CSV collections
• How to quickly deploy KV store collections
• How to take advantages of what they offer
• Quick look at an in-development SimpleXML-extended KV Store dashboard
EXPLANATORY CSV SLIDE
• CSV lookup queries look like this:
• index=foo sourcetype=alignment | lookup detectEvilLookup isEvil | where isEvil=1
• | inputlookup detectEvilLookup where characterClass="Fighter"
• | inputlookup detectEvilLookup where characterClass="Fighter" | outputlookup theworstLookup
EXPLANATORY C..ER..KV-STORE SLIDE
• On the other hand, KV Store lookups look like this:
• index=foo sourcetype=alignment | lookup detectEvilLookup isEvil | where isEvil=1
• | inputlookup detectEvilLookup where characterClass="Fighter"
• | inputlookup detectEvilLookup where characterClass="Fighter" | outputlookup theworstLookup append=f
EXPLANATION COMING, STAT
• No real difference in addressing them from SPL.
• CSV lookup files are distributed to the indexers in the knowledge bundle; KV Store collections live on the search heads (unless replicated).
• A CSV lookup can only be appended to or replaced wholesale; KV Store can add, upsert and delete individual records.
• KV Store has REST endpoint access.
• KV Store can enforce data types on fields.
ENOUGH! COMPARE SYSTEMS
KV Store term      Relational equivalent
Collections        Tables
Records            Rows
Fields             Columns
_key               Primary Key
EXAMPLE CASES & SITUATIONS
• Better performance with a larger or frequently updated record set
• Any record management system – inventory, control lists, etc
• Preserving application state
• Scratchdisk
• (Field acceleration!)
• Porting
PART 2: SET-UP
AND IMPLEMENTATION
ELUCIDATE CLEAR STEPS
• System set-up tasks
• Configuring a collection
• Dashboards and logic
EGADS! CAT SHENANIGANS.
• I thought you might like to be reminded of Catface.
http://downloads.jordan2000.com/splunk
EASILY CONFIGURED – SEE!
• What do you need?
• Two conf files: collections.conf and transforms.conf in a search head app
• You can do this in the GUI, but we are not teh n00blets
• el oh el
EXAMPLE CONF SETUP (1)
EXAMPLE CONF SETUP (2)
EGREGIOUSLY CATASTROPHIC
SUGGESTION
• Let’s live dangerously and try jumping straight to an example.
PART 3: FROM THEORY TO
(BADLY IN NEED OF) PRACTICE
EXPECTED CONVERSATIONAL SLOG
• The problem
• The config
• The dashboard
• The javascript
EXPLANATORY CONTEXTUALISING
STATEMENT
• Replace an existing inventory and control management system
• Based on copied and pasted excel sheets
• Frequently updated daily
• Potentially large updates
• Referenced by many apps for gatekeeping
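The collection, dashboard and JavaScript were shown live. As an added example (not Mark’s code), the Python below drives the same kind of inventory collection through the KV Store REST endpoints that the comparison slide mentions: create the collection and declare typed fields (the REST twin of collections.conf), upsert a daily spreadsheet dump with batch_save, filter server-side, and delete single records, none of which a CSV lookup can do in place. The storage/collections endpoints are Splunk’s; the app name, collection name, field types, inventory columns, the sample rows and the localhost URL are assumptions for illustration. The spreadsheet column chosen as _key is what turns a re-import into an upsert instead of a pile of duplicates, and batch_save is chunked to the default limits.conf batch size.

```python
"""Manage a KV Store collection over Splunk's REST API rather than the GUI.

Added example, not the code shown in the talk.  The storage/collections
endpoints are Splunk's; app name, collection, field types, inventory columns
and the localhost URL are assumptions for illustration only."""
import csv
import io
import json
import urllib.parse
import urllib.request

MAX_BATCH = 1000  # limits.conf [kvstore] max_documents_per_batch_save default

# Constructed stand-in for the pasted spreadsheet the collection replaces.
SAMPLE_INVENTORY = """\
asset_id,hostname,status
srv-001,web01,active
srv-002,db01,retired
"""


def records_from_csv(text, key_column):
    """Turn a spreadsheet export into records, promoting key_column to _key.
    With _key declared, a daily re-import upserts the existing record instead of
    adding a second copy under an auto-generated key."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        record = dict(row)
        record["_key"] = record.pop(key_column)
        records.append(record)
    return records


class KVStore:
    """Thin client for /servicesNS/nobody/<app>/storage/collections/..."""

    def __init__(self, base_url, session_key, app, transport=None):
        self.base = base_url.rstrip("/")
        self.auth = {"Authorization": "Splunk " + session_key}
        self.app = app
        # transport(method, url, body, headers) -> response text; a fake can be
        # injected to check request shapes without a reachable splunkd.
        self.transport = transport or self._http

    @staticmethod
    def _http(method, url, body, headers):
        data = body.encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req) as resp:  # assumes a reachable splunkd
            return resp.read().decode()

    def _url(self, *parts, **query):
        path = "/".join(urllib.parse.quote(p, safe="") for p in parts)
        url = f"{self.base}/servicesNS/nobody/{self.app}/storage/collections/{path}"
        return url + ("?" + urllib.parse.urlencode(query) if query else "")

    def _call(self, method, url, body=None, form=False):
        # config endpoints take form data; data endpoints take JSON
        ctype = "application/x-www-form-urlencoded" if form else "application/json"
        return self.transport(method, url, body, {**self.auth, "Content-Type": ctype})

    def create_collection(self, name, fields):
        """Create the collection, then declare enforced field types; the REST twin
        of a collections.conf stanza with field.<name> = string|number|bool|time."""
        self._call("POST", self._url("config"), urllib.parse.urlencode({"name": name}), form=True)
        typed = {f"field.{k}": v for k, v in fields.items()}
        self._call("POST", self._url("config", name), urllib.parse.urlencode(typed), form=True)

    def batch_save(self, collection, records):
        """Upsert records in server-sized chunks; returns the number of requests.
        A record carrying _key replaces the existing record with that key."""
        chunks = [records[i:i + MAX_BATCH] for i in range(0, len(records), MAX_BATCH)]
        for chunk in chunks:
            self._call("POST", self._url("data", collection, "batch_save"), json.dumps(chunk))
        return len(chunks)

    def query(self, collection, **filter_fields):
        """Server-side filter, the REST twin of '| inputlookup ... where field=value'."""
        url = self._url("data", collection, query=json.dumps(filter_fields))
        return json.loads(self._call("GET", url))

    def delete(self, collection, key):
        """Remove one record by _key, something a CSV lookup cannot do in place."""
        self._call("DELETE", self._url("data", collection, key))


if __name__ == "__main__":
    kv = KVStore("https://localhost:8089", "<session key>", "inventory_app")
    kv.create_collection("inventory", {"hostname": "string", "status": "string"})
    kv.batch_save("inventory", records_from_csv(SAMPLE_INVENTORY, "asset_id"))
    print(kv.query("inventory", status="retired"))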
EXTENDED COMMENTARY SECTION 1
• Collection LIVE SHOWING. YOLO!
EXTENDED COMMENTARY SECTION 2
• Dashboard LIVE SHOWING! LIVE DANGEROUSLY!
EXTENDED COMMENTARY SECTION 3
• Javascript LIVE SHOWING! I’ve run the JOKE into the GROUND!
• Gains over CSV – any?
EVENTUALLY (COMING SOON)
• Custom renderer
• Monitoring and troubleshooting tools
• Current client view of MC: ”supping from the very bladder of Satan.”
• A direct quote.*
* Not a direct quote
EMBARKING CAREFULLY=SUCCESS
• Some things to be aware of:
• Export and import is everything or nothing
• Use CSV to export and import individual collection. IRONY.
• Auto lookups
• Switch replicate to true in collections.conf stanza
• You’re on the indexers now though
• Filtering with where
• Declare _key
THANKS, ALL. THALL.
• Feedback pls
Splunk .conf18
Updates
Harry McLaren
Introducing Splunk Enterprise Security 5.2
Generally Available: 16/10/18
Event Sequencing
Define Attacker Techniques via Multiple Matching Events
▶ The Event Sequencing Engine runs as a real-
time search and listens for incoming notable
events and risk modifiers that are triggered by
correlation searches.
▶ Transitions can also be configured to
aggregate notable events or risk modifiers that
may happen after a transition match is found.
Use Case Library
ES Content Updates integrated (library columns: Type, Function)
Investigation Workbench
Two New Artifact Types - File Name & URL
Introducing Splunk Phantom Version 4.0
Security Orchestration, Automation, & Response (SOAR) Platform
▶ Clustering support for added performance and redundancy
• Enables Phantom to scale horizontally using additional instances for added performance
and redundancy
▶ Indicator View for threat intelligence style analysis
• Provides a new and important way to visualize security data on the Phantom platform.
Data is presented in the view organized by indicator, versus event, for easier threat-
intelligence style analysis.
▶ Native Splunk search support
• Splunk is now the default search engine shipped with the Phantom product. Users are
able to use their existing or new external Splunk instances to achieve a single source for
security data storage.
Elasticsearch engine remains an external option for those that prefer it.
Introducing Splunk User Behaviour Analytics 4.2
Generally Available: 16/10/18
▶ User Feedback for machine learning
models provides anomaly customization and
improved threat detection accuracy
▶ Improved data ingestion performance by up to 10x with the new Splunk-to-Kafka UBA ingestion connector.
Kafka ingestion does not require UBA to run real-time indexed search queries on core Splunk; it uses micro-batched queries instead.
▶ Native single-sign-on authentication
support for multiple identity providers Okta,
Microsoft ADFS and Ping Identity
Introducing Splunk ITSI 4.0
Predictive Analytics for Real-Time Insights
▶ KPI Predictions
We’re excited to deliver deeper insights into a
potential health degradation with KPI
Predictions. These utilize the breadth of data in
the platform to help predict KPIs like customer
experience, application workload, and
infrastructure health, in order to identify issues
or outages in advance.
▶ Predictive Cause Analysis
This new feature helps you drill down into the
specific services underlying a predicted issue to
proactively remediate and resolve it before
customer experience is impacted.
Introducing Splunk SmartStore
Cut the Cord by Decoupling Compute and Storage
▶ Allows the compute and storage tiers to be scaled independently.
▶ Automatically evaluates users’ data access patterns to determine which data needs to be accessible for real-time analytics and which data should reside in lower-cost, long-term storage.
Introducing Dynamic Data: Active Archive
Data Retention Options in Splunk Cloud
▶ Data Management
• Splunk provides complete lifecycle management of the
archive on your behalf and remains the custodian of your
data. Just like your Active Searchable data, Splunk
manages all aspects of archive availability, durability,
security and privacy requirements on your behalf.
▶ Data Restore
• Enables you to request a slice of your data to be restored
back into your Splunk Cloud instance. The entire workflow
is fully integrated into Splunk Web so your archived data is
available at your fingertips with predictable time between
retrieval to search.
Other Features!
Selection of Interesting New Releases!
▶ Dark Mode heightens visual contrast within Splunk dashboards.
▶ Workload Management enables users to prioritize the allocation of compute and
memory resources used by Splunk on searches and alerts to ensure users’ most
critical analytics are completed first.
▶ Guided Data Onboarding is a new graphical user interface helping customers
move data into Splunk Cloud or Splunk Enterprise and guiding them through the
best onboarding methodology based on their specific architecture.
▶ Logs to Metrics helps configure and convert log events to metrics, enabling
users to take advantage of breakthrough performance when monitoring and
alerting on metrics with the Splunk platform.
▶ Health Report gives Splunk administrators immediate visibility into the overall
health status of their Splunk environments.
Introducing Splunk Next
Splunk Works the Way Your Data Works
▶ Feedback from Splunk Customers
• Make it easier to access data with Splunk no matter where it lives or what format it is in.
• Make it easier to automate the actions and outcomes in order to drive the business forward.
• Make it possible for all kinds of people to ask questions of Splunk and get to answers, no matter
their role or where they might be in the world.
▶ What Does Splunk Next Do For You?
• Ask Questions: Open customers to a broader set of data sources.
• Get Answers: Empower a broader set of customers from IT and Security to Lines of Business.
• Take Action: Operate on data wherever it lives.
Splunk Next
Experimental, Pre-release Features (Alpha/Beta)
▶ Splunk Developer Cloud: Write Splunk applications natively in the cloud.
▶ Splunk Business Flow: An analytics-driven view of customer/user interactions that identifies ways to optimise those interactions and processes.
▶ Splunk Data Fabric Search: Seamlessly search across massive amounts of data and federated
searches across multiple instances.
▶ Splunk Data Stream Processor: Refine, modify and adjust data mid-stream and within
milliseconds before the data reaches its destination.
▶ Splunk Cloud Gateway: Secure cloud service with end-to-end encryption for easy mobile
engagement through a simple to install Splunk app for Mobile.
▶ Splunk Mobile: Actionable alerts and mobile-friendly dashboards on mobile devices through our
Splunk Mobile App.
▶ Splunk Natural Language: Query a system and ask questions of Splunk without knowing SPL
▶ Splunk TV: View Splunk on any peripheral device instead of having to purchase a dedicated PC
▶ Splunk Augmented Reality: Enjoy direct access to the Splunk dashboard and live augmented
reality Splunk-powered gauges on top of real-world objects.
Splunk on Docker
Containers are now a First-Class Citizen
▶ Splunk Support now covers Splunk Enterprise 7.2 deployments in Docker
containers, enabling customers to quickly deploy and scale Splunk based on their
organizations’ demands.
Get Involved!
● Splunk User Group Edinburgh
– https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html
– https://www.linkedin.com/groups/12013212
● Splunk’s Slack Group
– Register via http://splunk-usergroups.signup.team/
– Channel: #edinburgh
● Present & Share at the User Group?
Connect:
‣ Harry McLaren | harry.mclaren@ecssecurity.co.uk | @cyberharibu | harrymclaren.co.uk
‣ ECS | enquiries@ecs.co.uk | @ECS_IT | ecs.co.uk

OWASP - Analyst, Engineer or Consultant?OWASP - Analyst, Engineer or Consultant?
OWASP - Analyst, Engineer or Consultant?Harry McLaren
 
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk DevelopmentTSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk DevelopmentHarry McLaren
 
Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?Harry McLaren
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)Harry McLaren
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)Harry McLaren
 
Cyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose StatementCyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose StatementHarry McLaren
 
Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements Harry McLaren
 
Securing the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the CentreSecuring the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the CentreHarry McLaren
 
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)Harry McLaren
 
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...Harry McLaren
 

Mais de Harry McLaren (20)

Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies Security Operations, MITRE ATT&CK, SOC Roles / Competencies
Security Operations, MITRE ATT&CK, SOC Roles / Competencies
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies
 
Becoming a Defender (Blue Teams FTW!)
Becoming a Defender (Blue Teams FTW!)Becoming a Defender (Blue Teams FTW!)
Becoming a Defender (Blue Teams FTW!)
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
 
SOC Fundamental Roles & Skills
SOC Fundamental Roles & SkillsSOC Fundamental Roles & Skills
SOC Fundamental Roles & Skills
 
Hunting Hard & Failing Fast (ScotSoft 2019)
Hunting Hard & Failing Fast (ScotSoft 2019)Hunting Hard & Failing Fast (ScotSoft 2019)
Hunting Hard & Failing Fast (ScotSoft 2019)
 
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
 
Lessons on Human Vulnerability within InfoSec/Cyber
Lessons on Human Vulnerability within InfoSec/CyberLessons on Human Vulnerability within InfoSec/Cyber
Lessons on Human Vulnerability within InfoSec/Cyber
 
Big Data For Threat Detection & Response
Big Data For Threat Detection & ResponseBig Data For Threat Detection & Response
Big Data For Threat Detection & Response
 
OWASP - Analyst, Engineer or Consultant?
OWASP - Analyst, Engineer or Consultant?OWASP - Analyst, Engineer or Consultant?
OWASP - Analyst, Engineer or Consultant?
 
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk DevelopmentTSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
TSTAS, the Life of a Splunk Trainer and using DevOps in Splunk Development
 
Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?Cyber Scotland Connect: What is Security Engineering?
Cyber Scotland Connect: What is Security Engineering?
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 2)
 
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
Cyber Scotland Connect: Getting into Cybersecurity (Deck 1)
 
Cyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose StatementCyber Scotland Connect: Welcome & Purpose Statement
Cyber Scotland Connect: Welcome & Purpose Statement
 
Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements Latest Updates to Splunk from .conf 2017 Announcements
Latest Updates to Splunk from .conf 2017 Announcements
 
Securing the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the CentreSecuring the Enterprise/Cloud with Splunk at the Centre
Securing the Enterprise/Cloud with Splunk at the Centre
 
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)Security Meetup Scotland - August 2017 (Deconstructing SIEM)
Security Meetup Scotland - August 2017 (Deconstructing SIEM)
 
Deconstructing SIEM
Deconstructing SIEMDeconstructing SIEM
Deconstructing SIEM
 
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
Supporting Splunk at Scale, Splunking at Home & Introduction to Enterprise Se...
 

Último

Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionfulawalesam
 
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...amitlee9823
 
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceBDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceDelhi Call girls
 
Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...
Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...
Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...amitlee9823
 
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...amitlee9823
 
Discover Why Less is More in B2B Research
Discover Why Less is More in B2B ResearchDiscover Why Less is More in B2B Research
Discover Why Less is More in B2B Researchmichael115558
 
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323  Cheap Rate Call Girls in Vashi with Real Photo 100% SecureCall me @ 9892124323  Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% SecurePooja Nehwal
 
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night StandCall Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfMarinCaroMartnezBerg
 
Probability Grade 10 Third Quarter Lessons
Probability Grade 10 Third Quarter LessonsProbability Grade 10 Third Quarter Lessons
Probability Grade 10 Third Quarter LessonsJoseMangaJr1
 
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...only4webmaster01
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxolyaivanovalion
 
Invezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz1
 
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night StandCall Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night StandCall Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...
➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men  🔝malwa🔝   Escorts Ser...➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men  🔝malwa🔝   Escorts Ser...
➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...amitlee9823
 
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Delhi Call girls
 

Último (20)

Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interaction
 
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
Call Girls Bannerghatta Road Just Call 👗 7737669865 👗 Top Class Call Girl Ser...
 
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceBDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
 
Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...
Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...
Mg Road Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Banga...
 
Sampling (random) method and Non random.ppt
Sampling (random) method and Non random.pptSampling (random) method and Non random.ppt
Sampling (random) method and Non random.ppt
 
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
 
Discover Why Less is More in B2B Research
Discover Why Less is More in B2B ResearchDiscover Why Less is More in B2B Research
Discover Why Less is More in B2B Research
 
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323  Cheap Rate Call Girls in Vashi with Real Photo 100% SecureCall me @ 9892124323  Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
 
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night StandCall Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdf
 
Probability Grade 10 Third Quarter Lessons
Probability Grade 10 Third Quarter LessonsProbability Grade 10 Third Quarter Lessons
Probability Grade 10 Third Quarter Lessons
 
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 9155563397 👗 Top Class Call Girl Service B...
 
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts ServiceCall Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
Call Girls In Shalimar Bagh ( Delhi) 9953330565 Escorts Service
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptx
 
Invezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signalsInvezz.com - Grow your wealth with trading signals
Invezz.com - Grow your wealth with trading signals
 
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get CytotecAbortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
 
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night StandCall Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
 
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night StandCall Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Hsr Layout ☎ 7737669865 🥵 Book Your One night Stand
 
➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...
➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men  🔝malwa🔝   Escorts Ser...➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men  🔝malwa🔝   Escorts Ser...
➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...
 
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
 

Using Metrics for Fun, Developing with the KV Store + Javascript & News from Conf 2018! (Security, ITOps & More!)

1. © 2018 SPLUNK INC. Splunk User Group Edinburgh

2. Harry McLaren
   ● Managing Consultant at ECS Security
   ● Splunk Enablement Lead & Member of Splunk Trust
   ● Leader of the Splunk User Group Edinburgh

3. Introduction to ECS Security
   Splunk Partner - UK
   – Security Consultancy & Managed SOC Provider
   – Splunk Revolution Award & Splunk Partner of the Year

4. Agenda
   • Housekeeping: Event Overview & House Rules
   • Metrics, mstats and Me (Andrew McManus)
   • KV Store & Javascript (Mark Hunter)
   • Splunk .conf18 Updates (Harry McLaren)
     • Security
     • IT Ops
     • Others (Docker)

5. Splunk [Official] User Group
   “The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved”
   ● Technical Discussions
   ● Sharing Environment
   ● Build Trust
   ● No Sales!

6. HUMAN DATA TO SPLUNK: METRICS, | MSTATS AND ME
   EDINBURGH SPLUNK USER GROUP – 22/11/2018
   ANDREW MCMANUS – ASSOCIATE SECURITY CONSULTANT - ECS

7. ABOUT MYSELF
   • Associate Security Consultant at ECS
   • Prior - Senior/Security Operations Center Analyst at ECS
   • (Non-Pearson) Credentials: Admin, Sales Rep I
   • Know a lot about searches.
   • Like to mess about with shiny new Splunk additions
   • Type 1 Diabetic – since 2001.
   • Part Cyborg

8. DIABETES 101? ISN’T THIS A SPLUNK TALK?
   • The body uses insulin to regulate glucose between the blood stream and cells.
   • Type 1 – something destroys the insulin-producing cells in the pancreas, causing a deficiency.
     • No-one’s sure of the exact cause – widely believed to be auto-immune related.
     • Manual injections required. Manual glucose testing required.
   • Type 2 – resistance to insulin, normally through diet or environmental factors.
     • Can go into remission with treatment/diet.
     • Can use injections or pills to regulate glucose levels.

9. DISCLAIMER
   • I’m not intentionally advocating treatments or products.
   • There are pros and cons to the products/treatments mentioned: price, usability, comfort, reaction times…
   • Yes, I can eat sugar. Common misconception.
     • I shouldn’t, but that’s on me. I crave dessert too much.
   • Go to your GP if you have health concerns.

10. MEASUREMENT STEPS (UNTIL 23/07/2018)
   • Glucose sample from blood, via a finger pricker.
   • Glucose meter takes a static snapshot of blood glucose concentration.
   • Sample taken before major meals, and ad hoc if required.
   • Insulin taken in response to the glucose result, or at the recommended dosage.
   • Aiming for between 4mmol/l and 10mmol/l glucose concentration.

11. MEASUREMENT STEPS (SINCE 23/07/2018)
   • Prescribed Abbott Libre FreeStyle sensor (other sensors available).
   • Checks glucose content in the interstitial fluid below the skin, not blood.
   • Takes a reading every minute and calculates trending behaviour.
   • Retains a rolling 8 hours’ worth of data on the sensor.
   • Transfers readings to a monitoring device, or phone, via NFC.

13. A QUICK DEMONSTRATION
   • Hope the pizza and beer don’t shame my glucose levels…

14. LESS MEDICAL, MORE METRICAL PLEASE!
   • The sensor is continuously taking metric data of glucose concentration in the body.
   • Phone or meter can send this metric data to a cloud service for doctors to see.
   • The cloud service provides an export of the metric data to a local machine.
   • Metric data is machine data.
   • Splunk likes machine data – Splunk has special metrics gizmos baked in.

15. SPLUNK METRICS
   • Meant for “collecting, investigating, monitoring, and sharing metrics from your technology infrastructure, security systems, and business applications in real time”
   • Fast statistical results and visualizations using common Splunk commands.
   • Can’t search for events in the traditional sense (i.e. security logs).
   • Claims: 20x faster than equivalent accelerated log (tstats) searches and 200x faster than non-accelerated log/event data searches.
   • What makes up a metric?

16. SPLUNK METRICS
   • Timestamp – timestamp of the metric
   • Metric name – dotted namespace, e.g. server.www1.response.5xx
   • Value – numerical data point
   • Dimensions – metadata to describe the data, e.g. AWS AZ, server name, technology name
     • Can have multiple dimensions

17. GETTING METRICS IN
   • Various methods:
   • | mcollect, HEC, statsD, collectD, csv to metric, Insights for Infra App

18. COLLECTD
   • https://collectd.org
   • Periodically collects system and application performance metrics.
   • Point collectd’s write_http module to HEC with the collectd_http sourcetype.
   • Quick Demo – Computer Metrics

19. METRICS FROM LAPTOP
   Hint: Don’t be like me. Use the Splunk App for Infrastructure (https://splunkbase.splunk.com/app/3975/); it sets collectd up for you.

20. DIABETIC DATA TO METRIC_CSV
   • Data needed to be transformed to match the metric_csv sourcetype.
   • Quick, dirty Python script to import the CSV, transform timestamps and collapse data to the expected fields.
   • Write to a new file and ingest this on a monitor input.
   • Danger – no “| delete” method for metrics: once it’s in, it’s in.
     • Keep in mind if monitoring a file, or one-shotting data in.
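The kind of script the slide describes (import the export CSV, convert timestamps, collapse wide rows into metric_csv rows), written here as an added Python example; it is not the speaker's script. The sample export, its column names and the dimension values are constructed for this example and are not the real sensor export layout; the three metric names are the ones the mstats search later in the deck uses. Because metrics cannot be deleted once indexed, every row is checked before it is written and bad rows are reported rather than ingested.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample resembling a sensor export. The column layout is an
# assumption for this example, not the vendor's real schema: one row per
# reading, carrying a glucose, insulin or carbohydrate value depending on row type.
SAMPLE_EXPORT = """\
timestamp,record_type,historic_glucose_mmol,rapid_insulin_units,carbs_grams
22/11/2018 18:00,0,6.4,,
22/11/2018 18:15,0,7.1,,
22/11/2018 18:20,4,,6,
22/11/2018 18:20,5,,,60
22/11/2018 18:30,0,n/a,,
not a date,0,5.5,,
"""

# Export column -> Splunk metric name (the names used in the deck's mstats search).
METRIC_COLUMNS = {
    "historic_glucose_mmol": "personal.glucose.historic",
    "rapid_insulin_units": "personal.insulin.rapid.dose.units",
    "carbs_grams": "personal.carbohydrate.grams",
}

# Dimensions attached to every metric row (constructed values).
DIMENSIONS = {"host": "libre-export", "source_device": "freestyle-libre"}

# Columns the metric_csv sourcetype requires; dimensions follow as extra columns.
REQUIRED = ["metric_timestamp", "metric_name", "_value"]


def parse_timestamp(text, fmt="%d/%m/%Y %H:%M"):
    """Convert the export's time string to epoch seconds (UTC assumed for the example)."""
    return int(datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp())


def to_metric_rows(export_text, dimensions=DIMENSIONS):
    """Collapse wide export rows into one metric_csv row per (timestamp, metric).

    Returns (rows, rejected). Rejected rows are reported instead of written,
    because there is no '| delete' for metrics: a bad row, once indexed, stays.
    """
    rows, rejected = [], []
    reader = csv.DictReader(io.StringIO(export_text))
    for line_no, rec in enumerate(reader, start=2):  # line 1 is the header
        try:
            ts = parse_timestamp(rec["timestamp"])
        except (KeyError, ValueError) as exc:
            rejected.append((line_no, f"bad timestamp: {exc}"))
            continue
        for column, metric_name in METRIC_COLUMNS.items():
            raw = (rec.get(column) or "").strip()
            if not raw:
                continue  # this row carries a different metric
            try:
                value = float(raw)
            except ValueError:
                rejected.append((line_no, f"non-numeric {column}: {raw!r}"))
                continue
            rows.append({"metric_timestamp": ts, "metric_name": metric_name,
                         "_value": value, **dimensions})
    return rows, rejected


def render_metric_csv(rows, dimensions=DIMENSIONS):
    """Serialise rows in the column order metric_csv expects: required fields, then dimensions."""
    fieldnames = REQUIRED + sorted(dimensions)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows, rejected = to_metric_rows(SAMPLE_EXPORT)
    with open("glucose_metrics.csv", "w", newline="") as fh:
        fh.write(render_metric_csv(rows))
    for line_no, reason in rejected:
        print(f"skipped export line {line_no}: {reason}")
    if rejected:
        raise SystemExit(1)  # non-zero so a scheduled run is noticed before the monitor input picks it up
```

Point a monitor input at the written file with sourcetype metric_csv; the exit status is non-zero whenever anything was skipped, so a wrapper can hold the file back for a look rather than let the monitor ingest a partial set silently.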
22. MCATALOG
   • List metric names, hosts and dimensions.
   • Useful to see what metrics you have in Splunk.
   • | mcatalog values(_dims) values(host) by metric_name

23. MSTATS
   • Run statistical commands on metric values.
     | mstats avg(_value) as "avg_glucose" WHERE metric_name="personal.glucose.historic" AND index=diabetic_data span=1h
     | append [| mstats sum(_value) as total_quick_insulin WHERE metric_name="personal.insulin.rapid.dose.units" AND index=diabetic_data span=1h]
     | append [| mstats sum(_value) as total_carbs WHERE metric_name="personal.carbohydrate.grams" AND index=diabetic_data span=1h]

24. VIEWING METRICS – METRICS EXPLORER
   • App on Splunkbase – will be added to core Splunk eventually.

25. NEW! FROM CONF 2018: METRICS WORKSPACE
   • Download from SplunkBase
   • One stop shop for metric discovery, dashboarding and alerting.
   • No SPL required

26. FURTHER READING
   • .conf2018:
     • Getting logs and metrics into metricstore (https://conf.splunk.com/files/2018/recordings/getting-logs-and-metrics-fn1888.mp4)
     • New Splunk Metrics Workspace Experience (https://conf.splunk.com/files/2018/recordings/exciting-to-be-announced-fn1508.mp4)
   • .conf2017:
     • Getting Metrics In: Splunking Metrics – The Right Way (https://conf.splunk.com/files/2017/slides/getting-metrics-data-in.pdf)

28. THE KVSTORE FOR FUN AND PROFIT*
   * Profit not guaranteed**
   ** Fun not guaranteed either

29. ELEGANT CAT, SITTING
   • This is my cat.
   • His name is Roran.
   • He also answers to “Catface.”
     • I call him this because his face bears a quite uncanny resemblance to the bewhiskered visage of a cat.
     • Also “Roy Cattersley”, “Catweazel” and “The Floofmeister.”
   • When my waffle becomes intolerable, think back to his fluffy coat, his furry paws, his gentle smile. It’ll all be over in no time.
     • One way or another.

30. PART 1: CSV VS KV STORE. FIGHT!

31. EXTENDED CHAT SUMMARISED
   • As the title hints, I’m going to talk about the KV Store:
     • How KV Store collections differ from CSV collections
     • How to quickly deploy KV Store collections
     • How to take advantage of what they offer
     • Quick look at an in-development SimpleXML-extended KV Store dashboard

32. EXPLANATORY CSV SLIDE
   • CSV lookup queries look like this:
     • index=foo sourcetype=alignment | lookup detectEvilLookup isEvil | where isEvil=1
     • | inputlookup detectEvilLookup where characterClass="Fighter"
     • | inputlookup detectEvilLookup where characterClass="Fighter" | outputlookup theworstLookup

33. EXPLANATORY C..ER..KV-STORE SLIDE
   • On the other hand, KV Store lookups look like this:
     • index=foo sourcetype=alignment | lookup detectEvilLookup isEvil | where isEvil=1
     • | inputlookup detectEvilLookup where characterClass="Fighter"
     • | inputlookup detectEvilLookup where characterClass="Fighter" | outputlookup theworstLookup append=f

34. EXPLANATION COMING, STAT
   • No real difference in addressing them.
   • CSV files reside on indexers, KV Store on search heads.
   • CSV files can only be appended to or replaced as a whole file; KV Store can add, upsert and delete specific field entries.
   • KV Store has REST endpoint access.
   • KV Store can enforce data types.

37. EXAMPLE CASES & SITUATIONS
   • Better performance with a larger or frequently updated record set
   • Any record management system – inventory, control lists, etc.
   • Preserving application state
   • Scratch disk
   • (Field acceleration!)
   • Porting

38. PART 2: SET-UP AND IMPLEMENTATION

39. ELUCIDATE CLEAR STEPS
   • System set-up tasks
   • Configuring a collection
   • Dashboards and logic

40. EGADS! CAT SHENANIGANS.
   • I thought you might like to be reminded of Catface.

42. EASILY CONFIGURED – SEE!
   • What do you need?
   • Two conf files: collections.conf and transforms.conf in a search head app
   • You can do this in the GUI, but we are not teh n00blets
     • el oh el

45. EGREGIOUSLY CATASTROPHIC SUGGESTION
   • Let’s live dangerously and try jumping straight to an example.

46. PART 3: FROM THEORY TO (BADLY IN NEED OF) PRACTICE

47. EXPECTED CONVERSATIONAL SLOG
   • The problem
   • The config
   • The dashboard
   • The javascript

48. EXPLANATORY CONTEXTUALISING STATEMENT
   • Replace an existing inventory and control management system
     • Based on copied and pasted Excel sheets
     • Frequently updated daily
     • Potentially large updates
     • Referenced by many apps for gatekeeping

49. EXTENDED COMMENTARY SECTION 1
   • Collection LIVE SHOWING. YOLO!

50. EXTENDED COMMENTARY SECTION 2
   • Dashboard LIVE SHOWING! LIVE DANGEROUSLY!

51. EXTENDED COMMENTARY SECTION 3
   • Javascript LIVE SHOWING! I’ve run the JOKE into the GROUND!
   • Gains over CSV – any?

52. EVENTUALLY (COMING SOON)
   • Custom renderer
   • Monitoring and troubleshooting tools
     • Current client view of MC: “supping from the very bladder of Satan.”
     • A direct quote.*
   * Not a direct quote

53. EMBARKING CAREFULLY=SUCCESS
   • Some things to be aware of:
     • Export and import is everything or nothing
       • Use CSV to export and import individual collections. IRONY.
     • Auto lookups
       • Switch replicate to true in the collections.conf stanza
       • You’re on the indexers now though
     • Filtering with where
     • Declare _key
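An added Python example, not the speaker's code, covering the set-up the KV Store slides describe (collections.conf plus transforms.conf in a search head app, type enforcement, the REST endpoint) and the last slide's advice to declare _key: records are checked against the field types the stanza declares before they are sent, and _key is set from the inventory's natural key so re-loading the same spreadsheet upserts rows instead of duplicating them. The app name, collection name, field names and sample records are constructed for the example; storage/collections/data/<collection>/batch_save is the KV Store REST batch-save endpoint, and push_batch is shown for completeness but is not exercised offline.

```python
import json
import ssl
import urllib.request

# collections.conf stanza this example assumes (constructed: app, collection and fields are placeholders).
# enforceTypes makes the KV Store reject values that do not match the declared field types.
COLLECTIONS_CONF = """\
[asset_inventory]
enforceTypes = true
replicate = false
field.hostname = string
field.owner = string
field.critical = bool
field.last_seen = time
field.rack = number
"""

# Matching transforms.conf stanza so '| lookup asset_inventory_lookup' and '| inputlookup' work (constructed).
TRANSFORMS_CONF = """\
[asset_inventory_lookup]
external_type = kvstore
collection = asset_inventory
fields_list = _key, hostname, owner, critical, last_seen, rack
"""


def parse_field_types(stanza_text):
    """Pull the 'field.<name> = <type>' declarations out of a collections.conf stanza."""
    types = {}
    for line in stanza_text.splitlines():
        if "=" not in line or not line.strip().startswith("field."):
            continue
        key, _, value = line.partition("=")
        types[key.strip()[len("field."):]] = value.strip()
    return types


# Client-side equivalent of the server's type check. 'time' is epoch seconds, so numeric.
_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "bool": lambda v: isinstance(v, bool),
    "time": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
}


def validate_record(record, types):
    """Return a list of type problems; empty when the record matches the declarations."""
    problems = []
    for field, declared in types.items():
        if field not in record:
            continue  # the KV Store does not require every declared field to be present
        if not _CHECKS[declared](record[field]):
            problems.append(f"{field}: expected {declared}, got {type(record[field]).__name__}")
    return problems


def build_batch(records, key_field, types):
    """Validate each record and set _key from key_field so a re-push upserts rather than duplicates."""
    batch, rejected = [], []
    for rec in records:
        problems = validate_record(rec, types)
        if problems:
            rejected.append((rec.get(key_field), problems))
            continue
        batch.append({"_key": str(rec[key_field]), **rec})
    return batch, rejected


def batch_save_url(base_url, app, collection):
    """REST endpoint that saves a JSON array of records in one call."""
    return f"{base_url}/servicesNS/nobody/{app}/storage/collections/data/{collection}/batch_save"


def push_batch(batch, base_url, app, collection, session_key, verify_tls=True):
    """POST the batch to the search head's management port (not exercised offline)."""
    req = urllib.request.Request(
        batch_save_url(base_url, app, collection),
        data=json.dumps(batch).encode(),
        headers={"Authorization": f"Splunk {session_key}", "Content-Type": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab search head still on its self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)  # the _key values that were saved


# Constructed inventory rows, as they might arrive from a pasted spreadsheet.
SAMPLE_RECORDS = [
    {"hostname": "web01", "owner": "platform", "critical": True, "last_seen": 1542909600, "rack": 12},
    {"hostname": "db01", "owner": "data", "critical": "yes", "last_seen": "22/11/2018", "rack": 3},
]

if __name__ == "__main__":
    types = parse_field_types(COLLECTIONS_CONF)
    batch, rejected = build_batch(SAMPLE_RECORDS, "hostname", types)
    for key, problems in rejected:
        print(f"rejected {key}: {'; '.join(problems)}")
    print(json.dumps(batch, indent=2))
    # push_batch(batch, "https://search-head.example:8089", "my_app", "asset_inventory", "<session key>")
```

Checking types before the call matters because batch_save is all-or-nothing from the caller's point of view: one badly typed row from a pasted spreadsheet fails the whole request with a terse server error, whereas the local check names the row and the field. Setting replicate to true, as the slide notes, ships the collection to the indexers for automatic lookups, so keep the collection small and free of anything the indexer tier should not hold.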
54. THANKS, ALL. THALL.
   • Feedback pls

55. Splunk .conf18 Updates
   Harry McLaren

56. Introducing Splunk Enterprise Security 5.2
   Generally Available: 16/10/18

57. Event Sequencing – Define Attacker Techniques via Multiple Matching Events
   ▶ The Event Sequencing Engine runs as a real-time search and listens for incoming notable events and risk modifiers that are triggered by correlation searches.
   ▶ Transitions can also be configured to aggregate notable events or risk modifiers that may happen after a transition match is found.

58. Event Sequencing – Define Attacker Techniques via Multiple Matching Events

59. Use Case Library – ES Content Updates (Type / Function / Integrated)

60. Investigation Workbench – Two New Artifact Types: File Name & URL

61. Introducing Splunk Phantom Version 4.0 – Security Orchestration, Automation & Response (SOAR) Platform
   ▶ Clustering support for added performance and redundancy
     • Enables Phantom to scale horizontally using additional instances for added performance and redundancy
   ▶ Indicator View for threat intelligence style analysis
     • Provides a new and important way to visualize security data on the Phantom platform. Data is presented in the view organized by indicator, versus event, for easier threat-intelligence style analysis.
   ▶ Native Splunk search support
     • Splunk is now the default search engine shipped with the Phantom product. Users are able to use their existing or new external Splunk instances to achieve a single source for security data storage. The Elasticsearch engine remains an external option for those that prefer it.

62. Introducing Splunk User Behaviour Analytics 4.2
   Generally Available: 16/10/18
   ▶ User feedback for machine learning models provides anomaly customization and improved threat detection accuracy
   ▶ Improved data ingestion performance by up to 10x, with the new Splunk-to-Kafka UBA ingestion connector. Kafka ingestion does not require UBA to run real-time indexed search queries on core Splunk; it uses micro-batched queries instead.
   ▶ Native single-sign-on authentication support for multiple identity providers: Okta, Microsoft ADFS and Ping Identity

63. Introducing Splunk ITSI 4.0 – Predictive Analytics for Real-Time Insights
   ▶ KPI Predictions – We’re excited to deliver deeper insights into a potential health degradation with KPI Predictions. These utilize the breadth of data in the platform to help predict KPIs like customer experience, application workload and infrastructure health, in order to identify issues or outages in advance.
   ▶ Predictive Cause Analysis – This new feature helps you drill down into the specific services underlying a predicted issue to proactively remediate and resolve it before customer experience is impacted.

64. Introducing Splunk SmartStore – Cut the Cord by Decoupling Compute and Storage
   ▶ Allows compute and storage tiers to be scaled independently.
   ▶ Automatically evaluates users’ data access patterns to determine which data needs to be accessible for real-time analytics and which data should reside in lower-cost, long-term storage.

65. Introducing Dynamic Data: Active Archive – Data Retention Options in Splunk Cloud
   ▶ Data Management
     • Splunk provides complete lifecycle management of the archive on your behalf and remains the custodian of your data. Just like your active searchable data, Splunk manages all aspects of archive availability, durability, security and privacy requirements on your behalf.
   ▶ Data Restore
     • Enables you to request a slice of your data to be restored back into your Splunk Cloud instance. The entire workflow is fully integrated into Splunk Web, so your archived data is available at your fingertips with predictable time between retrieval and search.

66. Other Features! – Selection of Interesting New Releases!
   ▶ Dark Mode heightens visual contrast within Splunk dashboards.
   ▶ Workload Management enables users to prioritize the allocation of compute and memory resources used by Splunk on searches and alerts, to ensure users’ most critical analytics are completed first.
   ▶ Guided Data Onboarding is a new graphical user interface helping customers move data into Splunk Cloud or Splunk Enterprise and guiding them through the best onboarding methodology based on their specific architecture.
   ▶ Logs to Metrics helps configure and convert log events to metrics, enabling users to take advantage of breakthrough performance when monitoring and alerting on metrics with the Splunk platform.
   ▶ Health Report gives Splunk administrators immediate visibility into the overall health status of their Splunk environments.

67. Introducing Splunk Next – Splunk Works the Way Your Data Works
   ▶ Feedback from Splunk Customers
     • Make it easier to access data with Splunk no matter where it lives or what format it is in.
     • Make it easier to automate the actions and outcomes in order to drive the business forward.
     • Make it possible for all kinds of people to ask questions of Splunk and get to answers, no matter their role or where they might be in the world.
   ▶ What Does Splunk Next Do For You?
     • Ask Questions: Open customers to a broader set of data sources.
     • Get Answers: Empower a broader set of customers from IT and Security to Lines of Business.
     • Take Action: Operate on data wherever it lives.
  • 68. © 2018 SPLUNK INC. Splunk Next Experimental, Pre-release Features (Alpha/Beta) ▶ Splunk Developer Cloud: Write Splunk applications natively in the cloud. ▶ Splunk Business Flow: Analytics-driven approach into customer/user’s interactions and identify ways to optimize those interactions and processes. ▶ Splunk Data Fabric Search: Seamlessly search across massive amounts of data and federated searches across multiple instances. ▶ Splunk Data Stream Processor: Refine, modify and adjust data mid-stream and within milliseconds before the data reaches its destination. ▶ Splunk Cloud Gateway: Secure cloud service with end-to-end encryption for easy mobile engagement through a simple to install Splunk app for Mobile. ▶ Splunk Mobile: Actionable alerts and mobile-friendly dashboards on mobile devices through our Splunk Mobile App. ▶ Splunk Natural Language: Query a system and ask question of Splunk without knowing SPL ▶ Splunk TV: View Splunk on any peripheral device instead of having to purchase a dedicated PC ▶ Splunk Augmented Reality: Enjoy direct access to the Splunk dashboard and live augmented reality Splunk-powered gauges on top of real-world objects.
  • 69. © 2018 SPLUNK INC. Splunk on Docker Containers are now a First-Class Citizen ▶ Splunk Support now covers Splunk Enterprise 7.2 deployments in Docker containers, enabling customers to quickly deploy and scale Splunk based on their organizations’ demands.
  • 70. © 2018 SPLUNK INC. Get Involved! ● Splunk User Group Edinburgh – https://usergroups.splunk.com/group/splunk-user-group-edinburgh.html – https://www.linkedin.com/groups/12013212 ● Splunk’s Slack Group – Register via http://splunk-usergroups.signup.team/ – Channel: #edinburgh ● Present & Share at the User Group? Connect: ‣ Harry McLaren | harry.mclaren@ecssecurity.co.uk | @cyberharibu | harrymclaren.co.uk ‣ ECS | enquiries@ecs.co.uk | @ECS_IT | ecs.co.uk

Editor’s Notes

  1. Welcome everyone. My name’s Andrew and I work as an Associate Consultant at ECS. This is a sort of sequel to a presentation I did back in March where I talked about using tstats to find issues with your data. Today I’m going to be talking about the new Metrics indexes that were introduced in Splunk 7.0 and how you could use them to capture human-produced data.
  2. Bit more about me. I’ve been at ECS for 4 years, been an Associate Consultant for 2 of them. I’ve currently got Certified Admin, though haven’t got it marked off by Pearson yet. I’ve used Splunk a lot in a security function so know a lot about searches and logic. More importantly I’ve been a Type 1 diabetic since 2001, and more recently a diabetic cyborg. I’ll explain in a few slides time.
  3. So if you want a purely Splunk talk and don’t care for context, go have a beer for the next five minutes. What is Diabetes? In a non-diabetic body, the Pancreas produces the hormone Insulin to allow the body to regulate glucose between the blood stream and cells. A diabetic has complications with the Pancreas and Insulin. Type 1s, like myself, can’t produce Insulin in their bodies – this is widely believed to be auto-immune related, though no-one knows the specific cause. This requires manual injections of insulin and continual glucose monitoring to determine the amount of insulin based on carbohydrate intake. Type 2s are resistant to insulin – most people tend to get this from poor diet and being overweight, but this could affect anyone. This could go into remission, but normally Type 2s need to diet and can take pills/injections for regulation. There’s Gestational, which could occur during pregnancy, but this tends to go into remission once the pregnancy ends. Recent research also states various sub-categories, but I’ve not seen a lot of news about this yet.
  4. Just a disclaimer. Just as this is not a sales pitch for Splunk or services, this is not a sales pitch for treatments and products. There’s pros and cons to the things I’m about to discuss. And yes, I can eat sugar which is a common misconception. I shouldn’t but I can. Always see your GP if you have health concerns.
  5. Since my diagnosis, I had to use a Blood Glucose tester to extract a sample of blood to test my glucose levels. This would produce a static image of what my glucose was at time of testing. Normally this would be before main meals and ad-hoc if needed. Insulin would be taken as response to glucose or food. Between 4 and 10mmol/l glucose concentration is desired.
  6. Since July, I’ve been lucky enough to be prescribed a Continuous Glucose Monitor. This is a sensor that has a little plastic tube protruding from it that enters the body to record glucose content in interstitial fluid just below the skin. It’s slightly slower than the blood test as the glucose has to travel to the interstitial fluid, which takes roughly five minutes. The sensor takes a reading every minute and uses this to display trends of what your glucose is doing. This sensor stores a rolling 8 hours worth of data which can be transferred to a monitoring device or phone via NFC.
  7. Here’s some of the sensors from the other side. The only thing that goes in the body is that small plastic filament. These get replaced every 2 weeks due to warranty, but are stuck on with an adhesive that covers the entire sensor.
  8. Now to just grab a reading.
  9. So, to get back to Splunk. This sensor takes continuous metrics of glucose concentration. My sensor provides a service to send data up to a cloud service for doctors to review. I can export this data myself as a CSV file. Metrics is Machine Data. Splunk likes Machine Data.
  10. Splunk Metrics time. Just read the slide details
  11. You need four fields to make up a metric:
  – A Unix Timestamp
  – A dotted namespace to represent your metric’s name
  – The numerical Value of your metric – strings will cause Splunk to skip indexing that record
  – And Dimensions, which can describe the metadata behind your value.
  You also have your index and host that can be used to find data.
  12. How do you get metrics in? There’s several ways, but I will focus on CollectD/HEC and Metrics CSV
  13. CollectD is an Open Source (GPLv2) Unix Daemon that collects, transfers and stores system information. You can periodically collect system and application performance metrics with it. Using the write_http module and a HEC token, you can send HTTP POST requests with metrics data from collectd straight into Splunk. Over the last week, I set up another laptop in my flat to also run collectd and write http requests over my local wifi using the same HEC token.
  14. | mcatalog values(metric_name) WHERE metric_name=* AND "index"="macbook_metrics"
  | mcatalog values(host) WHERE metric_name=* AND "index"="macbook_metrics" by metric_name
  You can see that if you have an entire infrastructure forwarding collectd to a load balancer or your indexers, you can get metrics data in really quickly and really easily.
  15. What about Diabetic Data? The data we receive from the cloud service is a bit messy. Timestamps are in string format, and the metrics are stored under specific headers rather than having metric_names. I got round this by looking at what the exported csv produces and translating this into a metric_csv formatted csv. This expects just the timestamps, metric_names, _value and dim fields to ingest. This is written to a new file which is monitored, using the metric_csv sourcetype.
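  The reshaping described in notes 11 and 15 (string timestamps and per-metric column headers turned into metric_timestamp, metric_name, _value and dimension columns), plus the per-metric HEC JSON that the write_http route in note 13 ends up sending, as an added Python example. This is not the presenter’s script: the export layout, device name and dotted metric names are constructed, the export timestamps are assumed to be UTC, and the metric_csv column names and the single-metric HEC event shape follow the Splunk documentation for that sourcetype and for HEC metrics.

```python
"""Added example (not the presenter's script): reshape a CGM cloud export into
Splunk metrics, both as metric_csv rows and as HEC metric events.

Assumptions, labelled: the export columns, device name and dotted metric
names are constructed; export timestamps are taken to be UTC; the
metric_csv header (metric_timestamp, metric_name, _value, dimensions) and
the single-metric HEC event shape ("event": "metric", metric under "fields")
follow the Splunk documentation for that sourcetype and for HEC metrics.
"""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample export (not real patient data). Timestamps are strings in
# the reader's local format and every metric is its own column, which is the
# shape the talk describes having to translate.
SAMPLE_EXPORT = """\
Device,Serial Number,Device Timestamp,Historic Glucose mmol/L,Scan Glucose mmol/L,Carbohydrates (grams)
cgm-reader,ABC123,22-11-2018 18:00,5.8,,
cgm-reader,ABC123,22-11-2018 18:15,6.4,,
cgm-reader,ABC123,22-11-2018 18:20,,6.6,45
cgm-reader,ABC123,22-11-2018 18:30,7.9,,
cgm-reader,ABC123,22-11-2018 18:45,n/a,,
"""

TIMESTAMP_COLUMN = "Device Timestamp"
TIMESTAMP_FORMAT = "%d-%m-%Y %H:%M"
# Export column -> dotted metric namespace (constructed names).
METRIC_COLUMNS = {
    "Historic Glucose mmol/L": "glucose.interstitial.historic",
    "Scan Glucose mmol/L": "glucose.interstitial.scan",
    "Carbohydrates (grams)": "intake.carbohydrates",
}
# Export column -> dimension name carried alongside every value.
DIMENSION_COLUMNS = {"Device": "device", "Serial Number": "serial"}


def parse_timestamp(text):
    """Turn the export's string timestamp into a Unix epoch (assumed UTC)."""
    stamp = datetime.strptime(text.strip(), TIMESTAMP_FORMAT)
    return int(stamp.replace(tzinfo=timezone.utc).timestamp())


def export_to_metrics(export_text):
    """Return ([(epoch, metric_name, value, dims)], skipped_count).

    Each numeric cell becomes its own metric record. Blank cells are simply
    absent; non-numeric cells are counted and dropped here, because Splunk
    skips any metric record whose _value is not a number.
    """
    rows, skipped = [], 0
    for record in csv.DictReader(io.StringIO(export_text)):
        epoch = parse_timestamp(record[TIMESTAMP_COLUMN])
        dims = {dim: record[col] for col, dim in DIMENSION_COLUMNS.items()}
        for col, metric_name in METRIC_COLUMNS.items():
            raw = (record.get(col) or "").strip()
            if not raw:
                continue
            try:
                value = float(raw)
            except ValueError:
                skipped += 1
                continue
            rows.append((epoch, metric_name, value, dims))
    return rows, skipped


def to_metric_csv(rows):
    """Render rows in the layout the metric_csv sourcetype ingests."""
    dim_names = sorted(DIMENSION_COLUMNS.values())
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["metric_timestamp", "metric_name", "_value", *dim_names])
    for epoch, metric_name, value, dims in rows:
        writer.writerow([epoch, metric_name, value, *(dims[d] for d in dim_names)])
    return out.getvalue()


def to_hec_events(rows, host, source):
    """Render rows as single-metric HEC events (one JSON object per metric)."""
    return [
        {"time": epoch, "event": "metric", "host": host, "source": source,
         "fields": {"metric_name": metric_name, "_value": value, **dims}}
        for epoch, metric_name, value, dims in rows
    ]


def hec_body(events):
    """Newline-delimited JSON: the body a POST to /services/collector would carry."""
    return "\n".join(json.dumps(event, sort_keys=True) for event in events)


if __name__ == "__main__":
    metrics, dropped = export_to_metrics(SAMPLE_EXPORT)
    print(to_metric_csv(metrics))
    print(hec_body(to_hec_events(metrics, host="macbook", source="cgm-export")))
    print(f"dropped {dropped} non-numeric cell(s)")
```

  Each export row fans out into one record per populated metric column, so a row with both a scan reading and a carbohydrate entry yields two metric records sharing the same timestamp and dimensions; the `n/a` cell in the constructed sample is what Splunk would otherwise silently drop at index time.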
  16. Doing this really because it was intensely familiar to me as a developer with experience in mobile and web app development, and I was surprised that very few of my colleagues were using it – and the environment where I’m currently based had no experience of it being deployed at all. Blah… And some gotchas from the experience.
  17. Let’s start by talking about CSV-based lookups. Pretty sure you use them to do lookups, automated or otherwise, to maintain fairly static stuff.
  – Lookup – adding data to your existing events (here a cleric is using Splunk instead of that tired old detect evil spell)
  – Inputlookup – creating new events in an existing result set
  – | outputlookup – takes events and writes them to a store
  18. On the other hand, KV Store lookup queries look…like… hang on a minute. Oddly familiar.
  19. Live on the indexers. If they get large, depending on your setup, that’s a lot of stuff zinging about the network. You can only add stuff to it – append to it, actually. If you want to make a modification, or a removal, or change the order, you need to grab what you need from the file, reconstruct it as you wish, and then write the WHOLE THING out again. KV store – we can insert, update/change, and delete specific entries without rewriting everything. Because it’s classically key-value paired – hence the name. Familiar paradigm to anyone using a relational (or otherwise, I guess) datastore, in app development or anything else. BTW you can replicate across indexers by setting replicate to true in the stanza in collections.conf, then run off indexers. Haven’t tried it, so can’t report on that.
  20. Collections are the containers for your data, similar to a database table. Collections exist within the context of a given app. Records contain each entry of your data, similar to a row in a database table. Fields correspond to key names, similar to the columns in a database table. Fields contain the values of your data as a JSON file. Although it is not required, you can enforce data types (number, boolean, time, and string) for field values. _key is a reserved field that contains the unique ID for each record. If you don't explicitly specify the _key value, the app auto-generates one. _user is a reserved field that contains the user ID for each record. This field cannot be overridden. Accelerations improve search performance by making searches that contain accelerated fields return faster. Accelerations store a small portion of the collection's data set in an easy-to-traverse form.
  21. Living on the search head, faster if the file is large and/or updated frequently. Self explanatory, but something often updated – traditional DB app. Preserving state – either to resume a complex application when the user returns after exiting, or if you have an app managing another app, or you need to queue tasks in an app – a good way to do it. Pretty much a scratchdisk definition, actually. Field acceleration can give extra speed/efficiency. Porting an app with a datastore over, or thinking of porting out. Familiar paradigm to get going or take away. Something that’s been on my mind a lot as I find myself fighting more and more against the assumptions in dashboards, particularly their aesthetic assumptions – but perhaps more on that later.
  22. This section I’ll cover actually getting the thing up and running. System set up tasks – requirements in terms of hardware, ports used, etc. Configuring a collection – how to set up bare-bones definitions for the store and lookups Dashboards and logic – doing something practical with it. May be light on detail here and talk through or discuss a real world example depending on how many of you are left alive, conscious, and sane by the time we get to that point.
  23. KV store is available and supported on all Splunk Enterprise 64-bit builds. It is not available on 32-bit Splunk Enterprise builds. KV store is also not available on universal forwarders. KV store uses port 8191 by default. You can change the port number in server.conf's [kvstore] stanza. The KV store files reside on search heads. In a search head cluster, if any node receives a write, the KV store delegates the write to the KV store captain. The KV store keeps the reads local, however.
  24. Also REST. Not going to talk about that much beyond an example of targeting a field directly, but you can use REST to manage collections – add, remove, delete, whatever – as well as records. Not too dissimilar to setting up a file-based lookup.
  25. The order of accelerations is important. For example, an acceleration of { "a":1, "b":1 } speeds queries on "a" and "a" + "b", but not on "b" alone. A combined acceleration speeds up queries better than multiple separate accelerations. For example, to speed up queries on "a" + "b", a combined acceleration { "a":1, "b":1 } is better than separate accelerations { "a":1 } and { "b": 1 }. To delete an acceleration, remove the corresponding entry from the stanza and restart Splunk Enterprise. Accelerated fields have a limitation of 1024 bytes per entry, so you cannot use fields that have more than 1024 bytes.
  26. Every record has what amounts to a primary key, a unique value. This is _key. Set it explicitly yourself; if not, a unique value is autogenerated for you. _user is also reserved. Declare it explicitly if you want to use it or make it visible – tip: do this.
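  The collection setup, REST management and _key handling covered in notes 23 to 26, as an added Python example rather than the presenter’s jQuery code: a thin KV Store REST client whose transport is injectable, so the request shapes can be checked offline with the recording transport included in the block. Assumptions: the endpoints are the documented storage/collections/config and storage/collections/data ones (including batch_save and the query parameter); BATCH_SAVE_LIMIT mirrors the default limits.conf max_documents_per_batch_save of 1000, which you should check against your own deployment; the base URL, app, collection, field names and token are constructed.

```python
"""Added example (not the talk's code): a thin Splunk KV Store REST client with
an injectable transport, so request shapes can be verified without a Splunk
instance.

Assumptions, labelled: endpoint paths are the documented
storage/collections/config and storage/collections/data endpoints;
BATCH_SAVE_LIMIT follows the default limits.conf max_documents_per_batch_save
of 1000 (check yours); host, app, collection, fields and token are constructed.
"""
import json
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

BATCH_SAVE_LIMIT = 1000  # assumption: default max_documents_per_batch_save


def urllib_transport(method, url, headers, body):
    """Real transport: send the request, return (status, response text).

    Certificate verification is left on; a search head with a self-signed
    certificate should be trusted explicitly, not by disabling checks.
    """
    with urlopen(Request(url, data=body, headers=headers, method=method)) as resp:
        return resp.status, resp.read().decode()


class RecordingTransport:
    """Offline transport: records each request and answers with an empty list."""

    def __init__(self):
        self.calls = []  # (method, url, headers, body) per request

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        return 200, "[]"


class KVStoreClient:
    def __init__(self, base_url, app, user, token, transport=urllib_transport):
        self.root = (f"{base_url.rstrip('/')}/servicesNS/{quote(user)}/"
                     f"{quote(app)}/storage/collections")
        self.headers = {"Authorization": f"Bearer {token}"}
        self.transport = transport

    def _call(self, method, path, params=None, form=None, json_body=None):
        url = f"{self.root}/{path}" + (f"?{urlencode(params)}" if params else "")
        headers, body = dict(self.headers), None
        if json_body is not None:
            body = json.dumps(json_body).encode()
            headers["Content-Type"] = "application/json"
        elif form is not None:
            body = urlencode(form).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        status, text = self.transport(method, url, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {url} -> {status}: {text}")
        return text

    def create_collection(self, name, fields=None, accelerated_fields=None,
                          replicate=False):
        """Create the collection, then set typed fields, accelerations and
        the replicate flag (the collections.conf keys) on its config entry."""
        self._call("POST", "config", form={"name": name})
        settings = {f"field.{k}": v for k, v in (fields or {}).items()}
        settings.update({f"accelerated_fields.{k}": json.dumps(v)
                         for k, v in (accelerated_fields or {}).items()})
        settings["replicate"] = "true" if replicate else "false"
        self._call("POST", f"config/{quote(name)}", form=settings)

    def save_many(self, collection, records):
        """Insert or update records via batch_save, chunked to the batch limit.

        A record carrying _key updates that record; one without gets a
        generated _key. Returns the size of each batch sent.
        """
        sizes = []
        for start in range(0, len(records), BATCH_SAVE_LIMIT):
            chunk = records[start:start + BATCH_SAVE_LIMIT]
            self._call("POST", f"data/{quote(collection)}/batch_save", json_body=chunk)
            sizes.append(len(chunk))
        return sizes

    def query(self, collection, where, fields=None, limit=0):
        """Read records matching a JSON query, optionally projecting fields."""
        params = {"query": json.dumps(where)}
        if fields:
            params["fields"] = ",".join(fields)
        if limit:
            params["limit"] = str(limit)
        return json.loads(self._call("GET", f"data/{quote(collection)}", params=params))

    def delete_record(self, collection, key):
        """Delete one record by _key; the key is URL-encoded, slashes included."""
        self._call("DELETE", f"data/{quote(collection)}/{quote(key, safe='')}")
```

  The transport split is what makes the client testable, and it is also where the deployment-specific choices live: the real transport keeps TLS verification on and sends a bearer token rather than a password, while `save_many` respects the batch limit so a 4k-row paste lands as several requests instead of one rejected one.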
  27. Just talk through what I did; why, the config setup, and what things look like.
  28. A confluence of circumstances… Need to replace some controls – list and inventory management from many sources into single app that many other apps could reference Updated multiple times daily, up to 4k entries at a time. Copy and paste from an excel sheet (funny story: I implemented what was basically an editable excel sheet, then they told me they’d actually just meant one of the columns in it. Ho hum) into individual csvs which are then possibly copied somewhere else. In an environment where replicating many CSV files was becoming problematic and reliable updates were rather less than that. A search head cluster. And no monitoring console. Or REST access.
  29. Dashboard Moan about UI stuff Like documentation, tends to get downplayed in favour of functionality BAH MOAR BOOTSTRAP! MOAR (CAREFUL) JQUERY! (more react! More angular!) Show css
  30. Not using search manager partly as exercise to familiarize myself with async control without threads Javascript: last serious time was when marquee tags were pretty hot stuff (Yes, I know, but limited to jscript, browser, and jquery version in environment) Handling Rest version No real delete because of nature of app. But it would look like this as a query – kind of a fake out, much closer to CSV approach – and this as a rest query. Gains: failed to take a screenshot in the environment but getting a recordcount of the whole thing was just under 3s as opposed to 22s, so there’s a bit of improvement.
  31. Next - probably write a renderer where displays are inputs so can be changed like a spreadsheet. Or change type to input on a click. Haven’t decided. Monitor with monitoring console to troubleshoot – not something I can talk about a lot since the places I’m working view using it as ”supping from the very bladder of Satan.” A direct quote.*
  32. Gotchas
  – Duplicating from one environment to another? Export and import. Can do that as JSON, so I’m in the early stages of a command to do this automatically.
  – http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/BackupKVstore – backing up and restoring – but ALL OF IT – if app, maybe CSV
  – Access.conf – permission issues.
  – WHERE and where in queries
  – Append=t
  – KV Store can’t do some type of query – check this
  – _key and _user – making the _key visible
  – Auto lookups – In Splunk Enterprise, KV Store collections are not bundle-replicated to indexers by default, and lookups run locally on the search head rather than on remote peers. When you enable replication for a KV Store collection, you can run the lookups on your indexers, which lets you use automatic lookups with your KV Store collections. To enable replication for a KV Store collection and allow lookups against that collection to be automatic: open collections.conf and set replicate to true in the stanza for the collection. This parameter is set to false by default.
  Example configuration of an automatic KV Store lookup (this references the example KV Store lookup configuration in Configure KV Store lookups, in this manual; the KV Store lookup is defined in transforms.conf, in a stanza named employee_info):
  [access_combined]
  LOOKUP-http = employee_info CustID AS cust_ID OUTPUT CustName AS cust_name, CustCity AS cust_city
  This configuration uses the employee_info lookup in transforms.conf to add fields to your events. Specifically, it adds cust_name and cust_city fields to any access_combined event with a cust_ID value that matches a CustID value in the kvstorecoll KV Store collection. It also uses the AS clause to find matching fields in the KV Store collection and to rename output fields when they are added to events. (http://docs.splunk.com/Documentation/Splunk/7.2.1/Knowledge/Makeyourlookupautomatic#Enable_replication_for_a_KV_store_collection)
  33. https://www.splunk.com/blog/2018/10/16/introducing-splunk-enterprise-security-5-2.html#
  34. http://docs.splunk.com/Documentation/ES/5.2.0/Admin/Sequencecorrelationsearches
  35. http://docs.splunk.com/Documentation/ES/5.2.0/Admin/Sequencecorrelationsearches
  36. http://docs.splunk.com/Documentation/ES/5.2.0/Admin/Usecasecontentlibrary
  37. https://www.splunk.com/blog/2018/10/02/introducing-the-splunk-phantom-platform-version-4-0.html#
  38. https://www.splunk.com/blog/2018/10/16/splunk-user-behavior-analytics-4-2-delivers-user-feedback-for-machine-learning-models-and-more.html#
  39. https://www.splunk.com/blog/2018/10/02/announcing-splunk-itsi-4-0-predictive-analytics-for-real-time-insights-simplified-operations-and-root-cause-isolation.html# https://static.rainfocus.com/splunk/splunkconf18/sess/1523371319781001Y2QV/finalPDF/TransUnion-and-Time-Traveling-1396_1538792137079001YOqH.pdf
  40. https://www.splunk.com/en_us/software/splunk-enterprise/features.html#scale https://www.splunk.com/blog/2018/10/11/splunk-smartstore-cut-the-cord-by-decoupling-compute-and-storage.html# https://www.splunk.com/blog/2018/10/11/splunk-smartstore-disrupting-existing-large-scale-data-management-paradigms.html
  41. https://www.splunk.com/blog/2018/04/24/dynamic-data-self-storage-compliance-cloud-and-data-lifecycle.html https://www.splunk.com/blog/2018/10/11/dynamic-data-data-retention-options-in-splunk-cloud.html#
  42. https://www.splunk.com/en_us/software/splunk-next.html https://www.splunk.com/blog/2018/10/02/splunk-next-working-the-way-your-data-works.html
  43. https://www.splunk.com/blog/2018/10/02/splunk-next-working-the-way-your-data-works.html https://www.splunk.com/en_us/software/splunk-next.html
  44. https://www.splunk.com/blog/2018/10/02/splunk-next-working-the-way-your-data-works.html https://www.splunk.com/en_us/software/splunk-next.html
  45. http://splunk-usergroups.signup.team/