dlux - splunk technical overview
Splunk Technical Overview, Lunch'n'Learn v3
Page 1
splunk> Overview
Your Guide: David Lutz
Page 2
Copyright © 2011, Splunk Inc. Listen to your data.
splunk> Lunch’n Learn Agenda
splunk> Overview
· What is splunk>?
· Use cases
· Architecture
Using splunk>
· Installation and setup (v4.3)
· Adding data
· Search with keywords, boolean operators and statistical commands
· Alerts, reports, and dashboards
splunk> Public Assets
· Splunkbase (splunk> repository of over 200 free applications)
· Answers – community-driven Q&A
· Online Documentation
· Enterprise and Global Support
splunk> App demo
· A demonstration of the splunk> for Application Management App and more
Page 3
Agenda
· What is Splunk? splunk> explained
· Searching, Alerting & Reporting explained
· Universal Indexing explained
· Deployment Options explained
· Demonstration
Page 4
What is it?
Page 5
Collects, indexes and harnesses your machine data to identify problems, patterns, risks and opportunities and drive better decisions for IT and the business.
Page 6
Wait. What?
Page 7
splunk> is software
splunk> creates a key : value index
splunk> retains pristine copies of all data
splunk> searches that index for data
Page 8
splunk> is the engine for machine data
No predefined schema, no custom connectors, no RDBMS, no need to filter/forward.
Sources by platform (slide diagram rendered as a list):
· Linux/Unix: Configurations, syslog, File system, ps, iostat, top
· Windows: Registry, Event logs, File system, sysinternals
· Networking: Configurations, syslog, SNMP, netflow
· Databases: Configurations, Audit/query logs, Tables, Schemas
· Applications: Web logs, Log4J, JMS, JMX, .NET events, Code and scripts
· Virtualization & Cloud: Hypervisor, Guest OS, Apps, Cloud
Data types: Logfiles, Configs, Messages, Traps, Alerts, Metrics, Scripts, Tickets, Changes
Customer Facing Data: Click-stream data, Shopping cart data, Online transaction data
Outside the Datacenter: Manufacturing, logistics…, CDRs & IPDRs, Power consumption, RFID data, GPS data
Page 9
splunk> eliminates finger pointing
Page 10
What It’s Like In The Trenches
(Slide swimlane rendered as a sequence; each step is one team's turn.)
· Service Desk: Log call. The console says everything is green. Escalate.
· Application Support: Java monitoring tools don’t show anything either. Call the developer. Escalate.
· Application Developer: Stop working on new code to troubleshoot. Need production logs! Escalate.
· Systems Administrator: Stop what they’re doing to identify and gather production logs for developer. Respond.
· Application Developer: Manual investigation establishes not application problem. Escalate.
· Database Administrator: DBA analyzes audit logs which points to bad query. Now what?
Pages 11 to 18
Harnessing Your Machine Data
(Slide build rendered as a list: the ladder runs from Reactive, “IT silo chaos”, up to Proactive.)
· Search and Investigate: Investigate, find and fix problems dramatically faster across your organization
· Proactive Monitoring: Automatically monitor to identify issues, problems and attacks before they impact your customers and services
· Operational Visibility: Gain end-to-end visibility to track and deliver on IT KPIs and make better-informed IT decisions
· Real-time Business Insights: Gain real-time insight from operational data to make better-informed business decisions
Page 19
splunk> Supports Diverse Apps/Solutions
(Slide shows app logos; legible labels: Security, IronPort WSA, CDR)
Page 20
Universal Indexing
Page 21
key : value
Universal Indexing Indexes Unstructured Data
It’s that simple.
Page 22
Universal Indexing Indexes Unstructured Data
Every word, every value, every character … even punctuation … even white spaces
Page 23
New Approach to Heterogeneous Data
Universal Indexing
• No data normalization
• Automatically handles timestamps
• Parsers not required
• Index every term & pattern “blindly”
• No attempt to “understand” up front
Search-time Knowledge
• Knowledge applied at search-time
• No brittle schema to work around
• Multiple views into the same data
• Splunk helps find transactions, patterns and trends
Flexibility and Fast Time to Value
• Normalization as it’s needed
• Faster implementation
• Easy search language
• Multiple views into the same data
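The three columns above describe one design: index every term of the raw event with no schema, keep the original text untouched, and apply "knowledge" (field extractions) only when a search runs. The following is an added illustration of that design in plain Python; it is not Splunk code, and the class and function names (UniversalIndex, extract, stats_count_by), the tokenizer regex, the field regexes and the five sample events are all this example's own constructions. It shows a keyword AND/NOT search over the blind index, then "stats count by" a field that exists only as a search-time regex, so the same raw events can be viewed through different field sets without re-indexing.

```python
"""Toy universal index with search-time field extraction.

Added illustration, not Splunk's code: each event is stored as an untouched
raw string, every term in it is indexed with no schema or parser defined up
front, and fields such as src_ip or user exist only as regexes applied when a
search asks for them.
"""
import re
from collections import Counter, defaultdict

# Constructed sample events (not real logs): an sshd syslog stream and a
# web access log that share no schema.
RAW_EVENTS = [
    "2011-10-03 12:00:01 sshd[412]: Failed password for invalid user admin from 10.1.2.3 port 5020 ssh2",
    "2011-10-03 12:00:02 sshd[412]: Failed password for root from 10.1.2.3 port 5021 ssh2",
    "2011-10-03 12:00:05 sshd[418]: Accepted publickey for deploy from 10.0.0.7 port 5100 ssh2",
    '10.1.2.3 - - [03/Oct/2011:12:00:09 +0000] "GET /login?user=admin HTTP/1.1" 401 512',
    '10.0.0.7 - - [03/Oct/2011:12:00:10 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

# A "term" is any run of word characters, dots, slashes or dashes, so IPs,
# paths and dates survive as single tokens. Everything is indexed blindly.
TOKEN_RE = re.compile(r"[A-Za-z0-9_./-]+")

# Search-time knowledge: field extractions are plain regexes chosen at query
# time (hypothetical patterns), so one raw data set can carry several views.
FIELD_PATTERNS = {
    "src_ip": r"(?:^|from )(\d{1,3}(?:\.\d{1,3}){3})",
    "user": r"(?:for (?:invalid user )?|user=)(\w+)",
    "status": r'" (\d{3}) \d+$',
}


class UniversalIndex:
    def __init__(self):
        self.events = []                   # pristine copies, never rewritten
        self.postings = defaultdict(set)   # lower-cased term -> event ids

    def add(self, raw):
        event_id = len(self.events)
        self.events.append(raw)
        for term in TOKEN_RE.findall(raw):
            self.postings[term.lower()].add(event_id)
        return event_id

    def search(self, query):
        """Keyword AND search; 'NOT x' excludes x. Returns raw events in order."""
        hits = set(range(len(self.events)))
        negate = False
        for word in query.split():
            if word.upper() == "NOT":
                negate = True
                continue
            ids = self.postings.get(word.lower(), set())
            hits = hits - ids if negate else hits & ids
            negate = False
        return [self.events[i] for i in sorted(hits)]


def extract(event, patterns=FIELD_PATTERNS):
    """Apply the search-time extractions to one raw event; unmatched fields are absent."""
    fields = {}
    for name, pattern in patterns.items():
        match = re.search(pattern, event)
        if match:
            fields[name] = match.group(1)
    return fields


def stats_count_by(events, field, patterns=FIELD_PATTERNS):
    """Equivalent of '| stats count by <field>'; events lacking the field drop out."""
    counter = Counter()
    for event in events:
        fields = extract(event, patterns)
        if field in fields:
            counter[fields[field]] += 1
    return dict(counter)


def build_index(raw_events=RAW_EVENTS):
    index = UniversalIndex()
    for raw in raw_events:
        index.add(raw)
    return index


if __name__ == "__main__":
    idx = build_index()
    failed = idx.search("failed password")
    print(len(failed), "failed logins")
    print("by src_ip:", stats_count_by(failed, "src_ip"))
    print("by user, all events:", stats_count_by(idx.events, "user"))
    print("web status codes:", stats_count_by(idx.search("GET"), "status"))
```

Because the index never alters the stored event, a second set of regexes (say, one that extracts the ssh port) can be applied to the same data later with no re-ingest, which is the "multiple views into the same data" point from both the search-time and flexibility columns.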
Page 24
Deployment Options
Page 25
A splunk> Installation Has 4 Functions
· Searching and Reporting (Search Head)
· Indexing and Search Services (Indexer)
· Data Collection and Forwarding (Forwarder)
· Local and Distributed Management (Deployment Server)
A splunk> installation can be one or all of these …
Page 26
Single splunk> Indexer
Get started with a single splunk> Indexer. You can index, search, alert, report, correlate within 15 minutes.
· Send in syslog data
· Pull in local data via File or Dir monitoring, WMI, and/or Scripted Inputs
Sources shown: Scripts, Logs, Messages; Servers & Desktops; Firewalls, Routers, Switches
Page 27
splunk> Indexer with Forwarders
splunk> Forwarders can be used to send data to your splunk> Indexer reliably and securely
Page 28
splunk> Scales Across the Datacenter
Send data from 1,000s of servers using a combination of splunk> Forwarders, syslog, WMI, message queues, or other remote protocols
Auto load-balanced forwarding to as many splunk> Indexers as you need to index, up to TBs/day
Offload search with dedicated splunk> Search Head(s)
Page 29
splunk> Runs Across Datacenters
Distributed search unifies the view across locations
Role-based access controls how far a given user's search will span
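The two slide lines above describe a search head that fans one query out to indexers in several locations and a role that decides beforehand how far that fan-out may reach. The following is an added illustration, not Splunk code: the Peer, Role and SearchHead classes, the role attributes (sites, indexes, search_filter), the two sample indexers and their events are all this example's own constructions, modelled loosely on the idea that a role limits the indexes a search may touch and appends a fixed filter to it. It shows the same query returning different result sets depending only on the role it runs under, and that out-of-scope peers and indexes are never read rather than read and then filtered.

```python
"""Distributed search with role-scoped reach.

Added illustration, not Splunk's code: a search head fans one query out to
indexer peers in several datacenters, merges what comes back, and a role
decides up front which peers and indexes the user's search may span and
which filter is silently appended to it.
"""
from dataclasses import dataclass


@dataclass
class Peer:
    """An indexer: holds its own indexes and answers searches locally."""
    name: str
    site: str
    indexes: dict   # index name -> list of raw events

    def search(self, terms, allowed_indexes):
        hits = []
        for index_name, events in self.indexes.items():
            if index_name not in allowed_indexes:
                continue          # indexes outside the role's scope are never read
            for event in events:
                if all(term.lower() in event.lower() for term in terms):
                    hits.append((self.name, index_name, event))
        return hits


@dataclass
class Role:
    """Declares how far a search run by this role may span (hypothetical field names)."""
    sites: frozenset
    indexes: frozenset
    search_filter: tuple = ()   # terms the search head appends to every query


class SearchHead:
    def __init__(self, peers, roles):
        self.peers = peers
        self.roles = roles

    def search(self, role_name, query):
        role = self.roles[role_name]
        terms = query.split() + list(role.search_filter)
        results = []
        for peer in self.peers:
            if peer.site not in role.sites:
                continue          # the role's reach stops at the site boundary
            results.extend(peer.search(terms, role.indexes))
        return results


# Constructed sample deployment (not real hosts or logs): one indexer per site.
PEERS = [
    Peer("idx-nyc-1", "nyc", {
        "os":  ["sshd[412]: Failed password for root from 10.1.2.3 port 5020",
                "cron[77]: backup job finished"],
        "web": ['10.1.2.3 "GET /login HTTP/1.1" 401 512',
                '10.0.0.7 "GET /index.html HTTP/1.1" 200 2048'],
    }),
    Peer("idx-lon-1", "lon", {
        "os":  ["sshd[903]: Failed password for admin from 192.0.2.9 port 6001",
                "kernel: eth0: link is up"],
        "web": ['192.0.2.9 "GET /login HTTP/1.1" 401 512'],
    }),
]

ROLES = {
    "global_admin": Role(frozenset({"nyc", "lon"}), frozenset({"os", "web"})),
    "nyc_webops":   Role(frozenset({"nyc"}), frozenset({"web"})),
    "auditor":      Role(frozenset({"nyc", "lon"}), frozenset({"os"}), search_filter=("sshd",)),
}


def build_search_head(peers=PEERS, roles=ROLES):
    return SearchHead(peers, roles)


if __name__ == "__main__":
    head = build_search_head()
    for role in ROLES:
        hits = head.search(role, "401")
        print(f"{role:13s} 401 -> {len(hits)} hit(s) from {sorted({h[0] for h in hits})}")
```

The auditor role is the one to study: it may span both sites but only the os index, and every search it runs is narrowed to sshd events, so a search for anything else returns nothing even though the events exist on peers it can reach.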
Page 30
splunk> Scales to TBs/day and 1,000s of Users
Automatic load balancing linearly scales indexing
Distributed Search with MapReduce linearly scales search and reporting
Page 31
Demonstration
Page 32
Executive and Domain-level Dashboards
Page 33
Remember ‘Harnessing Your Machine Data’?
(The top two rungs of the ladder, at the Proactive end.)
· Operational Visibility: Gain end-to-end visibility to track and deliver on IT KPIs and make better-informed IT decisions
· Real-time Business Insights: Gain real-time insight from operational data to make better-informed business decisions
Page 36
Root Cause Analysis
Page 37
Is There A Problem?
Page 38
Where Is The Problem?
Page 39
What Is The Problem?
Page 40
Remember ‘Harnessing Your Machine Data’?
(The bottom rung of the ladder, at the Reactive end, “IT silo chaos”.)
· Search and Investigate: Investigate, find and fix problems dramatically faster across your organization
Page 41
The IT Search Company
Your Guide: David Lutz
email: [email protected]
@dlux_at_splunk
skype: dluxatsplunkdotcom