Splunk really shows its power in the real-time analysis of unstructured data. A professional Splunk deployment has some kind of machine-generated data stream fed into it: web clicks, social media feeds, sensor readings from mechanical devices, log files, and so on.
In this example we will work with computer log files I pulled from a server.
Download Data File: event
Log into Splunk and select Add Data from the home screen
Select upload
Select File
Select the event.csv file I provided
Select Next
Select Next again (since we are on a local machine, the default Input Settings will do fine)
Finally, hit Submit
Now that the full log file is loaded, let's filter it down a little.
Put error* in the search bar. (* is a wildcard in Splunk, and search terms are not case sensitive.)
Now only events containing a word that begins with "error" are showing. Note that this is a keyword match, not a severity filter: an event mentioning "errors" in its message text matches just as well as one whose level is Error.
Now try the following in the search bar (terms separated by a space are ANDed together, so an event must match both)
error* terminal*
Now the log is filtered down to TerminalServices errors only.
Notice the timeline bar graph above the results. It shows an abnormal increase in these particular errors in October.
Setting Alerts
This looks like an abnormal increase in these particular errors. Wouldn't it be nice to know if they started firing off again?
Splunk lets us set Alerts to do just that. Above the bar graph you will find a Save As drop-down menu; click on it and then select Alert.
Give the Alert a name.
I don't want to run this on a schedule, so I clicked Real-time instead. Be aware that a real-time alert keeps a search running continuously and consumes search resources for as long as it exists; for most use cases a scheduled alert that runs every few minutes over the last few minutes is cheaper and nearly as timely.
I set the Trigger Conditions to fire when more than 50 of these errors appear. For a real-time alert, that count is taken over the rolling time window you pick in the trigger condition, so choose a window that matches how fast the October spike built up.
Under Add Trigger Actions, I selected Add to Triggered Alerts. This only records the firing in the Triggered Alerts view; add an email or webhook action as well if someone actually needs to be notified.
Select your Severity
Now the Alert is saved
If you select Alerts in the top menu, you can see the newly saved alert too.
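The two things the walkthrough does in the Splunk UI, the wildcard search and the "more than 50 results" alert, are easy to reason about once they are written out. The following is an added example, not code from the original post or from Splunk: a plain-Python model of how a term like error* terminal* is matched against an event and how a count-over-window trigger fires. The tokenisation (splitting on whitespace and on punctuation) is a simplification of Splunk's segmentation, and every log line in it is constructed for the example, not taken from the event.csv file above.

```python
"""Added example (not from the original post or from Splunk): a plain-Python
model of the walkthrough's search and alert so their behaviour can be checked
offline.

1. The search `error* terminal*`: each space-separated term is matched,
   case-insensitively, against the tokens of an event, `*` matching any
   characters; separate terms are implicitly ANDed.
2. The alert "more than 50 results": a threshold on the number of matching
   events inside a rolling time window.

Tokenisation here (whitespace plus punctuation) is a simplification of
Splunk's segmentation. All log lines below are constructed for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    message: str


def _ev(ts: str, message: str) -> Event:
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), message)


# Constructed sample events (not the event.csv from the post).
BASE_EVENTS = [
    _ev("2019-09-03 10:15:00", "Information TerminalServices-Gateway session started for user alice"),
    _ev("2019-09-12 08:02:11", "Error TerminalServices-Printers printer redirection failed"),
    _ev("2019-09-20 14:30:00", "Error Kernel-Power the system has rebooted without cleanly shutting down"),
    _ev("2019-10-01 09:00:00", "Error TerminalServices-RemoteConnectionManager listener RDP-Tcp failed"),
    _ev("2019-10-01 09:00:20", "Warning Disk errors detected on volume C:"),
    _ev("2019-10-05 11:11:11", "Error ErrorCode 0x80004005 terminal session timed out"),
]

# A constructed burst: the same TerminalServices error once a second for a
# minute, the kind of spike the timeline bar graph would show in October.
BURST_START = datetime(2019, 10, 14, 2, 30, 0)
BURST_EVENTS = [
    Event(BURST_START + timedelta(seconds=i),
          "Error TerminalServices-RemoteConnectionManager listener RDP-Tcp failed")
    for i in range(60)
]
SAMPLE_EVENTS = BASE_EVENTS + BURST_EVENTS


def tokens(message: str) -> set:
    """Whole words plus the pieces between punctuation: 'RDP-Tcp' -> {'RDP-Tcp', 'RDP', 'Tcp'}."""
    words = message.split()
    parts = re.findall(r"[A-Za-z0-9_]+", message)
    return set(words) | set(parts)


def term_matches(term: str, message: str) -> bool:
    """A Splunk-style term: case-insensitive, '*' is a wildcard, must cover a whole token."""
    pattern = ".*".join(re.escape(piece) for piece in term.split("*"))
    rx = re.compile(pattern, re.IGNORECASE)
    return any(rx.fullmatch(tok) for tok in tokens(message))


def search(events, query: str):
    """Keep the events for which every term in the query matches (implicit AND)."""
    terms = query.split()
    return [e for e in events if all(term_matches(t, e.message) for t in terms)]


def count_by_month(events) -> Counter:
    """Roughly what the timeline bar graph shows, bucketed by month."""
    return Counter(e.ts.strftime("%Y-%m") for e in events)


def first_alert_window(events, threshold: int = 50,
                       window: timedelta = timedelta(minutes=1)) -> Optional[datetime]:
    """Start of the first rolling window holding MORE THAN `threshold` events, or None.

    This is the post's 'Number of Results > 50' trigger, evaluated over a
    sliding window instead of a Splunk real-time search.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    j = 0
    for i, start in enumerate(ordered):
        # Advance j to the first event outside [start, start + window).
        while j < len(ordered) and ordered[j].ts - start.ts < window:
            j += 1
        if j - i > threshold:
            return start.ts
    return None


if __name__ == "__main__":
    hits = search(SAMPLE_EVENTS, "error* terminal*")
    print(len(search(SAMPLE_EVENTS, "error*")), "events match error*")
    print(len(hits), "events match error* terminal*")
    print("per month:", dict(count_by_month(hits)))
    print("alert window starts:", first_alert_window(hits))
```

Two details worth noticing when you run it: the "Warning Disk errors" line is pulled in by error* because the match is on tokens rather than on a severity field, which is exactly why the second term is needed to narrow the result to TerminalServices, and the alert fires at the start of the constructed one-minute burst, not on the handful of scattered September and October events, because the threshold is a count inside a window rather than a total.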