Splunk: Overview of functionality

Splunk is great at analyzing large sets of unstructured data quickly and easily. To simulate working with a stream of data, I am using a log file I pulled from a server. You can download it here: event

Load this into Splunk through the Add Data upload button. You can just hit Next through the remaining upload screens; the default settings work just fine for us.


With our data loaded, we can search through it using keywords and wildcards.


But for something cool, click on the Patterns tab. This shows interesting patterns Splunk has sniffed out on its own.


Click on any of the Interesting Fields Splunk created from your data to see some interesting quick stats.


You can dig deeper into the Stats by picking one of the canned reports that appear in the pop-up window.


You can run visualizations from these reports.


Of course, you can change the visualization type from a simple menu.


The Statistics tab shows numeric stats based on the report/query you are working with.


If, while exploring, you find a search you want to keep or share, you can save its settings as a Report.


When you save the report, Splunk gives you a default option to add a Time Range Picker that will let you pick a time range next time you run the report.


I personally recommend playing with Splunk to get a better feel for it. What is so cool about it is how quickly and easily you can produce actionable analytics.


Splunk: Introduction to Real Time Data Analysis – Setting Alerts

Splunk really shows its power in the realm of real-time analysis of unstructured data. A professional implementation of Splunk involves some sort of machine-produced data stream being fed into Splunk. This could be web clicks, social media feeds, sensor readings from mechanical devices, log files, etc.

In our example we are going to be working with computer log files I pulled from a server.

Download Data File: event

Log into Splunk and select Add Data from the home screen


Select upload


Select File


Select the event.csv file I provided


Select Next


Select Next (since we are on a local machine, the default Input settings will do fine)


Finally, hit Submit


Now that we have the full log file loaded, let’s try filtering the data down a little.

Put error* in the search bar. (* is a wildcard in Splunk.)

Now only Errors are showing up in our data.


Now try the following in the search bar

error* terminal*

Now my log files are filtered down to TerminalServices Errors only.


Notice the top bar graph. It shows an abnormal increase in these particular errors in October.


Setting Alerts

It looks like there has been an abnormal increase in these particular errors. Wouldn’t it be nice to know if these errors started firing off again?

Splunk lets us set Alerts to do just that. Above the bar graph you will find a Save As drop-down menu; click on it and then select Alert.


Give the Alert a name.

I don’t want to run this on a schedule. Instead, I clicked Real-time.

I set the Trigger Conditions to go off when more than 50 of these errors appear.


Under Add Trigger Actions, I selected Add to Triggered Alerts.


Select your Severity.


Now the Alert is saved.


If you select Alerts in the top menu, you can see the newly saved alert too.
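To make the search and alert behaviour above concrete, here is an added Python example (not code from the original post or from Splunk) that approximates what Splunk does for the two searches in this lesson (error* and error* terminal*), the monthly timeline bar graph, and the real-time alert with a "more than 50 results" trigger. The event lines are constructed sample data, not the author's event.csv; the one-hour rolling window is an assumption, since the post does not state the alert's window. The wildcard matching imitates Splunk's default search (terms are ANDed, case-insensitive, matched against whole tokens) but is a simplification of the real search language.

```python
import fnmatch
import re
from collections import Counter
from datetime import datetime, timedelta


def _make_events():
    """Constructed sample events shaped like Windows event log lines.
    This is NOT the author's event.csv; it just reproduces the shape of
    the data: a spike of TerminalServices errors in October plus noise."""
    base = datetime(2014, 10, 1, 8, 0, 0)
    events = []
    # 60 TerminalServices errors inside one hour: the abnormal October spike
    for i in range(60):
        events.append((base + timedelta(minutes=i),
                       "Error TerminalServices-Gateway 1001 Session connection failed"))
    # informational noise that must not match error*
    for i in range(20):
        events.append((base + timedelta(minutes=3 * i),
                       "Information Service Control Manager 7036 The Print Spooler "
                       "service entered the running state"))
    # unrelated errors: match error* but not terminal*
    for i in range(5):
        events.append((base + timedelta(hours=5, minutes=i),
                       "Error Kernel-Power 41 The system has rebooted without "
                       "cleanly shutting down first"))
    # a normal September day with only three TerminalServices errors
    sept = datetime(2014, 9, 15, 9, 0, 0)
    for i in range(3):
        events.append((sept + timedelta(minutes=10 * i),
                       "Error TerminalServices-Printers 1111 Driver not found"))
    return sorted(events)


SAMPLE_EVENTS = _make_events()

TOKEN_RE = re.compile(r"[A-Za-z0-9_]+")


def matches(raw, query):
    """Approximate Splunk's default search: every term in the query
    (wildcards allowed) must match at least one token of the event,
    case-insensitively; multiple terms are implicitly ANDed."""
    tokens = [t.lower() for t in TOKEN_RE.findall(raw)]
    return all(any(fnmatch.fnmatchcase(tok, term.lower()) for tok in tokens)
               for term in query.split())


def search(events, query):
    """Return the (timestamp, raw) events matching the query."""
    return [e for e in events if matches(e[1], query)]


def monthly_counts(events):
    """Mirror the timeline bar graph at month granularity."""
    return Counter(ts.strftime("%Y-%m") for ts, _ in events)


def alert_would_fire(events, query, threshold=50, window=timedelta(hours=1)):
    """Real-time alert check: does any rolling window of length `window`
    contain more than `threshold` matching events?
    Returns (fired, window_start, peak_count). The one-hour window is an
    assumption; the post only states the 'more than 50' trigger condition."""
    hits = sorted(ts for ts, _ in search(events, query))
    start = 0
    best_start, best_count = None, 0
    for end in range(len(hits)):
        # slide the window's left edge forward until it spans at most `window`
        while hits[end] - hits[start] >= window:
            start += 1
        count = end - start + 1
        if count > best_count:
            best_start, best_count = hits[start], count
    return best_count > threshold, best_start, best_count


if __name__ == "__main__":
    for q in ("error*", "error* terminal*"):
        hits = search(SAMPLE_EVENTS, q)
        print(f"{q!r}: {len(hits)} events, by month {dict(monthly_counts(hits))}")
    print("alert:", alert_would_fire(SAMPLE_EVENTS, "error* terminal*"))
```

Running it shows the same picture the lesson's bar graph shows: the September hits are a handful, while October holds a burst large enough to cross the 50-event trigger, so the real-time alert fires for that window and not for the quiet period.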

Splunk: Install Splunk Light on Ubuntu Linux

In this lesson, I will go over how to install Splunk Light Desktop on Ubuntu Linux.

Open your browser and search for “splunk light download”.

Click on the Splunk Light Software Free Download link.


Click on the Linux tab and select the .deb download.


If you go to the file drawer – Downloads, you will see the Splunk install file.


Now search the system for Terminal.


With the terminal open, type the following (substituting the path and file name of the .deb you downloaded):

sudo dpkg -i (path and file name of your download file)


Once installed, go to the folder /opt/splunk/bin and start Splunk, accepting the license:

cd /opt/splunk/bin

sudo ./splunk start --accept-license


Now you can open your browser and go to http://127.0.0.1:8000

Log in. On your first login, Splunk will ask you to change your password.


And now we are up and running.