Splunk: Overview of functionality

Splunk is great at analyzing large sets of unstructured data quickly and easily. To simulate working with a stream of data, I am using a log file I pulled from a server. You can download it here: event

Load this into Splunk through the Add Data upload button. You can just hit Next through the remaining upload screens; the default settings work fine for us.

With our data loaded, we can search through it using keywords and wildcards.

But for something cool, click on the Patterns tab. This shows interesting patterns Splunk has sniffed out on its own.

Click on any of the Interesting Fields Splunk created from your data to see some interesting quick stats.

You can dig deeper into the Stats by picking one of the canned reports that appear in the pop-up window.

You can run visualizations from these reports.

Of course, you can change the visualization type from a simple menu.

The Statistics tab shows numeric stats based on the report/query you are working with.

If, while exploring, you find a search you want to keep or share, you can save its settings as a Report.

When you save the report, Splunk gives you a default option to add a Time Range Picker that will let you pick a time range next time you run the report.

I personally recommend playing with Splunk to get a better feel for it. What is so cool about it is how quickly and easily you can produce actionable analytics.

 

Splunk: Introduction to Real Time Data Analysis – Setting Alerts

Splunk really shows its power in the realm of real-time analysis of unstructured data. A professional implementation of Splunk involves some sort of machine-produced data stream being fed into Splunk. This could be web clicks, social media feeds, sensor readings from mechanical devices, log files, etc.

In our example we are going to be working with computer log files I pulled from a server.

Download Data File: event

Log into Splunk and select Add Data from the home screen

Select upload

Select File

Select the event.csv file I provided

Select Next

Select Next (since we are on a local machine, the default Input settings will do fine)

Finally, hit Submit

Now that we have the full log file loaded, let’s try filtering the data down a little.

Put error* in the search bar. (* is a wildcard in Splunk.)

Now only Errors are showing up in our data.

Now try the following in the search bar:

error* terminal*

Now my log files are filtered down to TerminalServices Errors only.

Notice the top bar graph. It shows an abnormal increase in these particular errors in October.

Setting Alerts

It looks like there has been an abnormal increase in these particular errors. Wouldn’t it be nice to know if these errors started firing off again?

Splunk lets us set Alerts to do just that. Above the bar graph, you will find a drop down menu Save As – click on it and then select Alert

Give the Alert a name.

I don’t want to run this on a schedule. Instead, I clicked Real-time.

I set the Trigger Conditions to go off when more than 50 of these errors appear.

Under Add Trigger Actions, I selected Add to Triggered Alerts.

Select your Severity

Now the Alert is saved

If you select Alerts in the top menu, you can see the newly saved alert too.
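
As an added example (not part of the original post and not Splunk's own code), this Python script approximates what the search and alert above do: it splits each event into terms, treats error* terminal* as prefix wildcards with an implicit AND, buckets the hits by month like the bar graph, and applies the more-than-50 trigger condition. The event rows are constructed here to mimic the shape of the page's event.csv, which is not included.

```python
import csv
import io
import re
from collections import Counter

# Constructed rows in the shape of the page's event.csv (not the real file):
# time, source, level, message, with an October spike of TerminalServices errors.
def build_sample_events():
    rows = ["time,source,level,message"]
    for day in range(1, 4):
        rows.append(f"2016-09-{day:02d} 10:00:00,TerminalServices-Printers,"
                    "Error,Driver required for printer is unknown")
    for day in range(1, 31):
        for hour in (9, 13):
            rows.append(f"2016-10-{day:02d} {hour:02d}:00:00,"
                        "TerminalServices-RemoteConnectionManager,Error,"
                        "Listener RDP-Tcp failed to start")
    rows.append("2016-10-05 12:00:00,Kernel-General,Information,System time changed")
    rows.append("2016-10-06 12:00:00,Service Control Manager,Error,"
                "The Print Spooler service terminated")
    return "\n".join(rows) + "\n"

def terms(raw_event):
    # Approximation of Splunk's default segmentation: split on non-alphanumerics.
    return [t.lower() for t in re.split(r"[^A-Za-z0-9]+", raw_event) if t]

def matches(query, raw_event):
    """Implicit AND over query tokens; a trailing * is a prefix wildcard (error*)."""
    event_terms = terms(raw_event)
    for token in query.lower().split():
        if token.endswith("*"):
            hit = any(t.startswith(token[:-1]) for t in event_terms)
        else:
            hit = token in event_terms
        if not hit:
            return False
    return True

def search(raw_csv, query):
    # Each CSV row is searched as raw text, the way the search bar sees an event.
    reader = csv.DictReader(io.StringIO(raw_csv))
    return [row for row in reader if matches(query, ",".join(row.values()))]

def timechart_by_month(events):
    """Like the bar graph above the results: hit counts bucketed by YYYY-MM."""
    return Counter(e["time"][:7] for e in events)

def months_over_threshold(events, threshold=50):
    """The alert's trigger condition applied per month: more than `threshold` hits."""
    return sorted(m for m, n in timechart_by_month(events).items() if n > threshold)
```

Note that "terminated" in the Print Spooler row does not satisfy terminal*, so that error is kept out of the TerminalServices count, just as in the Splunk search.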

Splunk: Install Splunk Light on Ubuntu Linux

In this lesson, I will go over how to install Splunk Light Desktop on Ubuntu Linux.

Open your browser and search for splunk light download

Click on the Splunk Light Software Free Download

Click on the Linux tab and select .deb download

If you go to the file drawer – downloads, you will see the Splunk install file.

Now search your system for Terminal.

With terminal open type the following:

sudo dpkg -i (path and filename of your downloaded file)

Once installed, go to the folder /opt/splunk/bin and start Splunk:

cd /opt/splunk/bin

sudo ./splunk start --accept-license

Now you can open your browser and go to http://127.0.0.1:8000

Log in. On your first login, Splunk will ask you to change your password.

And now we are up and running.
