Splunk 7 Implementation - the first book on Splunk in Russian

Hi, Habr!

Today we want to talk about the first book on Splunk in Russian! The introduction of Splunk 7 by James D. Miller was released in December 2018 by MQM Press, with the support of our company.

Under the cat you will find a description of the book, a small fragment, as well as a link to the drawing of the book, which we arrange for our subscribers.

Splunk is a platform for collecting, storing, processing and operational analysis of machine data, that is, data from all physical, virtual and cloud environments of an organization's IT infrastructure. Splunk gives you the opportunity to study machine data in detail and turns system logs into valuable information. It is used to troubleshoot IT infrastructure problems, monitor security breaches, prevent attacks, obtain information for business analytics, optimize enterprise workflow and increase productivity, and work with a variety of large industrial data and data from IoT. Splunk is used in a wide range of industries from healthcare, to financial services and industrial production.

The book Splunk Introduction 7 from A to Z tells you how to work in Splunk. The explanations are accompanied by screenshots, illustrations, examples of search queries and code snippets. After reading the book, you will get acquainted with the built-in language of search queries and learn from the machine data to get tables, charts and other analytics both at the basic and at the advanced level. Learn how to optimize the speed of search queries on large data arrays and how to create data models. In addition, the book provides fairly detailed information on the system configuration and the main configuration files, as well as on the features of a distributed deployment, which is more common in the productive operation of Splunk. Also in this edition, a section appeared that describes special tools for machine learning in Splunk and shows how to create different models of machine learning with their help.

This book will be useful for both beginners who have not had previous experience in Splunk, and advanced users. Also, the book will be of interest to anyone who is somehow connected to data, for example, data analysts or business analysts who can get acquainted with new ways of managing big data, and IT administrators who can understand how to organize log management and monitoring systems in your organization.

Fragment from the book

Search

So we got to search. This is where all the power of Splunk is concentrated.
As a first example, let's try to perform a search (case insensitive) for the word error . Click in the search field, enter the word error and then press the Enter key or click on the magnifying glass icon to the right of the field, as shown in Figure. 1.19.


Fig. 1.19 Search field Search

After launching the search procedure, a page with results will open (which has changed little in version 7.0), as shown in Fig. 1.20.


Fig. 1.20 Search Results Page

Please note that we have started a search for all-time data (by default); To change the time interval for the search, you can use the time selection widget.

However, because we are experimenting on randomly generated data, not all requests will act as expected, and you may need to change them.
The description of the stages of loading data sets can be found in the previous section “Data Generator”.

How to change the time interval for the search, you will learn in the section “Using the timing widget”.

Actions

Consider the elements on this page. Under the search line Search (Search) displays the event counter, action icons and menus (Fig. 1.21).


Fig. 1.21 Information under the Search field

Here is what information is displayed under the search box (from left to right).

• The number of events found during the search. Technically, this number may not correspond to the number of results read from the disk, depending on the search parameters. In addition, if the query uses commands, this number may differ from the number of events in the list below.
• Job menu : opens the search job inspector window, which contains very detailed information about the request.
• Pause button : pauses the current search for events, but does not delete the results. This can be useful when you need to look at the results already obtained to determine whether to continue the search, which can take a long time.
• “Stop” button : stops the execution of the query, but saves already received results on the page. This can come in handy when a sufficient amount of information has been obtained and you can proceed to researching them.
• Share button : stretches the search time interval to seven days and provides access to the results for all users to read.
• Print button : formats the page for printing and starts the print function in the browser.
• “Export” button : exports results, offering to specify the number of exported results and the format - CSV, plain text, XML or JSON (JavaScript Object Notation is a form for writing JavaScript objects).
• Smart mode menu : controls the search mode. You can use this menu to speed up the search by limiting the amount of data returned and the number of fields that Splunk will extract from the data ( Fast mod e (Fast mode)). You can also select Verbose mode (Detailed mode) to get the maximum amount of event information. In Smart mode , the default behavior, the search behavior is determined by its type.

Time scale

Now let's move on to the time scale displayed below the bar with action buttons (Fig. 1.22).


Fig. 1.22 Timeline

The time scale not only allows you to quickly assess the distribution of events in a given interval, but is also a valuable tool to help you choose the appropriate interval. If you hover the mouse over the timeline, a pop-up hint appears with the number of events in the interval. Clicking on the scale selects events for a specific period of time.

If you press the left mouse button and drag the pointer, several time periods will be highlighted, as shown in fig. 1.23.


Fig. 1.23 Allocation of several time intervals

With the interval selected, you can click on the Zoom to selectio n link to change the interval and repeat the search for this interval. By repeating this process, you can get to specific events.

Deselect (returns selection) returns the display of all events in the time interval set in the time selection widget.

Zoom out increases the time interval displayed in the window.

You can get acquainted with additional materials and participate in the drawing of one of the 5 copies of the book by following the link .

You can buy a book on the publisher site .