Splunk Lab Manual

Lab #1 Start Splunk Enterprise and Launch Splunk Web

1. Launch Splunk Web

Please enter the following url: http://www.uxcreate.com/guacamole

2. Login Screen

Lab 2 Navigating Splunk Web

AboutSplunkHome

Splunk Home is your interactive portal to the data and apps accessible from this Splunk instance. The main parts of Home include the Splunk Enterprise navigation bar, the Apps menu, the Explore Splunk Enterprise panel, and a custom default dashboard (not shown here).

Apps

The Apps panel lists the apps that are installed on your Splunk instance that you have permission to view. Select the app from the list to open it.

For an out-of-the-box Splunk Enterprise installation, you see one App in the workspace: Search & Reporting. When you have more than one app, you can drag and drop the apps within the workspace to rearrange them.

You can do two actions on this panel:

• Click the gear icon to view and manage the apps that are installed in your

Splunk instance.

• Click the plus icon to browse for more apps to install.

Explore Splunk Enterprise

The options in the Explore Splunk Enterprise panel help you to get started using Splunk Enterprise. Click on the icons to open the Add Data view, browse for new apps,

open the Splunk Enterprise Documentation, or open Splunk Answers.

About the Splunk bar

Use the Splunk bar to navigate your Splunk instance. It appears on every page in Splunk Enterprise. You can use it to switch between apps, manage and edit your Splunk configuration, view system-level messages, and monitor the progress of search jobs.

The following screenshot shows the Splunk bar in Splunk Home.

The Splunk bar in another view, such as theSearch & Reporti ng app's Search view, also includes an App menu next to the Splunk logo.

Return to Splunk Home

Click the Splunk logo on the navigation bar to return to Splunk Home from any other view in Splunk Web.

Settings menu

The Settings menu lists the configuration pages for Knowledge objects, Distributed environment settings, System and licensing, Data, and Authentication settings. If you do not see some of these options, you do not have the permissions to view or edit them.

User menu

The User menu here is called "Administrator" because that is the default user name for a new installation. You can change this display name by selectingEdit account and changing the Full name . You can also edit the time zone settings, select a default app for this account, and change the account's password. The User menu is also where you Logout of this Splunk installation.

Messages menu

All system-level error messages are listed here. When there is a new message to review, a notification displays as a count next to theMessages menu. Click the X to remove the message.

Activity menu

The Activity menu lists shortcuts to the Jobs, Triggered alerts, and System Activity views.

• Click Jobs to open the search jobs manager window, where you can view and

manage currently running searches.

• Click Triggered Alerts to view scheduled alerts that are triggered. This

tutorial does not discuss saving and scheduling alerts. See "About alerts" in the Alertin g Manual.

• Click System Activity to see Dashboards about user activity and status of the

system.

Help

Click Help to see links to Video Tutorials, Splunk Answers, the Splunk Support

Portal, and online Documentation.

Find

Use Find to search for objects within your Splunk Enterprise instance. Find performs non-case sensitive matches on the ID, labels, and descriptions in saved objects. For example, if you type in "error", it returns the saved objects that contain the term "error".

These saved objects includeReports , Dashboards , Alerts, and Data mo dels . The results appear in the list separated by the categories where they exist.

You can also run a search forerror in the Search & Reporti ng app by clicking Open error in s earch .

Lab 4 Searching the tutorial data

Start searching

In this section, you start searching that tutorial data. This topic discusses searches that retrieve events from the index.

Before you can start this section, you need to first download and add the tutorial data.

What to search

1._{ClickSearch in the App navigation bar.}

2._{In the}Search landing page, Look at theWhat to search panel.

3._{ClickData Summ ary.}

Review the tutorial data, which represents a fictitious online game store, called Buttercup Games. The data summary tells you where the data comes from and what type of data it is. There are five hosts, eight sources, and three source

types. The three source types are Apache web access logs

(access_combined_wcookie), Linux secure formatted logs (secure), and the vendor sales log (vendor_sales).

Most of this tutorial covers searching the Apache web access logs and correlating it with the vendor sales logs.

Search assistant

You have data for an online store that sells a variety of games. Try to find out how many errors have occurred on the site.

1.Open Splunk Search, and typebuttercupgames into the search bar.

As you type, theSearch Assistant opens. There are two parts to search assistant: the matching search history and search help.

Search assistant suggests completions for your search based on terms it matches in your event data. These search completions are listed under

Matching terms orMatching searches . It does not list terms or phrases that do

not exist in your event data. Search assistant also displays the number of matches for the search term. This number gives you an idea of how many search results Splunk will return. Here,buttercupgames appears in 36,819 events.

Here, search assistant also provides Steps to help you learnHow to Search. Step 1 explains searches to retrieve events with examples for searching with terms, quoted phrases, boolean operators, wildcards, and field values. Step 2 introduces how to use search commands.

Search assistant has more uses after you start learning the search language. When you type in search commands, search assistant displays the command syntax and usage.

If you do not want search assistant to open automatically, click Auto Opento toggle it off. You can click the down arrow below the search bar to open it back up again.

Retrieve events from the index

1.Type in keywords to find errors or failures and use Boolean operators: AND, OR, NOT.

but t er cupgames ( er r or OR f ai l * OR sever e)

Boolean operators need to be capitalized. The AND directive is implied between terms, so you do not need to write it. You can use parentheses to group terms. When evaluating boolean expressions, precedence is given to terms inside parentheses. OR clauses are evaluated before AND or NOT clauses. The asterisk wildcard is used to match terms that start with "fail". These terms can include: failure, failed, and so on.

This search retrieves 427 matching events.

The search command

Each time you type keywords and phrases, you implicitly use thesear ch

command to retrieve events from a Splunk index. The search command lets you use keywords, quoted phrases, field values, boolean expressions, and

comparison expressions to specify which events you want to retrieve. You can also explicitly invoke the search command later in the pipeline to filter search results. Read "Use the search command" in theSearchmanual.

Use fields to search

You can not take full advantage of the more advanced search features in Splunk Enterprise without understanding what fields are and how to use them.

About fields

When you look at the Data Summary in the search view, you see tabs for the Hosts, Sources, and Source Types that described the type of data you added to your Splunk index.

These are also default fields (host,sour ce,sour cet ype) that Splunk Enterprise extracts from the data during indexing. They help to specify exactly which events you want to retrieve from the index.

What are fields?

Fields exist in machine data in many forms. Often, a field is a value (with a fixed, delimited position on the line) or a name and value pair, where there is a single value to each field name. A field can be multivalued, that is, it can appear more than once in an event and has a different value for each appearance.

Some examples of fields arecl i enti p for IP addresses accessing your Web server, _t i me for the timestamp of an event, andhost for domain name of a server. One of the more common examples of multivalue fields is email address

fields. While theFromfield will contain only a single email address, the ToandCc

fields have one or more email addresses associated with them.

In Splunk Enterprise, fields are searchable name and value pairings that distinguish one event from another because not all events will have the same fields and field values. Fields let you write more tailored searches to retrieve the specific events that you want.

Extracted fields

Splunk extracts fields from event data at index-time and at search-time.

Default and other indexed fields are extracted for each event that is processed when that data is indexed. Default fields includehost,sour ce, andsour cet ype..

Splunk Enterprise extracts different sets of fields, when you run a search..

You can also use thefield extractor to create custom fields dynamically on your local Splunk instance. The field extractor lets you define any pattern for

recognizing one or more fields in your events.

Find and sele ct fi elds

1._{Go to the Search dashboard and type the following into the search bar:}

sour cet ype=" access_ * "

Search for fields use the syntax: f i el dname=" f i el dval ue" . Field names are case sensitive, but field values are not. You can use wildcards in field values. Quotes are required when the field values include spaces.

This search indicates that you want to retrieve only events from your web access logs and nothing else.

This search uses the wildcard access_* to match any Apache web accesssour cet ype, which can be access_common, access_combined, or access_combined_wcookie.

2._{In theEvents tab, scroll through the list of events.}

If you are familiar with the access_combined format of Apache logs, you recognize some of the information in each event, such as:

• IP addresses for the users accessing the website.

• URIs and URLs for the pages requested and referring pages. • HTTP status codes for each page request.

These are events for the Buttercup Games online store, so you might recognize other information and keywords, such as Arcade, Simulation, productId, categoryId, purchase, addtocart, and so on.

To the left of the events list is the Fields sidebar. As Splunk Enterprise retrieves the events that match your search, the Fields sidebar updates withSelected

fields andInte resting fields. These are the fields that Splunk Enterprise

extracted from your data.

Selected Fields are the fields that appear in your search results. The default fields host, source, and sourcetype are selected. These fields appear in all the events.

You can hide and show the fields sidebar by clickingHide Fie lds andShow

Fields, respectively.

3._{Click All Fi elds.}

TheSelect Fields dialog box opens, where you can select the fields to show in

You see more default fields, which includes fields based on each event's t i mest amp (everything beginning with dat e_* ), punctuation (punct ), and location (i ndex).

Other field names apply to the web access logs. For example, there are cl i ent i p, met hod, and status . These are not default fields. They are extracted at search time.

Other extracted fields are related to the Buttercup Games online store. For example, there are act i on, cat egor yI d, and pr oduct I d.

4._{Select act i on, cat egor yI d, and pr oduct I d and close the Select Fields}

window.

The three fields appear underSelected Fields in the sidebar. The selected fields appear under the events in your search results if they exist in that particular event. Every event might not have the same fields.

The fields sidebar displays the number of values that exist for each field. These are the values that Splunk Enterprise indentifies from the results of your search.

5._{UnderSelected Fields, click the act i on field.}

This opens the field summary for the action field.

In this set of search results, Splunk Enterprise found five values foracti on, and that theact i onfield appears in 49.9% of your search results.

6._{Close this window and look at the other two fields you selected,cat egor yI d}

(what types of products the shop sells) andpr oduct I d(specific catalog number for products).

7._{Scroll through the events list.}

If you click on the arrow next to an event, it opens up the list of all fields in that event.

Use this panel to view all the fields in a particular event and select or deselect individual fields for an individual event.

Run more targeted searches

The following are search examples using fields.

Example1: Search for successful purchases from the Buttercup Games store.

sour cet ype=access _* s t at us=200 act i on=pur chase

This search uses the HTTP status field,status, to specify successful requests and theact i onfield to search only for purchase events.

You can search for failed purchases in a similar manner using

st at us! =200, which looks for all events where the HTTP status code is not equal to 200.

sour cet ype=access _* st at us! =200 act i on=pur chase

Example 2: Search for general errors.

( er r or OR f ai l * OR sever e) OR ( st at us=404 OR st at us=500 OR st at us=503) This doesn't specify a source type. The search retrieves events in both the secure and web access logs.

Example 3: Search for how many simulation games were bought yesterday.

Select the Preset time range, Yesterday, from the time range picker and run: sour cet ype=access _* st at us=200 act i on=pur chase cat egor yI d=si mul at i on

The count of events returned are the number of simulation games purchased. To find the number purchases for each type of product sold at the shop, run this search for each unique categoryId. For the number of purchases made each day of the previous week, run the search again for each time range.

Use the search language

The searches you have run to this point have retrieved events from your Splunk index. You were limited to asking questions that could only be answered by the number of events returned.

For example, in the last topic, you ran this search to see how many simulation games were purchased:

sour cet ype=access_ * st at us=200 act i on=pur chase cat egor yI d=si mul at i on

To find this number for the days of the previous week, you have to run it against the data for each day of that week. To see which products are more popular than the other, you have to run the search for each of the eightcat egor yI dvalues and compare the results.

Learn with search assistant

This section explains in more detail one of the ways you can use the search assistant to learn about the Splunk search processing language and construct searches.

1._{Return to the search dashboard and restrict your search to Yesterday:}

sour cet ype=access _* s t at us=200 act i on=pur chase

As you type in the search bar, search assistant opens with syntax and usage information for the search command (on the right side). If search assistant doesn't open, click the down arrow under the left side of the search bar.

You've seen before that search assistant displays type ahead for keywords that you type into the search bar. It also explains briefly how to search.

2._{Type a pipe character, " | ", into the search bar.}

The pipe indicates to Splunk that you're about to use a command, and that you want to use the results of the search to the left of the pipe as the input to this command. You can pass the results of one command into another command in a series, or pipeline, of search commands.

You want Splunk to give you the most popular items bought at the online store.

3._{Undercommon next commands , clickto p.}

Splunk Enterprise appends thet opcommand to your search string.

According to search assistant's description and usage examples, theto p

command "displays the most common values of a field."

4._{Type thecat egoryI dfield into the search bar to complete your search.}

sour cet ype=access_ * st at us=200 act i on=pur chase | t op cat egor yI d 5._{Run the search.}

The count of events under the search bar indicates the number of events retrieved that match the search for sour cet ype=access _* s t at us=200 act i on=pur chase. The results of the top command appear in theStatistics

View reports in the Statistics tab

The results of a search are reports. The t op command is atransforming

command and returns a tabulated report for the most common values of

cat egor yI d. You can view the results of transforming searches in the

Statistics tab.

In this search for successful (st at us=200) purchases (act i on=pur chase), Splunk Enterprise found seven different category IDs. This report lists the category ID values in order from highest to lowest.

The top command also returns two new fields:countis the number of times each value of the field occurs, andper cent is how large that count is compared to the total count.

ViewandformatreportsintheVisualizationtab

You can also view the results of transforming searches in theVisualizations tab where you can format the chart type. For example, a search using thet op

command can be illustrated with a pie chart.

1._{Click theVisualization tab.}

By default, theVisualizations tab opens with a Column Chart.

2._{ClickColumn to open the visualization type selector.}

Column,Bar , andPiecharts are recommended for this data set.

3._SelectPie.

You can turn on drill down to delve deeper into the details of the information presented to you in the tables and charts that result from your search.

4._{Mouse over each slice of the pie to see the count and percentage values for}

each categoryId.

5._{Click on a slice, such as "Strategy".}

Splunk Enterprise appendscat egoryI d=st r at egyto your srcinal search for successful purchases and runs this new search.

Lab 5 Subsearchs

Use a subsearch

This topic walks you through examples of correlating events with subsearches.

A subsearch is a search with a search pipeline as an argument. Subsearches are contained in square brackets and evaluated first. The result of the subsearch is then used as an argument to the primary, or outer, search.

Example 1: Without a subsearch

Let's try to find the single most frequent shopper on the Buttercup Games online store and what this customer has purchased.

To do this, search for the customer who accessed the online shop the most.

1. Use thet opcommand:

sour cet ype=access_* st at us=200 act i on=pur chase | t op l i mi t =1 cl i ent i p

Limit thet opcommand to return only one result for thecl i enti p.

This search returns onecl i ent i pvalue, which we'll use to identify our VIP customer.

2. Use thestats command to count this VIP customer's purchases:

sour cet ype=access_ * st at us=200 act i on=pur chase cl i ent i p=87. 194. 216. 51 | st at s co unt , dc(pro ductI d) by c l i ent i p

This search used thecount() function which only returns the total count of

purchases for the customer. The dc() function is used to count how many different products he buys.

The drawback to this approach is that you have to run two searches each time you want to build this table. The top purchaser is not likely to be the same person at any given time range.

Example2:Withasubsearch

1.Type or copy/paste the following into the search bar.

sour cet ype=access_ * s t at us=200 act i on=pur chase [ sear ch

sour cet ype=access_* st at us=200 act i on=pur chase | t op l i mi t =1 cl i ent i p | t abl e cl i ent i p] | st at s co unt , dc(p r oductI d) , val ues( pr oductI d) by cl i enti p

Here, the subsearch is the segment that is enclosed in square brackets, [ ]. This

l i mi t =1 cl i ent i p | t abl e cl i ent i p is the same as Example 1 Step 1, except

for the last piped command,| t abl e cl i ent i p

Because thet opcommand returnscountandper cent fields as well, thet abl e

command is used to keep only thecl i enti pvalue.

These results should match the previous result, if you run it on the same time range. But, if you change the time range, you might see different results because the top purchasing customer will be different.

2.Rename the columns to make the information more understandable.

sour cet ype=access_ * st at us=200 act i on=pur chase [ sear ch sour cet ype=access_ * st at us=200 act i on=pur chase | t op l i mi t =1 cl i ent i p | t abl e cl i ent i p] | sta t s count AS "To t al Pur chased", dc( pr oduct I d) AS "T ot al Pr oduct s" ,

val ues( pr oduct I d) AS "Pr oduct s I D" by cl i ent i p | r ename cl i ent i p AS "VI P Cust omer "

Lab 3 Add the sample data into Splunk Enterprise

Log into Splunk.

If you are not in Splunk Home, click the Splunk logo on the

Splunk bar to go to Splunk Home.

Get file

tutorialdata.zip

tutorialdata.zip

Under Explore Splunk Enterprise, click Add data.

The Add Data view opens. The Add Data displays three options for

adding data, lists of common data types, and add-ons you can use

to extend Splunk

Enterprise's capabilities to add data.

Under "How do you want to add data?", click Upload.

2.

Under Select Source

Select Source, click Select File

Select File to browse for the tutorial

data or Drop

Drop the data file into the outlined box.

Because the tutorial data file is an archived data file, the next

step in the Add Data workflow changes from Set Sourcetype

Set Sourcetype

to Input Settings

Input Settings.

3.

_{Click Next}

_{Next to continue to Input Settings}

_{Input Settings.}

Under Input Settings

Input Settings, you can override the default settings for

Host, Source type, and Index.

4.

Modify the host settings to assign host names using a portion of

the path name:

4.1.

_{Select Segment in path}

Segment in path from the menu.

4.2.

_{Type in 1}

_{1 for the segment number.}

5.

Click Review

Review to review your input settings.

6.

_{Click Submit}

_Submit

7.

.( PLEASE DO NOT SUBMIT BECAUSE INSTRUCTOR ALREADY

.( PLEASE DO NOT SUBMIT BECAUSE INSTRUCTOR ALREADY

SUBMITTED FOR ENTIRE CLASS)

SUBMITTED FOR ENTIRE CLASS)

8.

_{To confirm that the data added successfully, click Start}

_Start

Searching

Searching. This opens the Search view and runs a search for the

tutorial data source.

Lab 6 Field Lookup

This topic takes you through using field lookups to add new fields to your events. Field lookups let you reference fields in an external CSV file that match fields in your event data. Using this match, you can enrich your event data by adding more meaningful information and searchable fields to each event.

Uncompress the following file:

• Prices.csv.zip

Find the Lookups manager

1._{In the Splunk bar, on the upper right, clickSettings.}

This opens the Lookups editor where you can create new lookups or edit existing ones.

Uploa d the looku p table file

1.In the Lookups manager under "Actions" forLookup t able files, click Add

new.

This takes you to the Add new' lookup table files view where you upload CSV files to use in your definitions for field lookups.

2._{To save your lookup table file in the Search app, leave the Destination app as}

search.

3._{UnderUpload a lookup f ile, browse for the CSV file (prices.csv) to upload.}

4._{UnderDestination filename, name the file prices.csv.}

This is the name you use to refer to the file in a lookup definition.

5._ClickSave.

This uploads your lookup file to the Search app and returns to the lookup table files list.

Note:If Splunk does not recognize or cannot upload the file, check that it was uncompressed before you attempt to upload it again.

Share the lo okup table file globally

If the lookup file is not shared, you can not select it when you define the lookup.

1._{Go to theLookup table files list.}

2._{UnderSharing for the prices.csv lookup table'sPath, clickPermissions .}

This opens thePermission dialog box for theprices.csv lookup file.

3._{UnderObject sh ould appear in , select All ap ps.}

4._ClickSave.

Now, the lookup table should be shared withGlobal permissions.

Addthefieldlookupdefinition

1._{Return to the Lookups manager.}

2._{Under Act io nsforLookup definitions , click Add New.}

This takes you to the Add n ewlookups definitions view where you define your

3._{Leave theDestination appassearch.}

4._{Nameyour lookupprices_lookup .}

5._{UnderType, selectFile-based.}

File-based lookups add fields from a static table, usually a CSV file.

6._{UnderLookup file , select prices.csv (the name of your lookup table).}

7._{LeaveConfigure time-ba sed lookup and Ad vanced op ti onsunselected.}

8._ClickSave.

This defines prices_lookup as a file-based lookup.

Sharethelookupdefinitionwithallapps

1._{Return to theLookup definitions list.}

2._{UnderSharing forprices_lookup , clickPermissions .}

ThePermission dialog box for theprices.lookup opens.

4._ClickSave.

Now, prices_lookup should be shared withGlobal permissions.

Make the lookup automatic

1._{In the Lookups manager, under Actions for Auto matic lo ok up s, click Add}

New.

This takes you to the Add Newautomatic lookups view where you configure the lookup to run automatically.

2._{Leave theDestination appassearch.}

3._{Nameyour automatic lookupprice_lookup .}

5._{Under Appl y toandnamed, selectsourcetype and type in}

access_combined_wcookie.

6._{UnderLookup input fields type inpr oduct I din both text areas under}

Lookup input fields .

Splunk Enterprise matches the field in the lookup table (which is the one specified on the left) with the field on the right (which is the field in your events).

In this case the field names match.

7._{UnderLookup output fields , type in the name of the fields that you want to}

add to your event data based on the input field matching and rename the fields.

7.1In the first text area, typepr oduct _name, which contains the descriptive name

for eachpr oduct I d.

7.2._{In the second text area, after the equal sign, typepr oduct Name. This}

renames the field topr oduct Name.

7.3._{Click Add another fi eldto add more fields after the first one.}

7.4. _{Add the fieldpri ce, which contains the price for eachpr oduct I d. Do not}

rename this field.

8._{LeaveOverwri te field values unchecked.}

9._ClickSave.

This returns you to the list of automatic lookups and you should see your configured lookup.

Show the ne w fields in your s earch r esults

1._{Return toSearch.}

2._{Run the search for web access activity.}

sour cet ype=access_ *

3.Scroll through the list ofIntere stin g Fields in the fields sidebar, and find the

pr i cefield.

4._{Clickprice to open its field summary dialog box.}

5._{Next toSelected, clickYes.}

6._{Close the dialog box.}

Theprice field appears underSelected Fields in the fields sidebar.

6.Repeat Steps 3 to 5 for theproductName field.

Searchwiththenewlookupfields

1.Copy and paste or type in the previous subsearch example to see what the

VIP customer bought. This time, replace thepr oduct I dfield withpr oduct Name.

sour cet ype=access_ * s t at us=200 act i on=pur chase [ sear ch

t abl e cl i ent i p] | st at s co unt AS "To t al Pur chased", dc( pr oduct I d) AS " Tot al Prod uct s" , val ues( pr oduct Name) AS "Pr oduct Names" by cl i ent i p | r ename cl i ent i p AS "VI P Cust omer "

The result is the same as in the previous subsearch example, except that the VIP customer's purchases are more meaningful with the added descriptive product names.

Lab 7 Saving and sharing Reports

This lab takes you through saving searches and more search examples.

Saveasareport

1._{Select the time rangeYesterday and run the following search} 2.

sour cet ype=access_ * s t at us=200 act i on=pur chase [ sear ch

sour cet ype=access_* st at us=200 act i on=pur chase | t op l i mi t =1 cl i ent i p | t abl e cl i ent i p] | st at s co unt AS "To t al Pur chased", dc( pr oduct I d) AS " Tot al Prod uct s" , val ues( pr oduct Name) AS " Prod uct Names" by cl i ent i p | r ename cl i ent i p AS "VI P Cust omer "

3._{ClickSave as above the search bar and selectReport.}

This opens theSave as Report dialog.

5._{(Optional) Enter a DescriptionButtercup Game s mos t frequent shopper .}

6.Because the report is a table, for Visualization, clickNone.

7._{To include a Time Range Picker, clickYes.}

8._ClickSave.

TheYour report has been create d dialog box opens.

There are other options in this window.

•Continue Editing lets you refine the search and report format.

• Ad d t o d ashb oardlets you add the report to a new or existing dashboard.

•Viewlets you view the report.

9._ClickView.

View and edit saved reports

You can view and edit the saved report from its report view.

You can open the report in the search view and edit the saved search's description, permissions, schedule, and acceleration. You can also clone, embed, and delete the report from this menu.

2._{ClickMore Info.}

You can view and edit different properties of the report, including its schedule, acceleration, permissions, and embedding.

3._{Look at the time range picker, located to the top left.}

You saved this report with a time range picker. The time range picker lets you change the time period to run this search. For example, you can use this time range picker to run this search for the VIP CustomerWeek to date,Last 60

minutes,Last 24 hours just by selecting the Preset time range or defining a

custom time range.

Find and share saved reports

You can access your saved reports using the app navigation bar.

1.ClickReports to open the Reports listing page.

When you save a new report, itsPermission s are set toPrivate. This means that only you can view and edit the report. You can allow other apps to view, or

edit, or view and edit the reports by changing its Permissions.

1._{Under Acti on sfor theVIP Custom erreport, clickEdit and selectEdit}

Permissions .

This opens theEdit Pe rmiss ions dialog box.

2._{In theEdit Pe rmiss ions dialog box, setDisplay For to Appand check the}

box underReadforEveryone.

This action gives everyone who has access to this app the permission to view it.

3._ClickSave.

Back at the Reports listing page, you see that the Sharing for VIP Customer now reads App.

About report acceleration

If your search has a large number of events and is slow to finish, you might be able to accelerate the resulting report so it finishes faster when you run it again. This option is available when the report produced by your search qualifies for

acceleration. The "VIP Customer" report does not qualify for acceleration, because it is based on a transforming search.

Lab 8 More Searches and Reports

Example1:Comparecountsofuseractions

In this example, calculate the number of views, purchases, and adds to cart for each type of product.

This report requires thepr oduct Namefield from thefields lookup example . If

you did not add the lookup, refer to that example and follow the procedure.

1._{Run this search:}

sour cet ype=access_ * s t at us=200 | char t count AS vi ews count ( eval ( act i on="addt ocar t ") ) AS addt ocar t

count ( eval ( act i on=" pur chase" ) ) AS pur chases by pr oduct Name | r ename pr oduct Name AS " Pr oduct Name", vi ews AS " Vi ews" , addt ocar t AS " Adds t o Cart " , pur chases AS "Pu r chases"

This search uses the chart command to count the number of events that are

act i on=pur chaseandact i on=addt ocar t.

2._{Use theVisualization view options to format the results as a column chart.}

Example 2: Overlay Actions and Conversion Rates on one chart

1._{Run this search:}

sour cet ype=access_ * st at us=200 | st at s count AS vi ews count ( eval ( act i on="addt ocar t ") ) AS addt ocar t

count ( eval ( act i on=" pur chase" ) ) AS pur chases by pr oduct Name | eval vi ewsToPur chase=( pur chases/ vi ews) *100 | eval

car t ToPur chase=( pur chases/ addt ocar t ) *100 | t abl e pr oduct Name vi ews addt ocar t pur chases vi ewsToPur chase car t ToPur chase | r ename pr oduct Name AS "Pr oduct Name" vi ews AS " Vi ews" , addt ocar t as " Adds To Car t " , pur chases AS " Pur chases"

Instead of the chart command, this search uses the stats command to count the user actions. Then, it uses the eval command to define two new fields which

calculate conversion rates for "Product Views to Purchases" and "Adds to cart to Purchases".

Steps 2 to 6 reformat the visualization to overlay the Conversion series onto the Actions series.

2._{ClickVisualization.}

This is the same chart as in Example 1, with two additional series, "viewsToPurchase" and "cartToPurchase".

3._{ClickFormat andX-Axis.} 4.

4.1_{Rotate the label-45degrees and do not truncate the label.}

4.2_{Click Appl y.}

5._{ClickFormat andY-Axis.}

5.1_{ForTitle, chooseCustom and type in "Actions".}

5.2_{Set theMax Valueto 2500 and theInterval to 500.}

5.3_{Click Appl y.}

6.1_{Type in or select the fields, "viewsToPurchase" and "cartToPurchase".}

6.2_{ForView as Axis, clickOn.}

6.3_{ForTitle, chooseCustom and type inConversion Rates.}

6.4_{ForScale, chooseLinear .}

6.5_{Set theMax Valueto 100 and theInterval to 20.}

6.6_{Click Appl y.}

7._{ClickSave Asand selectReport.}

7.1_{In theSave Repor t As dialog box, enter a Title, "Comparison of Actions and}

Conversion Rates by Product".

7.2_{(Optional) Enter a Description, "The number of times a product is viewed,}

added to cart, and purchased and the rates of purchases from these actions."

Example 3: Products purchased over time

For this report, chart the number of purchases that were completed for each item.

This report requires thepr oduct Namefield from thefields lookup example. If you

didn't add the lookup, refer to that example and follow the procedure.

1._{Search for:}

sour cet ype=access_ * | t i mechar t count ( eval ( act i on=" pur chase" ) ) by pr oduct Name usenul l =" f " useot her =" f "

Use thecount() function to count the number of events that have the field

act i on=pur chase. Use theusenul l anduseot herarguments to make sure the

chart counts events that have a value forpr oduct Name.

This produces the following statistics table.

2._{Click theVisualization tab andFormat theX-Axis,Y-Axis, andLegend to}

produce the following line chart.

3.1_{In theSave Repor t As dialog box, enter a Title, "Product Purchases over}

Time".

3.2_{(Optional) Enter a Description, "The number of purchases for each product."}

4._{ClickSaveandViewthe report.}

Example4:Purchasingtrends

This example uses sparklines to trend the count of purchases made over time.

Forstats andchart searches, you can add sparklines to their results tables. Sparklines are inline charts that appear within the search results table and are designed to display time-based trends associated with the primary key of each row.

See "Add sparklines to your search results" in theSearch Manual_.

This example requires thepr oduct Namefield from thefields lookup example. If

you did not add the lookup, refer to that example and follow the procedure.

1.Run the following search:

sour cet ype=access_ * st at us=200 act i on=pur chase| char t spar kl i ne( count ) AS " Pur chases Tr end" count AS Tot al by cat egor yI d | r ename cat egor yI d AS " Cat egor y"

This search uses thechar t command to count the number of purchases,

act i on=" pur chase", made for each product,pr oduct Name. The difference is that the

count of purchases is now an argument of thespar kl i ne( ) function.

4._{In theSave Repor t As dialog box, enter a Title, "Purchasing trends".}

5._{(Optional) Enter a Description, "Count of purchases with trending."}

6._{ClickSaveandViewthe report.}

Lab 9 Dashboards

Dashboards are views that are made up of panels that can contain modules such as search boxes, fields, charts, tables, and lists. Dashboard panels are usually hooked up to saved searches.

After you create a visualization or report, you can add it to a new or existing dashboard using the Save as repor t dialog box. You can also use the

Dashboard Editor to create dashboards and edit existing dashboards. Using the Dashboard editor is useful when you have a set of saved reports that you want to quickly add to a dashboard.

Change dashboard permissions

You can specify access to a dashboard from the Dashboard Editor. However, your user role (and capabilities defined for that role) might limit the type of access you can define.

If your Splunk user role is admin (with the default set of capabilities), then you can create dashboards that are private, visible in a specific app, or visible in all apps. You can also provide access to other Splunk user roles, such as user, admin, and other roles with specific capabilities.

Change dashboard panel visualizations

After you create a panel with the Dashboard Editor, use the Visualization Editor to change the visualization type in the panel, and to determine how that

visualization displays and behaves. The Visualization Editor lets you choose from visualization types that have their data structure requirements matched by the search that has been specified for the panel.

Edit theXMLconfiguration of a dashboard

Although you are not required to use XML to build dashboards, you can edit a dashboard's panels by editing the XML configuration for the dashboard. This provides editing access to features not available from the Dashboard Editor. For example, edit the XML configuration to change the name of dashboard or specify a custom number of rows in a table.

Create dashboards and dashboard panels

This topic walks you through saving a search as a dashboard panel and adding an input element to the dashboard.

Save a search as a dashboard panel

1._{Run the following search:}

sour cet ype=access_ * st at us=200 act i on=pur chase | t op cat egor yI d

2._{Click the Visualization tab and select the Pie chart type.}

3._{In the Search view, click Save as and select Dashb oard Panel .}

The Save as Dashboard Panel dialog box opens.

4.1._{For Dashboard, click New.}

4.2._{Enter the Dashboard Title , "Buttercup Games Purchases", The Dashboard}

ID updates with "Buttercup_games_purchases".

4.3._{(Optional) Add a Dashboard Descrip tion , "Reports on Buttercup Games}

purchases data".

4.4._{Type in the Panel Title , "Top Purchases by Category"}

4.5._{Leave the Panel Powered B y as Inline search .}

5._{Click Save.}

6._{Click View Da shb oard .}

This creates a dashboard with one report panel. To add more report panels, you can run new searches and save them to this dashboard, or you can add saved reports.

View and edit dashboard panels

1._{Click Dashboards in the app navigation bar.}

You can Create a new dashbo ard and edit existing dashboards. You see the

Buttercup Games Purchases dashboard that you created.

2._{Under the i column, click the arrow next to Buttercup Games Purchases to}

see more information about the dashboard: What app context it is in, whether or not it is scheduled, and its permissions.

You can use the quick links that are inline with the information to edit the dashboard's Schedule and Permissions.

Add an input to the dashboard

1._{In the Dashboards list, click Buttercup Games Purchases to return to that}

dashboard.

2._{Click Edit and select Edit Panels .}

The Edit: Butt ercup Games Purchase s view opens.

In this view, you have edit buttons: Add In pu t, Add Pan el, and Edit Source .

This adds a time range picker input to the dashboard editor.

4._{Click the Edit Input icon for the time range picker. It looks like a pencil.}

This opens a set of input controls. The Time input type should be preselected.

5._{Change the Token value to Buttercup_Games_Time_Range and click}

Apply.

This optional step redefines the name of the input token for the time range picker. Because the default names of input tokens are not very descriptive (field1, field2,

field3, and so on), you may want to do this when you give your dashboard multiple inputs. It makes it easier to understand which input you are working with.

You can also optionally change the default time range for the picker by changing the value of Default . Right now it defaults to Al l t im e.

In the next two steps you connect your dashboard panel to this time range picker.

6._{In the new dashboard panel, click the Inline Sea rch icon and select}

Edit Search String .

The Edit Sea rch dialog opens.

7._{Click Time Range Scope and select Shared Time Picker}

(Buttercup_Games_Time_Range) .

The panel is now hooked up to the shared time range picker input. The inline search that powers the panel now uses the time range selected for the shared time range picker.

As you add panels to this dashboard, repeat steps 6 through 8 to hook the new panels up to the shared time range picker input.

You can have dashboards that offer a mix of panels that work with the shared time range picker and panels that show data for fixed time ranges.

9._{Click Done to save your changes to the dashboard.}

Add more panels to the dashboard

In the previous section, you ran searches and saved them as reports. In this topic, you add the saved reports to an existing dashboard.

Add saved reports to the dashboard

1._{Return to the Buttercup Games Purchases dashboard.}

3._{In the Buttercup Games Purchases dashboard editor, click Add Panel .} 4.

The Add Panel sidebar menu slides open.

5._{To add a new panel from a report, click New fro m Report .}

This opens the list of saved reports.

6._{Select Purchasing Trends .}

This opens a preview of the saved Report.

The new panel is placed in the dashboard editor. You can click anywhere to close the Add Pan el sidebar menu or choose another report to add to the dashboard.

Note: If you want the new panels to work with the shared time range picker input,

repeat steps 6 through 8 from the " Add an input to the dashboard" procedure to

connect them to that input.

8._{Select the report Compa rison of Action s and Conversion Rates by}

Product and add it to the dashboard.

9._{Close the Add Panel sidebar and rearrange the panels on the dashboard.}

While in the dashboard editor, you can drag and drop a panel to rearrange it on the dashboard.

10. _{Click Done .}

Moredashboardactions

After you complete the dashboard, you can Expor t to PDF and Print the dashboards using the buttons to the upper right. You can also share the dashboard with other users by changing its permissions.

Lab 10 Create a new data model

This topic shows you how to create new data models based on the tutorial data. Data models are created within Pivot and you need to have admin or power role to create a data model.

Enable roles to create a data model

By default only users with the admin or power role can create data models. For other users, the ability to create a data model is tied to whether their roles have "write" access to an app. Since this is a first time install, you have admin privileges by default and should be able to continue.

If you are not able to create or edit a data model, you may need to check your permissions. For more information, read "About data model permissions" in the Knowledge Manager Manual.

Navigate to the Data Models management pag

2._{Under Knowledge , click Data Models .}

This takes you to theData Models management page. The Data Models

management page is a listing page of data models. If you have existing data models in this Splunk Enterprise instance, this page lists them. Use this page to manage the permissions, acceleration, cloning, and removal of existing data models. You can also use this page to upload a data model or create new data models, using the Upload Data Model and New Data Model buttons on the top right.

Create a new data model

1._{In the Data Models management page, clickNew Data Model .}

This opens the New Data Model dialog box.

2._{Enter the Title , "Buttercup Games"}

The Title field accepts any character, as well as spaces. The value you enter here is what appears on the data model listing pages.

3._{(Optional) Enter the ID, "Tutorial"}

If you don't change the ID, it automatically reads "Buttercup_Games".

The ID must be a unique identifier for the data model. It cannot contain spaces or any characters that aren't alphanumeric, underscores, or hyphens (a-z, A-Z, 0-9,

_, or -). Spaces between characters are also not allowed. Once you define the data model ID, you can't change it.

4.Next to App, select "Search & Reporting" from the menu.

5._{(Optional) Enter the Description , "Enables data analysis and reporting for}

tutorial data."

6._{Click Create.}

This opens the Buttercup GamesEdit Objects page.

Use this page to create objects for the new data model, define their constraints and attributes, arrange the objects in logical hierarchies, and manage them.

Lab 11 Define a root object for the data model

In the last lab, you created the data model "Buttercup Games". This lab walks you through adding a root object for Buttercup Games purchases.

Edit data model objects

1. From the Data Models list, click Buttercup Games .

This opens the Buttercup Games object editor view.

Use the Edit Objects page to design a new data model or redesign an existing data model. On the Edit Objects page, you can create objects for your data model, define their constraints and attributes, arrange them in logical object hierarchies, and maintain them.

Add a ro ot object

Data models are typically composed of object hierarchies built on root event objects. Each root event object represents a set of data that is defined by a

constraint, which is a simple search that filters out events that are not relevant to the object.

Let's create an object to track purchase requests on the Buttercup Games website.

1._{To define the data model's first event base object, click Add Object .}

Your first root object can be either aRoot event or Root search .

2._{Select Root event .}

3._{Enter the Object Name:Purchase Requests}

The Object Name field can accept any character, as well as spaces. It's what you'll see on the Choose an Object page and other places where data model objects are listed.

4._{Enter the Object ID:Purchase_Requests}

This should automatically populate when you type in the Object Name. You can edit it if you want to change it.

The Object ID must be a unique identifier for the object. It cannot contain spaces or any characters that aren't alphanumeric, underscores, or hyphens (a-z, A-Z, 0-9, _, or -). Spaces between characters are also not allowed. Once you save the Object ID value, you can't edit it.

5._{Enter the following search Constraints:sour cet ype=access _*} act i on=pur chase

This defines the web access page requests that are purchase events.

After you provide Constraints for the event base object you can clickPreview_to

test whether the constraints you've supplied return the kinds of events you want.

The list of attributes for the root object include: host, source, sourcetype, and _time. If you want to add child objects to client and server errors, you need to edit the

attributes list to include additional attributes.

Lab 12 Designing a Pivot report

The Splunk Enterprise Pivot tool lets you quickly design reports with tables and data visualizations that present different aspects of a selected Data Model. Pivot lets you generate these reports with a UI interface instead of having to use the search processing language.

Pivot views

Pivot is part of theSearch & Reporti ng app.

1.

1._{On the Search & Reportin g app's navigation bar, clickPivot .}

Entering Pivot takes you to theSelect a Data Model page, where you should see a list of the data models if any have been created. For example, this list

includes the Buttercup Games data model that you created earlier in this tutorial. It also includes two sample data models that track Splunk Enterprise

i nt er nal andaudi tlogs.

If you view Pivot in smaller browser windows, the Search & Reporting app's navigation bar is hidden. To use the navigation bar, click the menu icon on the upper right. The navigation bar slides down.

2.

2._{Use the arrows under thei column to view information forButtercup Games .}

Clicking Edit objects takes you to the object editor for the Buttercup Games data model.

3.

3._{Click Buttercup Games .}

This takes you to theSelect a Data Object view. This view lists all the objects that have been created for this data model. The Buttercup Games data model consists of the Purchase Requests parent object and the Successful Purchases and Failed Purchases child objects.

4.

5.

5.Click Purchase Requests .

Selecting an object from theSelect a Data Object view takes you to theNew Pivot editor for that data model.

Components of Pivot

The following illustrates the Pivot editor components.

Visualiza tion types: The left-hand vertical bar contains icons that represent different visualization types. Selecting a different icon controls which Pivot builder and report interfaces display. Visualization types are: Statistics Table (default), Column Chart, Bar Chart, Scatter Chart, Bubble Chart, Area Chart, Line Chart, Pie Chart, Single Value Display, Radial Gauge, Marker Gauge, and Filler Gauge.

Document Actions: The upper horizontal bar displays document-related actions. These actions include:

dashboard panel (Dashbo ard Panel).

• Clear: Reset the interface to its initial state, which will dismiss the saved

report (if applicable), change the visualization type to Statistics Table, and populate the report with a single Column Value for the count of the object and a time filter for all time (if _time is an applicable field).

• Data model o bject: This is the right-most button. It takes its label from the

data model object that was selected. For example, in the screenshot it is "Purchase Requests". Use this menu to navigate back to the list of data models (Select another Data Model ), navigate back to the list of data model objects (Select another Object ), or edit the selected data model object (Edit Object ). Additionally, you can rebuild acceleration and inspect the acceleration job.

Job Actions: The Pause and Stop buttons control the progress of the Pivot job. Other actions include:Share, Export , Print , and Open in Search . Clicking Open in Sea rch opens the Search view and runs the current search string.

Create and save a Pivot

This topic shows you how to use pivot to create and save a simple report. This is a very simple example. More complicated examples are shown in later topics of this tutorial.

Create a new Pivot

When you set out to design a report, you first need to select a data model that represents the broad category of event data that you want to work with. For this tutorial, that data model is the "Buttercup Games".

1.

1._{From the app navigation bar, select Pivot to enter theSelect a Data Model}

page.

2.

2.In the data models list, clickButtercup Games .

This takes you to theSelect an Object page.

The Buttercup Games data model has a root object to track Purchase Requests from the game website. The Purchases object breaks down into Successful and Failed purchases.

3.

3._{Select "Purchase Requests".}

By default, the Pivot Editor interface displays elements to define a pivot table. There are four basic pivot element categories: Filters, Split Rows, Split Columns, and Column Values. When you first open the Pivot Editor for a specific object, only two elements will be defined:

• A time range Filter element (set to All time).

• A Column Values element (set to "Count of <object_name>".

This gives you the single value, which is the total count of events returned by the object over all time. In this case, this count is the "Count of Purchase Requests".

4.

4._{Select the Single Value Display element from the visualization bar.}

4.a

4.a_{Next to Under Label , type Purchase Requests .}

• _{By default, the time range filter element is set to All time.}

• Single value visualizations (single value, the three gauge types) use the

first column value element to get their single value. Here, the field is "Count of Purchase Requests".

• Single value visualizations do not use Split Row or Split Column elements.

Save the Pivo t as a repor t

After you define a pivot, you can save it as either a report or a dashboard panel. In this example, you save the single value display as a report. Dashboards and dashboard panels are discussed in a later chapter.

1.

The Save as Report dialog box opens.

2.

2._{Enter a Title "Total Purchase Requests" and Description (optional).}

3.

3._{Select Yes to include the time range picker. (This should be the default.)}

4.

4._{Click Save.}

After the report saves, a window displays that "Your report has been created". You can continue editing the current Pivot, add the pivot to a dashboard, change additional settings for the saved report, or view the report.

5.

View saved reports

A report that is created from Pivot will always be saved under the current app and owner namespace.

1.

1._{Click Reports in the app navigation bar to view the list of all saved reports.}

2.

2._{Use the arrow in thei column to view information aboutTotal Purchase}

Requests report.

3.

3.Click the report name to view the report.

Lab 13 Pivots and Visualizations

In the previous topic you used pivot to find the total number of purchase requests and saved the single value display as a report. In this topic, you will use the pivot visualization editor to create a pivot table of the Buttercup Games Successful Purchases object.

The Successful Purchases object has attributes for the products purchased from the Buttercup Games website. This includes the automatically extracted attributes (categoryId and productId) as well as the lookup attributes (price and product_name).

The Buttercup Games online store offers hundreds of products, of a variety of categories, and you want to know more about the items that were purchased over the past week. You can create a pivot report that breaks down the total number of purchase events by product name, and through that quickly see which of your products were the top sellers for that period.

Define a new Pivot

1._{From the app navigation bar, select Pivot to enter the "Select a Data Model"}

page.

2.Choose theButtercup Games data model and select theSuccessful

TheNew Pivot editor forSuccessful Purch asesopens.

Add pivot elements

You can add multiple elements from each pivot element category to define your pivot table. It's easy to add, define, and remove pivot elements in the process of determining what information your table should provide.

•To add a pivo t element: Click the + icon. This opens up the element

dialog, where you choose an attribute and then define how the element

uses that attribute.

•To inspect o r edit an element: Click the "pencil" icon on the element.

This opens the element dialog.

•To reorder and transfer pivot elements: Drag and drop an element

within its pivot element category to reorder it. Drag and drop elements between element categories to transfer them.

•To remove pivot eleme nts fr om the Pivot Editor: Open its element

dialog and click theRemove button, or drag the element up or down until it turns red and drop it.

UnderFilters, the time filter is always present when you build a pivot; you cannot remove it. It defines the time range for which the pivot returns results. It operates exactly like the time range menu that is in use throughout Splunk Web.

Change the time range filter

Currently your Pivot table shows a single value, the total count of Successful Purchases over Al l t im e.

Change thetime filter to view the Successful Purchases over a different time range:

2._{UnderPresets andRelative, click "Last 7 days".}

(If this shows no events, you can select "All time" and continue.)

Add a Split Row element

Add Pivot elements to see the Count of Successful Purchases for each product by name:

1._{UnderSplit Rows , click+and select}pr oduct Name, the lookup field that contains the name of each product, based on thepr oduct I d.

This opens a dialog box that lets you format the field.

Add a Column Value element

Add aColumn Value to see total earned for each product that was successfully purchased:

1._{UnderColumn Values , click+and select}pri ce.

2.In the dialog box, format the field:

2.a_{Enter the labelTotal Revenue.} 2.b_{Select the ValueSum.}

This creates a field calledTotal Revenue, which is the summation of the price for each successful purchase of the product. (You can add thepr i cevalues as another Split Row, if you want to see the cost of each individual product in this table.)

Save the Pivot table

Save the Pivot table as a report namedPurchase s b y Product .

1._{ClickSave as and selectReport.}

2._{In theSave as Repor t dialog box:}

2.a_{Enter theTitle "Purchases by Product".}

2.b_{(Optional) Add theDescription "Table of Product Purchases".}

2.c_{Include aTime Range Picker .}

3._ClickSave.

4.In theYour Report Has B een Cre ated dialog box, clickView.