
Mastering Splunk.
Title:
Mastering Splunk.
Author:
Miller, James.
ISBN:
9781782173847
Physical Description:
1 online resource (408 pages)
Contents:
Mastering Splunk -- Table of Contents -- Mastering Splunk -- Credits -- About the Author -- About the Reviewers -- www.PacktPub.com -- Support files, eBooks, discount offers, and more -- Why subscribe? -- Free access for Packt account holders -- Instant updates on new Packt books -- Preface -- What this book covers -- What you need for this book -- Who this book is for -- Conventions -- Reader feedback -- Customer support -- Downloading the color images of this book -- Errata -- Piracy -- Questions
1. The Application of Splunk -- The definition of Splunk -- Keeping it simple -- Universal file handling -- Confidentiality and security -- The evolution of Splunk -- The Splunk approach -- The correlation of information -- Conventional use cases -- Investigational searching -- Searching with pivot -- The event timeline -- Monitoring -- Alerting -- Reporting -- Visibility in the operational world -- Operational intelligence -- A technology-agnostic approach -- Decision support - analysis in real time -- ETL analytics and preconceptions -- The complements of Splunk -- ODBC -- Splunk - outside the box -- Customer Relationship Management -- Emerging technologies -- Knowledge discovery and data mining -- Disaster recovery -- Virus protection -- The enhancement of structured data -- Project management -- Firewall applications -- Enterprise wireless solutions -- Hadoop technologies -- Media measurement -- Social media -- Geographical Information Systems -- Mobile Device Management -- Splunk in action -- Summary
2. Advanced Searching -- Searching in Splunk -- The search dashboard -- The new search dashboard -- The Splunk search mechanism -- The Splunk quick reference guide -- Please assist me, let me go -- Basic optimization -- Fast, verbose, or smart? -- The breakdown of commands -- Understanding the difference between sparse and dense -- Searching for operators, command formats, and tags -- The process flow -- Boolean expressions -- You can quote me, I'm escaping -- Tag me Splunk! -- Assigning a search tag -- Tagging field-value pairs -- Wild tags! -- Wildcards - generally speaking -- Disabling and deleting tags -- Transactional searching -- Knowledge management -- Some working examples -- Subsearching -- Output settings for subsearches -- Search Job Inspector -- Searching with parameters -- The eval statement -- A simple example -- Splunk macros -- Creating your own macro -- Using your macros -- The limitations of Splunk -- Search results -- Some basic Splunk search examples -- Additional formatting -- Summary
3. Mastering Tables, Charts, and Fields -- Tables, charts, and fields -- Splunking into tables -- The table command -- The Splunk rename command -- Limits -- Fields -- An example of the fields command -- Returning search results as charts -- The chart command -- The split-by fields -- The where clause -- More visualization examples -- Some additional functions -- Splunk bucketing -- Reporting using the timechart command -- Arguments required by the timechart command -- Bucket time spans versus per_* functions -- Drilldowns -- The drilldown options -- The basic drilldown functionality -- Row drilldowns -- Cell drilldowns -- Chart drilldowns -- Legends -- Pivot -- The pivot editor -- Working with pivot elements -- Filtering your pivots -- Split -- Column values -- Pivot table formatting -- A quick example -- Sparklines -- Summary
4. Lookups -- Introduction -- Configuring a simple field lookup -- Defining lookups in Splunk Web -- Automatic lookups -- The Add new page -- Configuration files -- Implementing a lookup using configuration files - an example -- Populating lookup tables -- Handling duplicates with dedup -- Dynamic lookups -- Using Splunk Web -- Using configuration files instead of Splunk Web -- External lookups -- Explanation -- Time-based lookups -- An easier way to create a time-based lookup -- Seeing double? -- Command roundup -- The lookup command -- The inputlookup and outputlookup commands -- The inputcsv and outputcsv commands -- Summary
5. Progressive Dashboards -- Creating effective dashboards -- Views -- Panels -- Modules -- Form searching -- An example of a search form -- Dashboards versus forms -- Going back to dashboards -- The Panel Editor -- The Visualization Editor -- XML -- Let's walk through the Dashboard Editor -- Constructing a dashboard -- Constructing the framework -- Adding panels and panel content -- Adding a panel -- Specifying visualizations for the dashboard panel -- The time range picker -- Adding panels to your dashboard -- Controlling access to your dashboard -- Cloning and deleting -- Keeping in context -- Some further customization -- Using panels -- Adding and editing dashboard panels -- Visualize this! -- The visualization type -- The visualization format -- Dashboards and XML -- Editing the dashboard XML code -- Dashboards and the navigation bar -- Color my world -- More on searching -- Inline searches -- A saved search report -- The inline pivot -- The saved pivot report -- Dynamic drilldowns -- The essentials -- Examples -- No drilldowns -- Real-world, real-time solutions -- Summary
6. Indexes and Indexing -- The importance of indexing -- What is a Splunk index? -- Event processing -- Parsing -- Indexing -- Index composition -- Default indexes -- Indexes, indexers, and clusters -- Managing Splunk indexes -- Getting started -- Dealing with multiple indexes -- Reasons for multiple indexes -- Creating and editing Splunk indexes -- Important details about indexes -- Other indexing methods -- Editing the indexes.conf file -- Using your new indexes -- Sending all events to be indexed -- Sending specific events -- A transformation example -- Searching for a specified index -- Deleting your indexes and indexed data -- Deleting Splunk events -- Not all events! -- Deleting data -- Administrative CLI commands -- The clean command -- Deleting an index -- Disabling an index -- Retirements -- Configuring indexes -- Moving your index database -- Spreading out your Splunk index -- Size matters -- Index-by-index attributes -- Bucket types -- Volumes -- Creating and using volumes -- Hitting the limits -- Setting your own minimum free disk space -- Summary
7. Evolving your Apps -- Basic applications -- The app list -- More about apps -- Out of the box apps -- Add-ons -- Splunk Web -- Installing an app -- Disabling and removing a Splunk app -- BYO or build your own apps -- App FAQs -- The end-to-end customization of Splunk -- Preparation for app development -- Beginning Splunk app development -- Creating the app's workspace -- Adding configurations -- The app.conf file -- Giving your app an icon -- Other configurations -- Creating the app objects -- Setting the ownership -- Setting the app's permissions -- Another approach to permissions -- A default.meta example -- Building navigations -- Let's adjust the navigation -- Using the default.xml file rather than Splunk Web -- Creating an app setup and deployment -- Creating a setup screen -- The XML syntax used -- Packaging apps for deployment -- Summary
8. Monitoring and Alerting -- What to monitor -- Recipes -- Pointing Splunk to data -- Splunk Web -- Splunk CLI -- Splunk configuration files -- Apps -- Monitoring categories -- Advanced monitoring -- Location, location, location -- Leveraging your forwarders -- Can I use apps? -- Windows inputs in Splunk -- Getting started with monitoring -- Custom data -- Input typing -- What does Splunk do with the data it monitors? -- The Splunk data pipeline -- Splunk -- Where is this app? -- Let's Install! -- Viewing the Splunk Deployment Monitor app -- All about alerts -- Alerting a quick startup -- You can't do that -- Setting enabling actions -- Listing triggered alerts -- Sending e-mails -- Running a script -- Action options - when triggered, execute actions -- Throttling -- Editing alerts -- Editing the description -- Editing permissions -- Editing the alert type and trigger -- Editing actions -- Disabling alerts -- Cloning alerts -- Deleting alerts -- Scheduled or real time -- Extended functionalities -- Splunk acceleration -- Expiration -- Summary indexing -- Summary
9. Transactional Splunk -- Transactions and transaction types -- Let's get back to transactions -- Transaction search -- An example of a Splunk transaction -- The Transaction command -- Transactions and macro searches -- A refresher on search macros -- Defining your arguments -- Applying a macro -- Advanced use of transactions -- Configuring transaction types -- The transactiontypes.conf file -- An example of transaction types -- Grouping - event grouping and correlation -- Concurrent events -- Examples of concurrency command use -- What to avoid - stats instead of transaction -- Summary
10. Splunk - Meet the Enterprise -- General concepts -- Best practices -- Definition of Splunk knowledge -- Data interpretation -- Classification of data -- Data enrichment -- Normalization -- Modeling -- Strategic knowledge management -- Splunk object management with knowledge management -- Naming conventions for documentation -- Developing naming conventions for knowledge objects -- Organized naming conventions -- Object naming conventions -- Hints -- An example of naming conventions -- Splunk's Common Information Model -- Testing -- Testing before sharing -- Levels of testing.
Abstract:
This book is for those Splunk developers who want to learn advanced strategies to deal with big data from an enterprise architectural perspective. You need to have good working knowledge of Splunk.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.