Splunk Operational Intelligence Cookbook

Splunk Operational Intelligence Cookbook: With Splunk, reporting and communicating insight is simple – find out with this Splunk book, created to help you unlock more effective Business Intelligence

Chapter 2. Diving into Data – Search and Report

In this chapter, we will cover the basic ways to search the data in Splunk. We will learn about:

  • Making raw event data readable
  • Finding the most accessed web pages
  • Finding the most used web browsers
  • Identifying the top-referring websites
  • Charting web page response codes
  • Displaying web page response time statistics
  • Listing the top viewed products
  • Charting the application's functional performance
  • Charting the application's memory usage
  • Counting the total number of database connections

Introduction

In the previous chapter, we learned about the various ways to get data into Splunk. In this chapter, we will dive right into the data and get our hands dirty.

The ability to search machine data is one of Splunk's core functions, and it should come as no surprise that many other features and functions of Splunk are heavily driven off searches. Everything from basic reports and dashboards through to data models and fully featured Splunk applications is powered by Splunk searches behind the scenes.

The Search Processing Language (SPL)

Splunk has its own search language known as the Search Processing Language (SPL). This SPL contains hundreds of search commands, most of which also have several functions, arguments, and clauses. While a basic understanding of SPL is required in order to effectively search your data in Splunk, you are not expected to know all of the commands! Even the most seasoned ninjas do not know all the commands and regularly refer to the Splunk manuals, website...

Making raw event data readable

When a basic search is executed in Splunk from the search bar, the search results are displayed in a raw event format by default. To many users, this raw event information is not particularly readable, and valuable information is often clouded by other less valuable data within the event. Additionally, if events span several lines, only a few events can be seen on screen at any one time.

In this recipe, we will write a Splunk search to demonstrate how we can leverage Splunk commands to make raw event data readable, tabulating events and displaying only the fields we are interested in.

Getting ready

To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with the Splunk search bar and search results area.

How to do it...

Follow the given steps to search and tabulate the selected event data:

  1. Log in to your Splunk server.

  2. Select the Search & Reporting...

Finding the most accessed web pages

One of the data samples we loaded in Chapter 1, Play Time – Getting Data In, contained access logs from our web server. These have a Splunk sourcetype of access_combined and detail all pages accessed by users of our web application. We are particularly interested in knowing which pages are being accessed the most, as this information provides great insight into how our e-commerce web application is being used. It could also help influence changes to our web application such that rarely visited pages are removed, or our application is redesigned to be more efficient.

In this recipe, we will write a Splunk search to find the most accessed web pages over a given period of time.

Getting ready

To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with the Splunk search bar and the time range picker to the right of it.

How to do it...

Follow the...

Finding the most used web browsers

Users visiting our website use a variety of devices and web browsers. By analyzing the web access logs, we can understand which browsers are the most popular and, therefore, which browsers our site must support as a minimum. We can also use this same information to help identify the types of devices that people are using.

In this recipe, we will write a Splunk search to find the most used web browsers over a given period of time. We will then make use of both the eval and replace commands to clean up the data a bit.

Getting ready

To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with the Splunk search bar and the time range picker to the right of it.

How to do it...

Follow the given steps to search for the most used web browsers:

  1. Log in to your Splunk server.

  2. Select the Search & Reporting application.

  3. Ensure that the time range picker...

Identifying the top-referring websites

Our web access logs continue to give us great information about our website and the users visiting the site. Understanding where our users are coming from provides insight into potential sales leads and/or which marketing activities might be working better than others. For this information, we look for the referer_domain field value within the log data.

In this recipe, we will write a Splunk search to find the top-referring websites.

Getting ready

To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with the Splunk search bar and the time range picker.

How to do it...

Follow the given steps to search for the top-referring websites:

  1. Log in to your Splunk server.

  2. Select the Search & Reporting application.

  3. Ensure that the time range picker is set to Last 24 hours and type the following search into the Splunk search bar. Then, click on the...

Charting web page response codes

Log data often contains seemingly cryptic codes that have all sorts of meanings. This is true of our web access logs, where there is a status code that represents a web page response. This code is very useful, as it can tell us whether certain events were successful or not. For example, error codes found in purchase events are less than ideal, and if our website was at fault, then we might have lost a sale.

In this recipe, we will write a Splunk search to chart web page responses against the various web pages on the site.

Getting ready

To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with the Splunk search bar and the time range picker.

How to do it...

Follow the given steps to chart web page response codes over time:

  1. Log in to your Splunk server.

  2. Select the Search & Reporting application.

  3. Ensure that the time range picker is set to Last...

Displaying web page response time statistics

No one likes to wait for a web page to load, and we certainly do not want users of our web application waiting either! Within our web access logs, there is a field named response that tracks the total time the page has taken to load in milliseconds.

In this recipe, we will track the average page load time over the past week at different times of the day.

Getting ready

To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with the Splunk search bar and the time range picker.

How to do it...

Follow the given steps to search and calculate web page response time statistics over the past week:

  1. Log in to your Splunk server.

  2. Select the Search & Reporting application.

  3. Ensure that the time range picker is set to Last 7 Days and type the following search into the Splunk search bar. Then, click on the magnifying glass icon or hit Enter.

    sourcetype...
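The recipe's search is cut off above; the following SPL is an added example of my own, not the book's search, that produces the hour-of-day response time statistics the recipe describes. It assumes the access_combined sourcetype extracts response as a numeric page load time in milliseconds, as the text states, and uses earliest=-7d@d in place of the Last 7 Days time picker.

```spl
sourcetype=access_combined earliest=-7d@d
| where isnotnull(response)
| eval hour_of_day=strftime(_time, "%H")
| stats count AS requests,
        avg(response) AS avg_ms,
        perc95(response) AS p95_ms,
        max(response) AS max_ms
        BY hour_of_day
| eval avg_ms=round(avg_ms, 1), p95_ms=round(p95_ms, 1)
| sort hour_of_day
```

The 95th percentile and maximum columns go beyond the recipe's average so that a handful of very slow requests in an hour, which an average alone would smooth over, still stand out in the table.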

Description

This book is intended for users of all levels who are looking to leverage the Splunk Enterprise platform as a valuable operational intelligence tool. The recipes provided in this book will appeal to individuals from all facets of a business – IT, Security, Product, Marketing, and many more!

Product Details

Publication date: Oct 31, 2014
Length: 414 pages
Edition: 1st
Language: English
ISBN-13: 9781849697859

Table of Contents

11 Chapters
  1. Play Time – Getting Data In
  2. Diving into Data – Search and Report
  3. Dashboards and Visualizations – Make Data Shine
  4. Building an Operational Intelligence Application
  5. Extending Intelligence – Data Models and Pivoting
  6. Diving Deeper – Advanced Searching
  7. Enriching Data – Lookups and Workflows
  8. Being Proactive – Creating Alerts
  9. Speed Up Intelligence – Data Summarization
  10. Above and Beyond – Customization, Web Framework, REST API, and SDKs
  Index

Customer reviews

Rating distribution: 4.2 (15 Ratings)
5 star 60%
4 star 26.7%
3 star 0%
2 star 0%
1 star 13.3%

Top Reviews

Chad, Jan 08, 2016, rating 5/5 (Amazon Verified review)

Amazing book for getting to know Splunk! The fact they run you through real world exercises with sample data is incredibly helpful.

owen1, Jul 19, 2016, rating 5/5 (Amazon Verified review)

Great book and is an easy read with a lot of references and guides with step by step instructions. I recommend it to anyone in the InfoSec world that focuses on Splunk!

A. Beeber, Nov 20, 2014, rating 5/5 (Amazon Verified review)

I have had a keen interest in Splunk for over 2 years and have seen the product grow and evolve from 4.2 to the current release of 6.2. Coming from the IT/Legal Compliance background, I have found the product at times challenging (learning regular expressions... anyone?). When Splunk Operational Intelligence came out for pre-order, it quickly caught my eye and I was quick to add it to my wish list.

This latest publication has been a real blessing. It includes the latest features within Splunk, like pivot tables, and includes steps on how to build your own applications. So far I have found the book very helpful. I like how the information is arranged and how the how-to steps are presented in a very visual format. The author's use of examples is also very helpful and very easy to implement in any environment. To be fair, I am only halfway through this book, but will post an update when I have completed it.

My recommendation is that if you are new to Splunk, then get this book. It will help you get up to speed on the product and can help you navigate the extensive material provided by Splunk. If you are an experienced Splunker, some of the book's contents may be redundant, but even so a walk-through of some of the new features can't hurt. I've found a few useful nuggets of information as I worked through the book. I hope this review helps. Go get the latest version from splunk.com, get this book and get splunking!

Disclaimer: I was fortunate enough to receive an electronic copy of this book from the publisher. My review was independent of this, as I was about to order the ebook this week. That said, I'll probably buy the hardback copy because I have found it to be really helpful. I hope the author continues to provide revised editions as the product continues to evolve, and perhaps develops a book more geared for Splunk deployments, the clustering of Indexers and SplunkWeb servers, and walking the reader through setting up SSO Proxy servers using IIS and Apache.

BENJAMIN AFOLABI, Dec 01, 2014, rating 5/5 (Amazon Verified review)

One of the best Splunk books available in the market. This will definitely get you started and even help advanced users.

Lee Gorby, Jul 05, 2016, rating 5/5 (Amazon Verified review)

Really good for beginners!