Technology Posts

Awesome, I was able to move from those 2 slides that took a lot of content and energy our of my brain! – The slides I’m referring to are the ones you get when you assist Splunk’s class for System Administration, basically the posts are my notes (This blog) which is an extraction of the

Splunk can be installed in Windows and Linux for Production environments, there are some tweaks that you can configure to make your environment run better and with no issues, this class makes few recommendations that are very new to me so I will list them here to keep adding to my notes. Linux Settings Recommendations

Getting back from where we left over from yesterday. Here is a quick and interesting view of the components, processes and the Installation planning of the solution. I know, these post maybe repetitive in nature, but its the foundation of a well implemented solution Core Components and Processes This section is dedicated to describe all

As I continue being exposed to Splunk in the wild as well as in class 🙂 – I decided to write a bit on the class that I just took. The System Administrator Class This class is one of the many requirements to become a Splunk Certified Architect, which is what I’m going for in

Introduction to Knowledge objects These are tools you use to discover and analyze various aspects of your data * Data Interpretation – Fields and field extractions * Data Classification – Event types * Data Enrichment – Lookups and Workflow Actions * Normalization – Tasks and Field Aliases * Datasets – Data models Knowledge objects can

Introduction to Transactions A transaction is a group of related events that span time. Events can come from multiple applications or hots. For example, One email message can create multiple events as it travels through various queues, also visiting a single website normally generates multiple HTTP requests Transaction field-list can be one list field or

Introduction to Eval Commands The eval commands are great to perform calculations, convert values, road values, format values and even use conditional statements. It is recommended to use search and were commands to filter calculated results. Eval commands allow you to calculate and manipulate field values in your report Supports a variety of functions Results

Visualizations When a search returns statistical values, the results can be viewed with different visualization types, some of the Visualization types: Statistical Values Charts: Line, column, pie Single Value Visualizations Maps Charts – Line Chart (Time Series) Chart – Bubble Cluster Map Choropleth Map What is next? Filtering/Formatting Data About the Author: Andres Sarmiento, CCIE

SO we got to this point, looking at the Fundamentals 2 section of my training. This training builds on the Fundamentals 1 course. Which is pretty much all tools you can use for searching and understanding data in Splunk What is part fo Fundamentals 2: Transforming commands and Visualizations Filter/Format results of a Search Correlate

Fields are searchable key/value pairs in your event data Fields can be searched by their name, for example: area_code=404 action=purchase status=200 When you look for multiple items in the editor an implied AND will be implied unless specified otherwise (AND, OR, NOT) to the search as follows action=purchase AND status=200 Field Discovery Splunk automatically discovers

Every search is also a job, which can be paused, stopped, saved and exported. Here are some interesting things you need to know about Search jobs: Jobs are available for 10 Minutes (By Default) Jobs can have the following permissions as part of the configuration when they are saved Private – Only the creator can

Basic search The search assistant provides a nice way to begin looking up for something in particular. At this stage, you can determine a few different search criteria, such as a term in particular or search directly into a specific Index. The search assistant lets you be flexible and presents you with different options. Before

Splunk Index Time Process Data ingestion for Splunk is broken down into 3 different phases Input Phase – Data is handled at the source and is usually done by a forwarder Parsing Phase – Handled by the indexer or Heavy Forwarders, the data is broken into events Indexing Phase – The license meter runs as

Addition Splunk Components There are additional components for a Splunk deployment, here is a list Deployment Server Cluster Master License Master Standalone Deployment This deployment is only in 1 server, and all functions needed for this deployment reside on the same server Searching Indexing Parsing Input It is recommended to have 1 test or dev

Splunk – Indexer This is the engine that is in charge of processing machine data, stores the results in indexes as events. This is what allows enabling fast searches and analysis As data is indexed, Splunk creates files organized in sets of directories by age. Splunk – Search Head Splunk has its own Search language,

What is Splunk Splunk is many things to different groups in an organization, but mostly is an engine that looks you to visualize data in a way that could be understood by the business, what are few of the things that Splunk can help with: Application Management Operations Management Security and Compliance Splunk allows you