Splunk .conf2011: Search Language: Intermediate

Page 1: Splunk .conf2011: Search Language: Intermediate

Search Language - Intermediate

Karen Hodges, Sr. Instructor

Page 2: Your presenter . . .

© Copyright Splunk 2011. The 2nd Annual Splunk Worldwide Users’ Conference

Karen Hodges – Senior Instructor – Splunk
Over 20 years of experience in software training and education in:
- UNIX System Administration
- Intergraph GIS Systems
- Relational Database Management Systems
- BMC Remedy
- Mortgage Fraud Detection
- Real Property Title Search
- Splunk

Page 3: Topics

Knowledge Objects
- Tags
- Event types
- Saved searches and alerts

Advanced searching techniques
- Comparison operators
- The search pipeline

Page 4: Knowledge Objects

Page 5: Splunk as “Search Engine”

Type in keywords, hit return, get results . . .

Page 6: So Much More than a “Search Engine”

Splunk allows you to “store” knowledge alongside your IT data

Institutional knowledge – for example: server function or device location

Learned knowledge – for example: identify crash precursors or suspicious activity patterns

You store these in Splunk using Knowledge Objects

Page 7: Scenario – Confusing Server Names

Server names aren’t always very helpful!
- Sometimes they pack too much information into the name
- Sometimes they make them reflect their hobbies/obsessions

Page 8: Knowledge Objects – Tags to the Rescue

Tags are metadata you can add to field values

Page 9: Using Tags

Search all hosts tagged as “webfarm”

Page 10: Scenario – So Many Different Needles and Hays

IT data is full of strange and confusing messages
- Some are alarming!
- Some are low key, but should be alarming

Page 11: Knowledge Objects – Event Types

Event types are fields based on a search – similar to a saved search

Page 12: Event Type Example – Different Events

For example: 2 events in linux_secure

Save event types to differentiate these 2 events
- pwd_fail_known and pwd_fail_unknown

Page 13: Event Type Example – Same Event

For example: 2 different types of firewalls
- CheckPoint firewall “action=reject”
- Netscreen firewall “action=deny”

Page 14: Using Event Types

Use the eventtype as you would any other field

Page 15: Scenario – 24/7 Monitoring

Servers and devices run 24/7
Hackers, bugs and crashes (oh my!) are lurking 24/7
Humans aren’t 24/7 – they need things like sleep, vacations, lunch, or just a few minutes away from staring at a screen in a freezing cold server room!

Page 16: Splunk Alerts Never Sleep!

Searches can be run on a schedule and be set up to “do something” based on the results

We call these Alerts

Page 17: Alerting Scenario – Public User Logins

Hackers need a user name AND a password to log in to your systems

Public web pages often contain names of CEOs, sales folks, etc. splunk.com is no exception

Page 18: Leverage Tagging and Event Types

Since only certain users appear on the web page, we can give those users the tag=publicID

We can use the “pwd_fail_known” Event Type we created earlier

Page 19: Craft Your Search and Create the Alert

Craft the search that searches for login attempts from public users, then create the alert

Click Next to define alert conditions

Page 20: Alert Conditions

You can specify alert conditions which will trigger the alert

In our case we are looking for four or more login attempts, since after that legitimate users are locked out
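As an added example (not from the deck), the Python below models what the alert search built on slides 18 to 20 does, over constructed linux_secure lines: the two event types are approximated by regular expressions, tag=publicID is a lookup on the user field, and the alert condition is four or more pwd_fail_known events for a public user. The SPL it mirrors is, in my wording, `eventtype=pwd_fail_known tag=publicID | stats count by user | where count>=4`; the account names, IPs and regex patterns are assumptions.

```python
import re
from collections import Counter

# Constructed sample linux_secure events (not from the slides); hosts, users and IPs are made up.
LINUX_SECURE = [
    "Aug 15 10:01:02 web01 sshd[1201]: Failed password for ceo from 203.0.113.5 port 40122 ssh2",
    "Aug 15 10:01:05 web01 sshd[1201]: Failed password for ceo from 203.0.113.5 port 40123 ssh2",
    "Aug 15 10:01:09 web01 sshd[1201]: Failed password for ceo from 203.0.113.5 port 40124 ssh2",
    "Aug 15 10:01:12 web01 sshd[1201]: Failed password for ceo from 203.0.113.5 port 40125 ssh2",
    "Aug 15 10:02:00 web01 sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 5100 ssh2",
    "Aug 15 10:03:30 web01 sshd[1203]: Failed password for jdoe from 192.0.2.9 port 6011 ssh2",
    "Aug 15 10:04:00 web01 sshd[1204]: Accepted password for jdoe from 192.0.2.9 port 6012 ssh2",
]

# The two event types from slide 12, approximated here as regular expressions (assumed patterns):
# a known account fails without the "invalid user" marker, an unknown account carries it.
EVENTTYPES = {
    "pwd_fail_known": re.compile(r"Failed password for (?!invalid user )(?P<user>\S+) from"),
    "pwd_fail_unknown": re.compile(r"Failed password for invalid user (?P<user>\S+) from"),
}

# tag=publicID on the user field (slide 18): accounts whose names appear on the public web site.
TAGS = {"user": {"ceo": {"publicID"}, "vp_sales": {"publicID"}}}


def classify(line):
    """Return (eventtype, user) for one raw line, or (None, None) when no event type matches."""
    for name, pattern in EVENTTYPES.items():
        match = pattern.search(line)
        if match:
            return name, match.group("user")
    return None, None


def failed_public_logins(lines, threshold=4):
    """Model of: eventtype=pwd_fail_known tag=publicID | stats count by user | where count>=threshold
    Returns {user: count} for public accounts at or over the threshold (the alert condition)."""
    counts = Counter()
    for line in lines:
        eventtype, user = classify(line)
        if eventtype == "pwd_fail_known" and "publicID" in TAGS["user"].get(user, set()):
            counts[user] += 1
    return {user: n for user, n in counts.items() if n >= threshold}
```

Only the four failures against the public "ceo" account trip the condition; the unknown-account attempt and the single failure for a non-public user do not.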

Page 21: Alert Actions

Can send email, create RSS feed, or trigger shell script

We have opted to have the results included in our email so we can evaluate the severity of the attack easily

Tracking allows us to view fired alerts in the Alert manager

Page 22: Alert Manager

Use the Alerts menu item in the main Splunk navigation to display the Alerts manager window.

Click Results to view the events that triggered the alert

Click Edit to edit the alert settings

Screenshot: Alert Manager listing the “Failed Logins” alert

Page 23: Advanced Searching Techniques

Page 24: So Much More than a “Search Engine” – Part II

Comparison operators make your searches more exacting

Splunk’s full-featured search language permits you to organize and analyze data in amazing ways!

Page 25: Towards More Sophisticated Searches

Comparison operators: != > < <= >=

Page 26: The Search Pipeline

Search is a data generating command
You can organize and analyze data using the search pipeline

sourcetype=syslog ERROR | top user | fields - percent

Diagram of the pipeline for this search:
- Disk -> sourcetype=syslog ERROR: fetch events from disk that match -> intermediate results table
- | top user: summarize into table of top 10 users -> intermediate results table
- | fields - percent: remove column showing percentage -> final results table
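To make the intermediate tables in the diagram concrete, here is an added Python model (not from the deck) of `sourcetype=syslog ERROR | top user | fields - percent` run over constructed events; the `limit` parameter plays the role of `top limit=#` described on a later slide. The field names and sample events are assumptions.

```python
from collections import Counter

# Constructed events as Splunk would hold them after field extraction (not from the slides).
SYSLOG = [
    {"sourcetype": "syslog", "user": "alice", "_raw": "ERROR disk quota exceeded"},
    {"sourcetype": "syslog", "user": "bob", "_raw": "ERROR permission denied"},
    {"sourcetype": "syslog", "user": "alice", "_raw": "ERROR disk quota exceeded"},
    {"sourcetype": "syslog", "user": "carol", "_raw": "INFO login ok"},
    {"sourcetype": "access_combined", "user": "dave", "_raw": "ERROR 500"},
    {"sourcetype": "syslog", "user": "alice", "_raw": "ERROR job failed"},
]


def search(events, sourcetype, keyword):
    """Stage 1: fetch from disk only the events that match sourcetype and keyword."""
    return [e for e in events if e["sourcetype"] == sourcetype and keyword in e["_raw"]]


def top(events, field, limit=10):
    """Stage 2: most common values of field, with count and percent, at most limit rows
    (10 by default, as 'top' does)."""
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    return [{field: value, "count": n, "percent": round(100.0 * n / total, 6)}
            for value, n in counts.most_common(limit)]


def fields_remove(rows, *names):
    """Stage 3: 'fields - name ...' drops the named columns from the results table."""
    return [{k: v for k, v in row.items() if k not in names} for row in rows]


def pipeline(events):
    """sourcetype=syslog ERROR | top user | fields - percent, one table handed to each stage."""
    matched = search(events, "syslog", "ERROR")   # intermediate results: raw events
    ranked = top(matched, "user")                 # intermediate results: user, count, percent
    return fields_remove(ranked, "percent")       # final results: user, count
```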

Page 27: Organize and Analyze Your Data

After the search command, use the “|” symbol to pipe your search results to a subsequent command

For example, here we are changing the sort order to sort by user name descending – grouping all the logins together

Page 28: Data Processing Commands

We’ve already seen sort; there are many MANY more . . .
- dedup removes duplicates
  ‣ Weeding out duplicate entries makes results easier to use AND keeps statistical operations more pure
- regex allows you to filter your results using a regular expression
  ‣ REGEX gurus can filter using all the ?’s and *’s they want!
- transaction allows you to group your events by a certain field and time range
  ‣ See all the web pages your boss visited in the past hour from your proxy data

Page 29: Splunk Makes Using its Search Language Easy

When you type in a command after the | symbol, Splunk’s Search Assistant provides an instant mini “man page”

Page 30: View Events in a Table

The table command is useful for visually organizing events

Columns are displayed in the same order as the fields entered in the command
- Column headers are field names
- Rows are field values
- Each row represents an event

Page 31: Top Scenario – Getting Top Site Visitors

The top command finds the most common values of a given field
- Returns top 10 results by default
- Automatically returns a count and percentage
- Adding limit=# after the top command returns the specified number of results

Page 32: Stats Scenario – Counting Product Sales

count returns the number of occurrences of a given field

The by clause returns a count for each field value of a named field

Page 33: Transaction Scenario – Monitor Trading Activity

Online trading activity is captured in a log file which includes each trader’s unique identification

Company policy requires that we monitor each trader’s activity in hourly chunks, but the trades are all jumbled up together, making it hard to spot patterns in each trader’s trades

Page 34: Use Transaction to Group Your Trades

Use transaction to group each trade by TradeID

Set your time span to an hour and your max pause to one hour, in case some traders only have one or two trades per hour
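As an added example (not from the deck), this Python reproduces the grouping that `transaction TradeID maxspan=1h maxpause=1h` performs, on a constructed trade log: events are taken in time order, and a new transaction for a TradeID starts whenever either the span since the first event or the pause since the previous event would exceed one hour. The log layout, timestamps and IDs are assumptions.

```python
from datetime import datetime, timedelta

# Constructed trade log as (timestamp, TradeID, raw text); IDs and symbols are made up.
TRADES = [
    ("2011-08-15 09:05:00", "T001", "BUY AAPL 100"),
    ("2011-08-15 09:20:00", "T002", "SELL MSFT 50"),
    ("2011-08-15 09:40:00", "T001", "SELL AAPL 100"),
    ("2011-08-15 10:10:00", "T001", "BUY GOOG 10"),    # 65 min after T001's first trade: maxspan exceeded
    ("2011-08-15 11:00:00", "T002", "BUY MSFT 50"),    # 100 min since T002's last trade: maxpause exceeded
    ("2011-08-15 10:30:00", "T001", "SELL GOOG 10"),   # stored out of order; sorted by time below
]


def transaction(events, field, maxspan=timedelta(hours=1), maxpause=timedelta(hours=1)):
    """Group events sharing a value of `field` into transactions bounded by maxspan (first
    to last event) and maxpause (gap between consecutive events). Each result carries the
    field value, _time of the first event, duration in seconds, eventcount and the events."""
    open_txn = {}   # field value -> transaction currently being extended
    done = []
    for ts, value, raw in sorted(events, key=lambda e: e[0]):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        txn = open_txn.get(value)
        if txn and (t - txn["_time"] <= maxspan) and (t - txn["_last"] <= maxpause):
            txn["events"].append(raw)
            txn["_last"] = t
        else:
            if txn:
                done.append(txn)          # close the previous group for this value
            open_txn[value] = {field: value, "_time": t, "_last": t, "events": [raw]}
    done.extend(open_txn.values())        # flush groups still open at end of data
    for txn in done:
        txn["duration"] = (txn["_last"] - txn["_time"]).total_seconds()
        txn["eventcount"] = len(txn["events"])
        del txn["_last"]
    return sorted(done, key=lambda x: x["_time"])
```

With the one-hour limits the six trades fall into four transactions: two for T001 (split by maxspan even though no single gap is over an hour) and two for T002 (split by the long pause).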

Page 35: Summary

Event types and tags are excellent ways to capture existing knowledge as well as knowledge learned from using Splunk

Splunk’s search language includes many powerful commands which allow you to organize and analyze your data easily

Page 36: Congratulations!

You’ve just seen some of the many ways Splunk can be used to leverage the intelligence in your IT data

Further your Splunk education with official Splunk training
- Using Splunk – Gets deeper into basic search, alerts, knowledge objects, quick reports and more…
- Searching and Reporting with Splunk – Takes you to the next level, leveraging statistical operations and reporting in Splunk

Page 37: Questions?

August 15, 2011

Karen Hodges, Sr. Instructor

