New Features, Pivot and Search Dojo
David Anso
Technical Enablement Manager, GKC
Safe Harbor Statement
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
AGENDA
New Features
Pivot
Search Dojo
6.3 New Features
Demo: Splunk 6.3 Overview App
Pivot
Demo: Instant Pivot
Pivot Tutorial
Splunk CIM Data Model
Search Dojo
Comment your search. Splunk 6.3 has no native comment syntax, so the slides show two idioms that carry a note inside the search string without changing what the search returns:

    sourcetype=access_combined | eval COMMENT="Examine all web logs"

    sourcetype=access_combined_wcookie | rename COMMENT AS "Examine all web logs"

The eval form creates a COMMENT field on every event, so the note shows up in the field list and costs a little work per event. The rename form renames a field that does not exist, which is a no-op, so the results are left exactly as they were; it is the safer of the two for saved searches and alerts. (Splunk Enterprise 6.5 later added a native comment syntax: text wrapped in three backticks inside the search string.)
Use a subsearch to improve performance. The subsearch runs first, and its rows are turned into a disjunction of field=value terms that is spliced into the outer search before any events are retrieved, so the indexers fetch only the web events whose clientip is on the watchlist instead of fetching every web event and filtering afterwards:

    sourcetype=access_combined [ | inputlookup ip_watchlist.csv | search type=malicious | fields clientip ]

After expansion the outer search is effectively sourcetype=access_combined ((clientip="a") OR (clientip="b") OR ...), with one term per row the subsearch returned.
Use a subsearch to search for text rather than a field. Renaming the column to query makes Splunk splice the values in as bare terms instead of clientip=value pairs, so they are matched against the indexed tokens of the raw event without depending on any field extraction:

    sourcetype=access_combined [ | inputlookup ip_watchlist.csv | search type=malicious | fields clientip | rename clientip AS query ]

Caveat: a bare term matches the address anywhere in the event, not only in the client address position. A watchlisted IP that appears in a referer or in a request path will match too, so if the distinction matters, keep the field form or confirm the field after the fast retrieval.
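The three ways of applying the watchlist to web logs, side by side, as an added example that is not from the slides. It assumes ip_watchlist.csv has the clientip and type columns the slides use, that the CSV can be referenced by file name from the lookup command just as it is from inputlookup, and it uses the rename COMMENT idiom from earlier in the deck as inline notes so each search pastes straight into a 6.3 search bar:

```spl
sourcetype=access_combined
| rename COMMENT AS "Slow form: every web event is retrieved, joined to the watchlist at search time, then filtered"
| lookup ip_watchlist.csv clientip OUTPUT type AS watchlist_type
| where watchlist_type="malicious"
| stats count BY clientip

sourcetype=access_combined
    [ | inputlookup ip_watchlist.csv
      | search type=malicious
      | fields clientip ]
| rename COMMENT AS "Field form: the subsearch expands to (clientip=a) OR (clientip=b) ... so only listed addresses are retrieved"
| stats count BY clientip

sourcetype=access_combined
    [ | inputlookup ip_watchlist.csv
      | search type=malicious
      | fields clientip
      | rename clientip AS query ]
| rename COMMENT AS "Text form: the values are spliced in as bare terms and may match anywhere in the event"
| rename COMMENT AS "Re-check the client address field so a hit in a referer or path is not counted as a listed client"
| lookup ip_watchlist.csv clientip OUTPUT type AS watchlist_type
| where watchlist_type="malicious"
| stats count BY clientip
```

The third search keeps the cheap retrieval of the text form and then confirms the field before counting, which is the combination to use when the watchlist values could legitimately occur in other parts of the event.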
Issues with the subsearch approach:
- Subsearches are capped at 10,000 results by default (maxout in the [subsearch] stanza of limits.conf, alongside a 60-second maxtime). If the watchlist returns more rows than that, only the first 10,000 are spliced into the outer search and the rest never take part in the match. Splunk reports the truncation as a warning on the search job rather than failing the search, so check the job inspector when a watchlist is large, or match large lists with the lookup command, which has no such cap.
- Searching for bare text may be faster, but it only sees what is in the indexed event. It cannot match values that exist only as calculated fields, lookup output, or other search-time products.
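A check for the first issue, as an added example that is not from the slides: it lists the watchlist rows that would fall past the default subsearch limit and therefore never reach the outer search. It assumes ip_watchlist.csv with the clientip and type columns used on the slides and the default maxout of 10000; inputlookup returns rows in file order, which is the order the subsearch would emit them:

```spl
| inputlookup ip_watchlist.csv
| search type=malicious
| fields clientip
| rename COMMENT AS "Number the rows in the order the subsearch would return them"
| streamstats count AS row
| eventstats count AS total_rows
| rename COMMENT AS "Default [subsearch] maxout in limits.conf; change this if the deployment has raised it"
| eval maxout=10000
| where row > maxout
| rename COMMENT AS "Every address listed here is silently left out of the outer search"
| table row total_rows clientip
```

An empty result means the watchlist fits under the cap. Raising maxout in limits.conf makes the expanded search string proportionally longer and is not a free fix; for lists anywhere near the cap, apply the watchlist with the lookup command instead.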
Ensuring your search returns a result. When a search is driven by a lookup, appending a test row that is known to match guarantees at least one hit, so an empty result set can be told apart from a broken search. The stats count in the subsearch produces a single row even with no events behind it, and the evals fill in the lookup's columns:

    | inputlookup malwaredomains.csv | head 10 | append [ | stats count | eval domain="splunk.com" | eval category="exploits" | eval isbad="false" | eval reference="Test match to ensure results from search" ]

The test row carries isbad="false" and an explanatory reference so that anything it matches can be recognised and excluded downstream rather than reported as a real hit. Splunk 6.3 also introduces makeresults, which produces the same single empty row (with a _time field instead of count) for this purpose.
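The same canary idea carried through end to end, as an added example that is not from the slides. It goes beyond the slide by applying the test row to the ip_watchlist.csv search from the earlier Search Dojo slides rather than to malwaredomains.csv, so that the row is also classified on the way out. It assumes ip_watchlist.csv with the clientip and type columns used on the slides, that the CSV can be referenced by file name from the lookup command, and that 10.0.0.99 (a constructed value) is an address known to appear in your test web logs:

```spl
sourcetype=access_combined
    [ | inputlookup ip_watchlist.csv
      | search type=malicious
      | fields clientip
      | rename COMMENT AS "Append one row that is certain to match, built from the empty row stats count always returns"
      | append
          [ | stats count
            | eval clientip="10.0.0.99"
            | fields clientip ]
      | fields clientip ]
| rename COMMENT AS "Label each hit so the canary proves the plumbing without being reported as a real match"
| lookup ip_watchlist.csv clientip OUTPUT type AS watchlist_type
| eval hit=case(clientip="10.0.0.99", "canary",
                isnotnull(watchlist_type), "watchlist",
                true(), "unexpected")
| stats count BY hit clientip
```

A row with hit="canary" shows the lookup, subsearch and outer search all ran; rows with hit="watchlist" are the real matches. An alert built on this search appends `| where hit!="canary"` so the test row never pages anyone, and hit="unexpected" flags any address that reached the results without being on the list.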