Machine Data 101 Workshop (Audience Version)
TRANSCRIPT
Copyright © 2014 Splunk Inc.
Machine Data 101: Turning Data into Insight
Audience Version
Agenda
§ Non-Traditional Data Sources
§ Data Enrichment
§ Level Up on Search and Reporting Commands
§ Data Models and Pivot
§ Advanced Visualizations and the Web Framework
Non-Traditional Data Sources
§ Network Inputs
§ HTTP Event Collector
§ Log Event Alert Action
§ Splunk App for Stream
§ Scripted Inputs
§ Database Inputs
§ Splunk ODBC Driver
§ Modular Inputs
§ zLinux Forwarder
§ MINT
§ Non-Splunk Datastores
Traditional Data Sources
§ Captures events from log files in real time
§ Runs scripts to gather system metrics, connect to APIs and databases
§ Listens to syslog and gathers Windows events
§ Universally indexes any data format so it doesn't need adapters
Windows: registry, event logs, file system, sysinternals
Linux/Unix: configurations, syslog, file system, ps, iostat, top
Virtualization: hypervisor, guest OS, guest apps
Applications: web logs, Log4J, JMS, JMX, .NET events, code and scripts
Databases: configurations, audit/query logs, tables, schemas
Network: configurations, syslog, SNMP, netflow
Network Inputs
§ Collect data over any UDP or TCP port
§ Some devices only send data over a network port
§ Best Practice: use syslog-ng or rsyslog
  § Offers persistence
  § Categorizes data by host
HTTP Event Collector (HEC)
§ Collect data over HTTP or HTTPS directly to Splunk
§ Application developer focus: a few lines of code in the app to send data
§ HEC features include:
  § Token-based, not credential-based
  § Indexer acknowledgements: guarantees data indexing
  § Raw and JSON formatted event payloads
  § SSL, CORS (cross-origin access), and network restrictions
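As an added example (not code from the workshop or from Splunk), the following Python builds the request an application would send to HEC's event endpoint: a batch of JSON-wrapped events, the token carried in the Authorization header instead of a username and password, and the optional channel header that indexer acknowledgement requires. The collector URL, the token and the channel id are placeholders; nothing is sent, so it runs offline.

```python
import json
import urllib.request

# Constructed values for this example: a placeholder collector URL and token.
# A real deployment supplies its own host, port and token; none of these are real.
HEC_URL = "https://splunk-hec.example.invalid:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder token


def build_hec_batch(events, sourcetype, host, index=None):
    """Serialize events into the body the HEC event endpoint accepts: one JSON
    object per event, concatenated. Each object carries the metadata HEC
    recognises (time, host, sourcetype, index) and the payload under "event";
    the payload may be a string (raw text) or a JSON object (structured)."""
    chunks = []
    for ev in events:
        obj = {"time": ev["time"], "host": host, "sourcetype": sourcetype,
               "event": ev["event"]}
        if index:
            obj["index"] = index
        chunks.append(json.dumps(obj, separators=(",", ":")))
    return "\n".join(chunks).encode("utf-8")


def parse_hec_batch(body):
    """Inverse of build_hec_batch: what the collector sees after decoding.
    Used here to check that a batch round-trips without loss."""
    return [json.loads(line) for line in body.decode("utf-8").split("\n") if line]


def build_hec_request(body, token=HEC_TOKEN, url=HEC_URL, channel=None):
    """Build (but do not send) the POST. HEC authenticates with the token in an
    Authorization header ("Splunk <token>"), not with a user's credentials.
    When indexer acknowledgement is enabled on the token, the client also sends
    a channel identifier and later polls /services/collector/ack with the ackId
    values returned in the response (the polling is not implemented here)."""
    headers = {"Authorization": "Splunk " + token,
               "Content-Type": "application/json"}
    if channel:
        headers["X-Splunk-Request-Channel"] = channel
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def hec_headers(request):
    """Request headers as a dict with lower-cased names (urllib normalises case)."""
    return {k.lower(): v for k, v in request.header_items()}


if __name__ == "__main__":
    batch = build_hec_batch(
        [{"time": 1404398400, "event": {"action": "login", "user": "alice"}},
         {"time": 1404398401, "event": "raw text line"}],
        sourcetype="app:auth", host="web01", index="main")
    req = build_hec_request(batch, channel="11111111-2222-3333-4444-555555555555")
    print(req.full_url, hec_headers(req))
    print(batch.decode())
```

The token is the only secret in the exchange, which is why HEC tokens are scoped to an index and a sourcetype on the Splunk side and should be sent only over HTTPS.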
Log Event Alert Action
§ Use Splunk alerting to index a custom log event
§ Splunk-searchable index of custom alert events
§ Configurable features include:
  § Host
  § Source
  § Sourcetype
  § Index
  § Event text: construct the exact syntax of the log event, including any text, tokens, or other information
The Splunk App for Stream
Wire Data Enhances the Platform for Operational Intelligence
Efficient, Cloud-ready Wire Data Collection
Simple Deployment Supports Fast Time to Value

Stream = Better Insights for *
(Table: Solution Area / Contextual Data / Wire Data / Enriched View)

Application Management
  Contextual data: application logs, monitoring data, metrics, events
  Wire data: protocol conversations on database performance, DNS lookups, client data, business transaction paths ...
  Enriched view: measure application response times, deeper insights for root-cause diagnostics, trace transaction paths, establish baselines ...

IT Operations
  Contextual data: application logs, monitoring data, metrics, events
  Wire data: payload data including process times, errors, transaction traces, ICA latency, SQL statements, DNS records ...
  Enriched view: analyze traffic volume, speed and packets to identify infrastructure performance issues, capacity constraints, changes; establish baselines ...

Security
  Contextual data: app + infra logs, monitoring data, events
  Wire data: protocol identification, protocol headers, content and payload information, flow records
  Enriched view: build analytics and context for incident response, threat detection, monitoring and compliance

Digital Intelligence
  Contextual data: website activity, clickstream data, metrics
  Wire data: browser-level customer interactions
  Enriched view: Customer Experience: analyze website and application bottlenecks to improve customer experience and online revenues; Customer Support (online, call center): faster root cause analysis and resolution of customer issues with website or apps
Scripted Inputs
§ Send data to Splunk via a custom script
§ Splunk indexes anything written to stdout
§ Splunk handles scheduling
§ Supports shell, Python scripts, Windows batch, PowerShell
§ Any other utility that can format and stream data
Streaming Mode
§ Splunk executes script and indexes stdout
§ Checks for any running instances
Write to File Mode
§ Splunk launches script which produces output file, no need for external scheduler
§ Splunk monitors output file

Use Cases for Scripted Inputs
§ Alternative to file-based or network-based inputs
§ Stream data from command-line tools, such as vmstat and iostat
§ Poll a web service, API or database and process the results
§ Reformat complex or binary data for easier parsing into events and fields
§ Maintain data sources with slow or resource-intensive startup procedures
§ Provide special or complex handling for transient or unstable inputs
§ Scripts that manage passwords and credentials
§ Wrapper scripts for command line inputs that contain special characters
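An added example of a streaming-mode scripted input, written for this page rather than taken from the workshop: it emits one timestamped key=value event per line on stdout, and before collecting anything it checks for an already running instance through a lock file, which is the "checks for any running instances" point above done by the script itself. The metrics are constructed so the script runs anywhere, and the lock path under the system temp directory is an assumption.

```python
#!/usr/bin/env python3
"""Streaming-mode scripted input: Splunk runs it on a schedule and indexes
whatever it writes to stdout. Example code, not from the workshop."""
import os
import sys
import tempfile
from datetime import datetime, timezone

# Lock file used by the single-instance check (path constructed for the example).
LOCK_PATH = os.path.join(tempfile.gettempdir(), "example_metrics_input.lock")


def quote(value):
    """Quote a value only when needed so Splunk's automatic key=value
    extraction still picks it up (spaces, = and quotes need quoting)."""
    text = str(value)
    if any(c in text for c in ' ="'):
        return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return text


def format_event(ts, **fields):
    """One event per line: timestamp first, then key=value pairs in the order
    given. Splunk extracts the timestamp and the pairs at search time."""
    return ts + " " + " ".join(k + "=" + quote(v) for k, v in fields.items())


def _pid_alive(pid):
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)  # signal 0 only checks that the PID exists
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True


def acquire_single_instance(lock_path):
    """True if this process may run, False if another live instance holds the
    lock. A stale lock (its PID is gone) is removed, since a killed run would
    otherwise block the input forever."""
    try:
        fd = os.open(lock_path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
    except FileExistsError:
        with open(lock_path) as f:
            content = f.read().strip()
        if content.isdigit() and _pid_alive(int(content)):
            return False
        os.unlink(lock_path)  # stale lock left by a dead run
        return acquire_single_instance(lock_path)
    with os.fdopen(fd, "w") as f:
        f.write(str(os.getpid()))
    return True


def release_lock(lock_path):
    try:
        os.unlink(lock_path)
    except FileNotFoundError:
        pass


def collect_metrics():
    """Constructed sample metrics; a real script would shell out to a tool
    such as vmstat or iostat, or call an API, and parse its output."""
    return {"host": "web01", "load1": 0.42, "disk_free_pct": 71,
            "note": "disk check ok"}


def main():
    if not acquire_single_instance(LOCK_PATH):
        sys.stderr.write("another instance is running; exiting\n")
        return 1
    try:
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        sys.stdout.write(format_event(ts, **collect_metrics()) + "\n")
        sys.stdout.flush()  # Splunk reads stdout; flush so nothing is lost
    finally:
        release_lock(LOCK_PATH)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Everything the script prints becomes an event, so diagnostics go to stderr (which Splunk records in splunkd.log), never to stdout.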
Database Inputs
§ Create value with structured data
§ Enrich search results with additional business context
§ Easily import data for deeper analysis
§ Integrate multiple DBs concurrently
§ Simple set-up, non-invasive and secure
DB Connect provides reliable, scalable, real-time integration between Splunk and traditional relational databases

Configure Database Inputs
§ DB Connect App
  § Real-time, scalable integration with relational DBs
  § Browse and navigate schemas and tables before data import
  § Reliable scheduled import
  § Seamless installation and UI configuration
  § Supports connection pooling and caching
§ "Tail" tables or import entire tables
  § Detect and import new/updated rows using timestamps or unique IDs
§ Supports many RDBMS flavors
  § AWS RDS Aurora, AWS RedShift, IBM DB2 for Linux, Informix, MemSQL, MS SQL, MySQL, Oracle, PostgreSQL, SAP SQL Anywhere (aka Sybase SA), Sybase ASE and IQ, Teradata
Splunk ODBC Driver
§ Interact with, manipulate and visualize machine data in Splunk Enterprise using business software tools
§ Leverage analytics from Splunk alongside Microsoft Excel, Tableau Desktop or MicroStrategy Analytics Desktop
§ Industry-standard connectivity to Splunk Enterprise
§ Empowers business users with direct and secure access to machine data
§ Combine machine data with structured data for better operational context
ODBC: How it Works (diagram)
Modular Inputs
§ Create your own custom inputs
§ Scripted input with structure and intelligence
§ First class citizen in the Splunk management interface
§ Appears under Settings > Data Inputs
§ Benefits over simple scripted input
  § Instance control: launch a single or multiple instances
  § Input validation
  § Support multiple platforms
  § Stream data as text or XML
  § Secure access to mod input scripts via REST endpoints

Example Modular Inputs
Twitter
§ Stream JSON data from a Twitter source to Splunk using Tweepy
Amazon S3 Online Storage
§ Index data from the Amazon S3 online storage web service
Java Messaging Service (JMS)
§ Poll message queues and topics through the JMS Messaging API
§ Talks to multiple providers: MQSeries (WebSphere MQ), ActiveMQ, Tibco EMS, HornetQ, RabbitMQ, Native JMS, WebLogic JMS, SonicMQ
Splunk Windows Inputs
§ Retrieve Windows event logs, registry keys, perfmon counters
More Modular Inputs
zLinux Forwarder
§ Easily collect and index data on IBM mainframes
§ Collect application and platform data
§ Download as new Forwarder distribution for s390x Linux
Extend Operational Intelligence to Mobile Apps
Deliver Better Performing, More Reliable Apps
Deliver Real-Time Omni-Channel Analytics
End-to-End Performance and Capacity Insights
Monitor App Usage and Performance
• Improve user retention by quickly identifying crashes and performance issues
• Establish whether issues are caused by an app or the network(s)
• Correlate app, OS and device type to diagnose crash and network performance issues
Integrated Analytics Platform for Diverse Data Stores
Full-featured, Integrated Product
Fast Insights for Everyone
Works with What You Have Today
(Diagram: Explore, Visualize, Dashboards, Share, Analyze; Hadoop clusters and NoSQL and other data stores reached through Hadoop client libraries and streaming resource libraries)
Bi-directional Integration with Hadoop
Connect to NoSQL and Other Data Stores
• Build custom streaming resource libraries
• Search and analyze data from other data stores in Hunk
• In partnership with leading NoSQL vendors
• Use in conjunction with DB Connect for relational database lookups
Virtual Indexes
§ Enables seamless use of almost the entire Splunk stack on data
§ Automatically handles MapReduce
§ Technology is patent pending
Data Enrichment
Agenda
§ Tags: categorize and add meaning to data
§ Field Aliases: simplify search and correlation
§ Calculated Fields: shortcut complex/repetitive computations
§ Event Types: group common events and share knowledge
§ Lookups: augment data with additional external fields

What is Data Enrichment?
§ Adds inline meaning/context/specificity to raw data
§ Used to normalize metadata or raw data
§ Simplifies correlation of multiple data sources
§ Created in Splunk
§ Transferred from external sources
Tags
§ Add meaning/context/specificity to raw data
§ Labels describing team, category, platform, geography
§ Applied to a field-value combination
§ Multiple tags can be applied for each field-value
§ Case sensitive

Create Tags
Tags in Action: Find the Web Servers
§ Tag the host as webserver
§ Tag the sourcetype as web
§ Search events with tag in any field: tag=webserver
§ Search events with tag in a specific field: tag::host=webserver
§ Search events with tag using wildcards: tag=web*
Field Aliases
§ Normalize field labels to simplify search and correlation
§ Apply multiple aliases to a single field
§ Example: Username | cs_username | User -> user
§ Example: c_ip | client | client_ip -> clientip
§ Processed after field extractions + before lookups
§ Can apply to lookups
§ Aliases appear alongside original fields

Create Field Alias: Re-Label Field to Intuitive Name
Field Alias in Action: Search using an Intuitive Field Name
§ Create field alias of clientip = customer
§ Search events in last 15 minutes (sourcetype=access_combined), find customer field
§ Field alias (customer) and original field (clientip) are both displayed
Calculated Fields
§ Shortcut for performing repetitive/long/complex transformations using the eval command
§ Based on extracted or discovered fields only
§ Do not apply to lookup or generated fields

Create Calculated Field: Compute Kilobytes from Bytes
Calculated Fields in Action: Search Using Kilobytes instead of Bytes
§ Create kilobytes = bytes/1024
§ Search events in last 15 minutes (sourcetype=access_combined) for kilobytes and bytes
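The three knowledge objects covered so far (tags, field aliases, calculated fields) applied in the order the workshop gives, as an added Python example that is not part of the original deck: field extraction, then aliases, then calculated fields over extracted fields only, plus a tag search that honours tag=, tag::field= and * wildcards with case-sensitive matching. The regex, the alias table and the tag assignments are hypothetical configuration for two constructed access_combined lines.

```python
import re

# Constructed sample events: (host, sourcetype, raw access_combined line).
RAW_EVENTS = [
    ("web01", "access_combined",
     '172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953'),
    ("db01", "access_combined",
     '10.1.1.9 - - [01/Jul/2005:12:06:01 -0700] "POST /trade/app HTTP/1.1" 404 512'),
]

# Field extraction for the access_combined lines above (hypothetical regex).
ACCESS_RE = re.compile(
    r'(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d+) (?P<bytes>\d+)')

# Hypothetical knowledge-object configuration for the example.
FIELD_ALIASES = {"clientip": ["customer", "client"]}   # original -> alias names
CALCULATED_FIELDS = {"kilobytes": lambda ev: float(ev["bytes"]) / 1024}
TAGS = {("host", "web01"): {"webserver"},             # tags attach to field=value
        ("sourcetype", "access_combined"): {"web"}}


def extract(host, sourcetype, raw):
    ev = {"host": host, "sourcetype": sourcetype, "_raw": raw}
    m = ACCESS_RE.match(raw)
    if m:
        ev.update(m.groupdict())
    return ev


def apply_aliases(ev):
    """Runs after extraction and before lookups: copy each extracted field to
    its alias names; the original field stays alongside the alias."""
    for field, aliases in FIELD_ALIASES.items():
        if field in ev:
            for alias in aliases:
                ev[alias] = ev[field]
    return ev


def apply_calculated(ev):
    """Evaluate each calculated field from extracted fields; a field the event
    lacks (a line the regex did not match) means the calculation is skipped."""
    for name, fn in CALCULATED_FIELDS.items():
        try:
            ev[name] = fn(ev)
        except (KeyError, ValueError):
            pass
    return ev


def tags_for(ev):
    """Tags whose field=value pair is present on the event, keyed by field."""
    found = {}
    for (field, value), tags in TAGS.items():
        if ev.get(field) == value:
            found.setdefault(field, set()).update(tags)
    return found


def _wildcard(pattern):
    # only * is special; the match is case sensitive, as tags are
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")) + r"\Z")


def search_tag(events, expr):
    """Evaluate one search term: tag=<pattern> (tag in any field) or
    tag::<field>=<pattern> (tag on a specific field)."""
    lhs, _, pattern = expr.partition("=")
    field = lhs[len("tag::"):] if lhs.startswith("tag::") else None
    rx = _wildcard(pattern)
    hits = []
    for ev in events:
        by_field = tags_for(ev)
        tags = by_field.get(field, set()) if field else set().union(*by_field.values())
        if any(rx.match(t) for t in tags):
            hits.append(ev)
    return hits


def pipeline(raw_events):
    """Extraction -> aliases -> calculated fields, in Splunk's processing order."""
    return [apply_calculated(apply_aliases(extract(h, s, r))) for h, s, r in raw_events]
```

The order matters for the workshop's caveats: a calculated field can use clientip or customer because both exist after aliasing, but it cannot use a lookup output, since lookups run later.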
Event Types
§ Classify and group common events
§ Capture and share knowledge
§ Based on search
§ Use in combination with fields and tags to define event topography

Create Event Types
§ Best Practice: use the punct field
  § Default metadata field describing event structure
  § Built on interesting characters: ",;-#$%&+./:=?@\\'|*\n\r\"(){}<>[]^! »
  § Can use wildcards

Event and its punct:
####<Jun 3, 2014 5:38:22 PM MDT> <Notice> <WebLogicServer> <bea03> <asiAdminServer> <WrapperStartStopAppMain> <> <WLS Kernel> <> <> <BEA-000360> <Server started in RUNNING mode>
  punct: ####<_,__::__>_<>_<>_<>_<>_<>_
172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953
  punct: ..._-_-_[:::_-]_\"_?=_/.\"__

Create Event Type: Classify Events as Known Bad
§ Show punct for sourcetype=access_combined
§ Pick a punct, then wildcard it after the timestamp
§ Add NOT status=200
§ Save as "bad" event type + Color: red + Priority: 1 (shift-reload in browser to show coloring)
sourcetype="access_combined" punct="..._-_-_[//_:::]*" NOT status=200
eventtype=bad
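An added example, not from the workshop, that approximates the punct computation and then evaluates a "bad" event type like the one above over constructed events. The rules implemented (drop letters and digits, map whitespace to _, keep every other character, cut at 30 characters) reproduce the WebLogic punct shown above, but they are an approximation of Splunk's own extraction, and the wildcard pattern in the event type definition is a construction for the sample lines rather than the exact pattern from the deck.

```python
import re

PUNCT_MAX_LEN = 30


def punct(raw):
    """Approximation of Splunk's punct field: letters and digits are dropped,
    each whitespace character becomes "_", other characters are kept, and the
    result is cut at 30 characters. (Splunk's extraction has further details,
    such as escaping of quotes, that this does not replicate.)"""
    out = []
    for ch in raw:
        if ch.isalnum():
            continue
        out.append("_" if ch.isspace() else ch)
        if len(out) == PUNCT_MAX_LEN:
            break
    return "".join(out)


def wildcard_to_regex(pattern):
    """Splunk-style wildcard where only * is special; [ ] ? . are literal,
    which matters because punct values are full of them."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")) + r"\Z", re.S)


# Hypothetical event type definition: the access_combined structure with
# everything after the timestamp wildcarded, plus NOT status=200.
EVENT_TYPES = {
    "bad": {"sourcetype": "access_combined",
            "punct": '..._-_-_[//:::_-]*',
            "not_status": "200"},
}

# Constructed sample events (status is the extracted field, as a string).
EVENTS = [
    {"sourcetype": "access_combined", "status": "200",
     "_raw": '172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953'},
    {"sourcetype": "access_combined", "status": "404",
     "_raw": '10.1.1.9 - - [01/Jul/2005:12:06:01 -0700] "GET /trade/app?action=view HTTP/1.1" 404 512'},
    {"sourcetype": "weblogic", "status": None,
     "_raw": "####<Jun 3, 2014 5:38:22 PM MDT> <Notice> <WebLogicServer> <bea03> <asiAdminServer> "
             "<WrapperStartStopAppMain> <> <WLS Kernel> <> <> <BEA-000360> <Server started in RUNNING mode>"},
]


def classify(ev):
    """Names of the event types whose definition the event matches; the same
    event may belong to several, as in Splunk."""
    names = []
    for name, d in EVENT_TYPES.items():
        if ev.get("sourcetype") != d["sourcetype"]:
            continue
        if not wildcard_to_regex(d["punct"]).match(punct(ev["_raw"])):
            continue
        if ev.get("status") == d["not_status"]:
            continue
        names.append(name)
    return names


if __name__ == "__main__":
    for ev in EVENTS:
        print(punct(ev["_raw"]), classify(ev))
```

Because punct is structural, it separates well-formed access_combined lines from anything else in the sourcetype before the status test is applied, which is why the workshop wildcards only the part after the timestamp.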
Lookups to Enrich Raw Data
(Diagram: external data sources such as LDAP/AD, watch lists, CRM/ERP, CMDB; data goes in, insight comes out)
Create additional fields from the raw data with a lookup to an external data source

Lookups
§ Augment raw events with additional fields
§ Provide context or supporting details
§ Translate field values to more descriptive data
  § Example: add text descriptions for error codes, IDs
  § Example: add contact details to usernames or IDs
  § Example: add descriptions to HTTP status codes
§ File-based or scripted lookups

Configure a Static Lookup: Convert a Code into a Description
1. Upload/create table
2. Assign table to lookup object
3. Map lookup to dataset

1. Create HTTP Status Table
§ Get the lookup from the Splunk Wiki (save to .csv file): http://wiki.splunk.com/Http_status.csv
§ Lookup table files > Add new
  § Name: http_status.csv (must have .csv file extension)
  § Upload: <path to .csv>
§ Verify lookup was created successfully:
| inputlookup http_status.csv

2. Add Lookup Definition
§ Lookup definitions > Add new
  § Name: http_status
  § Type: File-based
  § Lookup file: http_status.csv
§ Invoke the lookup manually:
sourcetype=access_combined | lookup http_status status OUTPUT status_description

3. Configure Automatic Lookup
§ Automatic lookups > Add new
  § Name: http_status (cannot have spaces)
  § Lookup table: http_status
  § Apply to: sourcetype=access_combined
  § Lookup input field: status
  § Lookup output field: status_description
§ Verify lookup is invoked automatically:
sourcetype=access_combined

Fancy Lookups
§ Temporal lookups for time-based lookups
  § Example: identify users on your network based on their IP address and the timestamp in DHCP logs
§ Use search results to populate a lookup table
  § ... | outputlookup <tablename|filename>
§ Call an external command or script
  § Python scripts only
  § Example: DNS lookup for IP <-> host
§ Create a lookup table using a relational database
  § Review matches against a database column or SQL query
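The static HTTP status lookup configured above and the temporal DHCP lookup from the Fancy Lookups slide, as an added Python example (not from the workshop): inputlookup reads a CSV table, lookup copies the requested output columns onto matching events and leaves non-matching events untouched, and the temporal variant picks the lease row that was current at the event's time. Both tables and the events are constructed for the example; in Splunk a temporal lookup is configured in transforms.conf with time_field and time_format rather than written in code.

```python
import csv
import io

# Constructed table in the shape of the Splunk Wiki's Http_status.csv
# (status, status_description, status_type); only a few sample rows.
HTTP_STATUS_CSV = """status,status_description,status_type
200,OK,Successful
302,Found,Redirection
404,Not Found,Client Error
500,Internal Server Error,Server Error
"""

# Constructed DHCP lease table for the temporal lookup: who held an IP from when.
DHCP_LEASES_CSV = """ip,user,lease_start
10.0.0.5,alice,1000
10.0.0.5,bob,2000
10.0.0.7,carol,1500
"""

# Constructed access_combined-style events; _time is epoch seconds.
EVENTS = [
    {"_time": 1500, "clientip": "10.0.0.5", "status": "404"},
    {"_time": 2500, "clientip": "10.0.0.5", "status": "200"},
    {"_time": 500, "clientip": "10.0.0.5", "status": "500"},
    {"_time": 1600, "clientip": "10.0.0.7", "status": "418"},
]


def inputlookup(csv_text):
    """Like `| inputlookup file.csv`: the table rows as dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events, table, input_field, output_fields):
    """Like `| lookup <def> <input_field> OUTPUT <output_fields>`: for each event
    whose input field matches a row, copy the requested columns onto the event.
    Events without a match are kept unchanged rather than dropped."""
    index = {row[input_field]: row for row in table}
    enriched = []
    for ev in events:
        ev = dict(ev)
        row = index.get(str(ev.get(input_field)))
        if row is not None:
            for f in output_fields:
                ev[f] = row[f]
        enriched.append(ev)
    return enriched


def temporal_lookup(events, table, match_field, event_key, time_field, output_fields):
    """Time-based lookup: match rows on a key (the IP) and, among the matching
    rows, take the one whose timestamp is the latest that is still at or before
    the event's _time. That attributes an IP in a web log to whoever held the
    DHCP lease at that moment; an event earlier than any lease gets nothing."""
    rows = sorted(table, key=lambda r: float(r[time_field]))
    enriched = []
    for ev in events:
        ev = dict(ev)
        best = None
        for row in rows:
            if row[match_field] == str(ev.get(event_key)) and float(row[time_field]) <= ev["_time"]:
                best = row
        if best is not None:
            for f in output_fields:
                ev[f] = best[f]
        enriched.append(ev)
    return enriched


if __name__ == "__main__":
    statuses = lookup(EVENTS, inputlookup(HTTP_STATUS_CSV), "status", ["status_description"])
    users = temporal_lookup(statuses, inputlookup(DHCP_LEASES_CSV), "ip", "clientip", "lease_start", ["user"])
    for ev in users:
        print(ev)
```

The time-ordered choice is the whole point of the temporal lookup: a plain lookup keyed on IP alone would attribute every 10.0.0.5 event to the same user, whichever row happened to win.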
More Data Enrichment
§ Creating and Managing Alerts (Job Inspector)
§ Macros
§ Workflow Actions
Level Up on Search & Reporting Commands
Agenda
§ Doing more with basic search commands
§ Advanced search commands
§ Doing more with basic reporting commands

Search Syntax Components (diagram)
Anatomy of a Search (diagram: from disk to results)
Doing More with Basic Search Commands
§ top: limit
§ rare: same options as top
§ timechart: parameters
§ stats: functions (sum, avg, list, values, sparkline)
§ sort: inline ascending or descending
§ addcoltotals
§ addtotals
§ Commands have parameters or qualifiers
§ top and rare have similar syntax
§ Each search command has its own syntax; show inline help

Using the top + rare Commands: Find Most and Least Active Customers
... | top limit=20 clientip
IPs with the most visits
... | rare limit=20 clientip
IPs with the least visits

Using the sort Command: Sort the Number of Customer Requests
§ Sort inline descending or ascending
... | stats count by clientip | sort - count
Number of requests by customer, descending
... | stats count by clientip | sort + count
Number of requests by customer, ascending

Using functions + rename command: Determine Total Customer Payload
§ Show Search Command Reference docs
  § Functions for eval + where
  § Functions for stats + chart and timechart
§ Invoke a function
§ Rename inline
... | stats sum(bytes) by clientip | sort - sum(bytes)
Total payload by customer, descending
... | stats sum(bytes) as totalbytes by clientip | sort - totalbytes
Total payload by customer, ascending

Using the list + values Functions: Observe Customer Activity
§ List all values of a field
§ List only distinct values of a field
... | stats values(action) by clientip
Distinct actions by customer
... | stats list(action) by clientip
Activity by customer

Combine list + values Functions: Analyze Customer Activity
§ Show distinct actions and cardinality of each action
sourcetype=access_combined | stats count(action) as value by clientip, action | eval pair=action + " (" + value + ")" | stats list(pair) as values by clientip

Add Columns and Sum Columns: Building a Table of Customer Activity
§ Add columns
§ Sum specific columns
... | stats count by clientip, action
2 cols: clientip + action
... | stats sum(bytes) as totalbytes, avg(bytes) as avgbytes, count as totalevents by clientip | addcoltotals totalbytes, totalevents
Sum totalbytes and totalevents columns

Sum Across Rows: Building a Table of Customer Activity
... | stats sum(bytes) as totalbytes, sum(other) as totalother by clientip | addtotals fieldname=totalstuff
For each row, add totalbytes + totalother
A better example: physical memory + virtual memory = total memory

Sparklines in Action: Trend Individual Customer Activity
... | stats sparkline(count) as trendline by clientip
In context of larger event set
... | stats sparkline(count) as trendline sum(bytes) by clientip
Inline in tables
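An added Python model of the stats, sort, top/rare, addcoltotals and addtotals commands used above (example code written for this page, not the workshop's), run over constructed events so the difference between list() and values(), column totals versus row totals, and top's percent column can be checked without a Splunk instance.

```python
from collections import OrderedDict

# Constructed access_combined-style events, not the workshop's data set.
EVENTS = [
    {"clientip": "10.0.0.1", "action": "view", "bytes": 1024},
    {"clientip": "10.0.0.1", "action": "view", "bytes": 2048},
    {"clientip": "10.0.0.1", "action": "purchase", "bytes": 512},
    {"clientip": "10.0.0.2", "action": "view", "bytes": 4096},
    {"clientip": "10.0.0.3", "action": "addtocart", "bytes": 256},
    {"clientip": "10.0.0.3", "action": "view", "bytes": 256},
]


def stats(events, by, aggs):
    """Like `| stats <aggs> by <by>`. aggs is a list of (function, field, alias)
    with function in count, sum, avg, list, values. Groups keep first-seen
    order; list() keeps every value in event order, values() keeps the
    distinct values sorted lexicographically, as the SPL functions do."""
    groups = OrderedDict()
    for ev in events:
        groups.setdefault(ev[by], []).append(ev)
    rows = []
    for key, evs in groups.items():
        row = {by: key}
        for fn, field, alias in aggs:
            vals = [ev[field] for ev in evs if field in ev] if field else evs
            if fn == "count":
                row[alias] = len(vals)
            elif fn == "sum":
                row[alias] = sum(vals)
            elif fn == "avg":
                row[alias] = sum(vals) / len(vals) if vals else None
            elif fn == "list":
                row[alias] = list(vals)
            elif fn == "values":
                row[alias] = sorted(set(vals))
            else:
                raise ValueError("unsupported stats function: " + fn)
        rows.append(row)
    return rows


def sort_rows(rows, field, descending=True):
    """`| sort - field` (descending) or `| sort + field` (ascending);
    stable, so ties keep their previous order."""
    return sorted(rows, key=lambda r: r[field], reverse=descending)


def top(events, field, limit=10):
    """`| top limit=N field`: most common values with count and percent of
    all events (percent rounded to six places, as Splunk shows it)."""
    rows = sort_rows(stats(events, field, [("count", None, "count")]), "count")
    total = len(events)
    for r in rows:
        r["percent"] = round(100.0 * r["count"] / total, 6)
    return rows[:limit]


def rare(events, field, limit=10):
    """`| rare limit=N field`: same columns as top, least common first."""
    return sort_rows(top(events, field, limit=None), "count", descending=False)[:limit]


def addcoltotals(rows, fields):
    """`| addcoltotals f1, f2`: append one row holding the column sums."""
    totals = {f: sum(r.get(f, 0) for r in rows) for f in fields}
    return rows + [totals]


def addtotals(rows, fieldname, fields):
    """`| addtotals fieldname=<name> f1 f2`: per-row sum across the columns."""
    return [dict(r, **{fieldname: sum(r.get(f, 0) for f in fields)}) for r in rows]


if __name__ == "__main__":
    table = stats(EVENTS, "clientip", [("count", None, "count"), ("sum", "bytes", "totalbytes"),
                                       ("values", "action", "distinct"), ("list", "action", "all")])
    for row in addcoltotals(sort_rows(table, "count"), ["totalbytes", "count"]):
        print(row)
    print(top(EVENTS, "clientip", limit=2))
```

addcoltotals adds a row (a column sum), addtotals adds a column (a row sum); the workshop's memory example is the addtotals case.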
Advanced Search Commands (command: short description; hints)
§ transaction: group events by a common field value. Convenient, but resource intensive.
§ cluster: cluster similar events together. Can be used on _raw or a field.
§ associate: identifies correlations between fields. Calculates entropy between field values.
§ correlate: calculates the correlation between different fields. Evaluates relationship of all fields in a result set.
§ contingency: builds a contingency table for two fields. Computes co-occurrence, or % two fields exist in same events.
§ anomalies: computes an unexpectedness score for an event. Computes similarity of event (X) to a set of previous events (P).
§ anomalousvalue: finds and summarizes irregular, or uncommon, search results. Considers frequency of occurrence or number of stdev from the mean.
Using the transaction Command: View Customer Activity by Session
§ Sew events together + creates duration + event count
§ Sparklines inline in tables
... | transaction JSESSIONID | table JSESSIONID, action, product_id
Group by JSESSIONID

Using the cluster Command: Automatically Group Customer Activity
§ Intelligent group (creates cluster_count and cluster_label)
... | cluster showcount=1 | table _raw, cluster_count, cluster_label
Do More with Basic Reporting Commands
§ Predict over time
§ Chart overlay with and without streamstats
§ Maps with iplocation + geostats
§ Single value
§ Metered visuals with gauge

Using the predict Command: Predict Website Traffic
§ Predict future values using lower/upper bounds: single and multiple series
... | timechart count as traffic | predict traffic

Simple Chart Overlay: Compare Browsing vs. Buying Activity
sourcetype=access_combined (action=view OR action=purchase) | timechart span=10m count(eval(action="view")) as Viewed, count(eval(action="purchase")) as Purchased

Geolocation in Action: Map Customer Activity Geographically
... | iplocation clientip | geostats count by clientip
Combine IP lookup with geo mapping

Single Value in Action: Display a Simple Count of Events
... | stats count

Single Value, Radial and Filler Gauges in Action: Display Counts Using Gauges
... | stats count | gauge count 10000 20000 30000 40000 50000
Data Model and Pivot
Agenda
§ What is a data model?
§ Build a data model
§ Pivot interface
§ Accelerate a data model

Powerful Analytics Anyone Can Use
Enables non-technical users to build complex reports without the search language
Provides more meaningful representation of underlying raw machine data
Acceleration technology delivers up to 1000x faster analytics over Splunk 5
(Diagram: Pivot, Data Model, Analytics Store)

Data Model: Define Relationships in Machine Data
• Describes how underlying machine data is represented and accessed
• Defines meaningful relationships in the data
• Enables single authoritative view of underlying raw data
Hierarchical object view of underlying data
Add constraints to filter out events

High Performance Analytics Store: Transparent Acceleration
• Automatically collected: handles timing issues, backfill ...
• Automatically maintained: uses acceleration window
• Stored on the indexers: peer to the buckets
• Fault tolerant collection
Time window of data that is accelerated
Check to enable acceleration of data model

Pivot: Easy-to-Use Analytics
• Drag-and-drop interface enables any user to analyze data
• Create complex queries and reports without learning search language
• Click to visualize any chart type; reports dynamically update when fields change
Select fields from data model
Time window
All chart types available in the chart toolbox
Save report to share

Common Information Model (CIM) App
§ Defines least common denominator for a data domain
§ Standard method to parse, categorize, normalize data
§ Set of field names and tags by domain
§ Packaged as Data Models in a Splunk App
§ Domains: security, web, inventory, JVM, performance, network sessions, and more
§ Minimal setup to use Pivot interface

Download CIM App
§ Apps > Find More Apps
§ Search: "Common Information Model"
§ Install free
§ Show fields for web + Web Data Model

Data Model & Pivot Tutorial
http://docs.splunk.com/Documentation/Splunk/latest/PivotTutorial/WelcometothePivotTutorial
Custom Visualizations and the Web Framework Toolkit
Agenda
§ Developer Platform
§ Web Framework Toolkit (WFT)
§ REST API and SDKs
§ Get a Flying Start

Optimizing the Analytics Process
Focus on the data: intuitive tools to enable the analyst
No single visualization exists to handle all data sets.
Never lose sight of the raw data
(Diagram: Splunk Analytics: Explore, Context, Visualize, Algorithms)

6.0 + 6.1: Simple, Interactive, and Extensible
(Diagram: Visualization Exploration; Customizable Framework; Powerful Analytics; Pivot and Data Models; Interactive Forms and Contextual Drilldown; Dashboard Editor and Web Framework)

The Splunk Enterprise Platform
(Diagram: core engine with Collection, Indexing and the Search Processing Language as core functions; Inputs, Apps and Other Content; SDK Content; User and Developer Interfaces through the Web Framework and the REST API)

What's Possible with the Splunk Enterprise Platform?
Power Mobile Apps; Log Directly; Extract Data; Customer Dashboards; Integrate BI Tools; Integrate Platform Services

Developer Platform
Powerful Platform for Enterprise Developers: Developers Can Customize and Extend
(Diagram: REST API. Build Splunk Apps: Simple XML, JavaScript, HTML5, Web Framework. Extend and Integrate Splunk: SDKs for Java, JavaScript, Python, Ruby, C#, PHP; Data Models; Search Extensibility; Modular Inputs)

Splunk Software for Developers
Gain Application Intelligence
Build Splunk Apps
Integrate and Extend Splunk

A Wealth of Splunk Apps: Over 1,100 apps available on the Splunk apps site
(Diagram: API, SDKs, UI; app categories: Server, Storage, Network; Server Virtualization; Operating Systems; Custom Applications; Business Applications; Cloud Services; App Performance Monitoring; Ticketing and Other; Web Intelligence; Mobile Applications; Stream)

Example Advanced Visualizations
§ Interactive, cut/paste examples from popular source repositories: D3, GitHub, jQuery
§ Splunk 6.x Dashboard Examples App: https://apps.splunk.com/app/1603
§ Custom Simple XML Extensions App: https://apps.splunk.com/app/1772
§ Splunk Web Framework Toolkit App: https://apps.splunk.com/app/1613
http://www.d3js.org

Add a D3 Bubble Chart
1. Go to Find More Apps and install the Splunk 6.x Dashboard Examples App
2. Enter the app
3. Go to Examples > Custom Visualizations > D3 Bubble Chart
4. Copy autodiscover.js (file) + components/bubblechart (dir) from $SH/etc/apps/simple_xml_examples/appserver/static to $SH/apps/search/appserver/static
5. Copy and paste the simple XML to a new dashboard
Resources
Splunk Documentation
• http://docs.splunk.com
• Official product docs
• Wiki and community topics
• Updated daily
• Can be printed to PDF

Splunk Answers
• http://answers.splunk.com
• Community driven
• Splunk supported
• Knowledge exchange
• Q&A

Splunk Education
• Recommended for Users: Using Splunk; Searching & Reporting
• Recommended for UI/Dashboard Developers: Developing Apps
• Instructor-Led Courses: Web; Onsite