Thursday, May 7, 2020

Splunk Intermediate

Splunk Tutorial
---------------

https://docs.splunk.com/Documentation/Splunk/latest/Search/ViewsearchjobpropertieswiththeJobInspector


Booleans
AND OR NOT

Fields
--
status=400
status=50*
status!=300

sourcetype=access_combined | fields clientip, action

Table
--
sourcetype=access_combined | table clientip, action

Rename
--
sourcetype=access_combined | rename clientip as "userip"

Dedup
--
sourcetype=access_combined | dedup clientip

sort command
lookup command

Module 2
--------
Field names are case sensitive
Field values are not case sensitive
Field values from a lookup are case sensitive by default
Boolean operators are case sensitive (must be upper case)

time - index - source - host - sourcetype

fast mode - performance (field discovery off)
verbose mode - completeness (all fields and events)
smart mode - combination of fast and verbose mode

Module 3 - Commands for Visualization
-------------------------------------
chart command
--
over - X axis
any stats function can be applied to the chart command

index=web sourcetype=access_combined status>299 | chart count over status
index=web sourcetype=access_combined status>299 | chart count over status by host
index=web sourcetype=access_combined status>299 | chart count by status,host
index=web sourcetype=access_combined status>299 | chart count over host by product_name
index=web sourcetype=access_combined status>299 | chart count over host by product_name usenull=f
index=web sourcetype=access_combined status>299 | chart count over host by product_name useother=f
index=web sourcetype=access_combined status>299 | chart count over host by product_name limit=5
index=web sourcetype=access_combined status>299 | chart count over host by product_name limit=0

Timechart command
-----------------
index=sales sourcetype=vendor_sales | timechart count
index=sales sourcetype=vendor_sales | timechart sum(price) by product_name
index=sales sourcetype=vendor_sales | timechart sum(price) by product_name limit=5
index=sales sourcetype=vendor_sales | timechart span=12hr sum(price) by product_name limit=0

Timewrap Command
----------------
index=sales sourcetype=vendor_sales product_name="Dream Crusher"| timechart span=1d sum(price) by product_name | timewrap 7d

index=sales sourcetype=vendor_sales product_name="Dream Crusher"| timechart span=1d sum(price) by product_name | timewrap 7d
|rename _time as Day | eval Day = strftime(Day,"%A")

Visualization Examples
----------------------
Line Graph
Format Options
Chart Overlay
Area Chart
Column Chart
Bar Graph
Pie Chart
Scatter Chart
Bubble Chart
Trellis Layout


https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomVizDevOverview


Module 4 - Advanced Visualizations
----------------------------------
Use Geographical Info

iplocation command
--
index=security sourcetype=linux_secure action=success src_ip!=10.* | iplocation src_ip

Geostats Command
--
index=sales sourcetype=vendor_sales | geostats latfield=VendorLatitude longfield=VendorLongitude count by product_name globallimit=4
index=security sourcetype=linux_secure action=success src_ip!=10.* | iplocation src_ip | geostats latfield=lat longfield=lon count

Choropleth Map
--
.kmz - zipped Keyhole Markup Language (KML) file
Geom command - Adds a field with geographic data structures matching polygons on the map.
--
index=sales sourcetype=vendor_sales VendorID>=5000 AND VendorID<=5055 | stats count as Sales by VendorCountry
|geom geo_countries featureidField=VendorCountry

Single Value Visualization
--
index=web sourcetype=access_combined action=purchase | stats sum(price) as total
index=web sourcetype=access_combined action=purchase | timechart sum(price)
index=web sourcetype=access_combined action=purchase | stats sum(price) as total | gauge total 0 30000 600000 700000

Trendline Command - Computes moving averages of field values.
--
Trendtype:
simple moving average (sma)
exponential moving average (ema)
weighted moving average (wma)

index=web sourcetype=access_combined action=purchase status=200 | timechart sum(price) as sales | trendline wma2(sales) as trendline

Field Formatting

Addtotals Command
--
index=web sourcetype=access_combined file=*| chart sum(bytes) over host by file | addtotals
index=web sourcetype=access_combined file=*| chart sum(bytes) over host by file | addtotals col=true label="Total"
index=web sourcetype=access_combined file=*| chart sum(bytes) over host by file | addtotals col=true label="Total" labelfield="host" row=false


Module 5 - Filtering and Formatting
---------------------------------
Eval command
--
- arithmetic, concatenation and boolean values are supported
- results can be written to a new field or replace an existing field
- newly created field values are case sensitive

sourcetype=cisco_wsa_squid s_hostname=* | stats values(s_hostname) by cs_username
sourcetype=cisco_wsa_squid s_hostname=* | stats values(s_bytes) as Bytes by Usage
sourcetype=cisco_wsa_squid s_hostname=* | stats values(s_bytes) as Bytes by Usage | eval bandwidth= Bytes/1024/1024
sourcetype=cisco_wsa_squid s_hostname=* | stats values(s_bytes) as Bytes by Usage | eval bandwidth= round(Bytes/1024/1024,2)
|sort -bandwidth | rename bandwidth as "Bandwidth(MB)" | fields - Bytes


Eval Mathematical Functions
--
index=web sourcetype=access_c* product_name=* action=purchase | stats sum(price) as total_list_price,sum(sale_price) as total_sale_price by product_name
| eval discount= round(((total_list_price - total_sale_price) / total_list_price)*100) | sort - discount
| eval discount = discount."%"


Eval Convert Values
--
Tostring function - converts numeric values to strings (string results no longer sort numerically)
--
index=web sourcetype=access_c* product_name=* action=purchase | stats sum(price) as total_list_price,sum(sale_price) as total_sale_price by product_name
| eval total_list_price = "$" + tostring(total_list_price,"commas")



Fieldformat command - formats values for display without changing the characteristics of the underlying values (numeric sort still works)
--
index=web sourcetype=access_c* product_name=* action=purchase | stats sum(price) as total_list_price,sum(sale_price) as total_sale_price by product_name
| eval total_list_price = "$" + tostring(total_list_price,"commas")
| fieldformat total_sale_price = "$" + tostring(total_sale_price,"commas")

Data in the index does not change.

Multiple eval commands
--
index=web sourcetype=access_c* product_name=* action=purchase | stats sum(price) as list_price,sum(sale_price) as sale_price by product_name
| eval current_discount = round(((list_price - sale_price)/list_price)*100)
| eval new_discount = (current_discount - 5)
| eval new_sale_price = list_price - (list_price * (new_discount/100))
| eval price_change_revenue = (new_sale_price - sale_price)

Eval Command IF Function
--
index=sales sourcetype=vendor_sales
| eval SalesTerritory = if(VendorID < 4000,"North America","Rest of the World")
| stats sum(price) as TotalRevenue by SalesTerritory

Eval Case Function
--
index=web sourcetype=access_combined
| eval httpCategory=case(status>=200 AND status<300,"Success",status>=300 AND status<400,"Redirect",
status>=400 AND status<500,"Client Error",status>=500,"Server Error",true(),"Something Other")

Eval with Stats
--
index=web sourcetype=access_combined
| stats count(eval(status<300)) as "Success",count(eval(status>=400 AND status<500)) as "Client Error",
count(eval(status>500)) as "Server Error"
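To show what the case() categorization and the stats count(eval(...)) pattern above actually compute, here is an added Python model (not code from the page or from Splunk) run over a few constructed, simplified access_combined lines; the log lines, IPs and the parser regex are assumptions, and the server-error condition uses >=500 so that status 500 itself is counted.

```python
import re
from collections import Counter

# Constructed sample events in a simplified access_combined layout (not real traffic).
SAMPLE_LOG = """\
10.1.1.5 - - [07/May/2020:10:00:01] "GET /cart.do?action=purchase HTTP/1.1" 200 1532
10.1.1.5 - - [07/May/2020:10:00:05] "GET /product.screen HTTP/1.1" 302 0
10.2.3.9 - - [07/May/2020:10:00:09] "GET /missing.html HTTP/1.1" 404 217
10.2.3.9 - - [07/May/2020:10:00:12] "POST /cart.do HTTP/1.1" 503 98
10.4.4.4 - - [07/May/2020:10:00:20] "GET /admin HTTP/1.1" 500 120
"""

# Minimal parser: client IP, request line and the HTTP status code.
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \d+')

def parse(log):
    """Turn raw lines into event dicts, skipping lines that do not match."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"clientip": m.group("clientip"), "status": int(m.group("status"))})
    return events

def http_category(status):
    """Same as the SPL case(): conditions are tested in order, first match wins,
    and true() is the catch-all at the end."""
    if 200 <= status < 300:
        return "Success"
    if 300 <= status < 400:
        return "Redirect"
    if 400 <= status < 500:
        return "Client Error"
    if status >= 500:
        return "Server Error"
    return "Something Other"

def category_counts(events):
    """eval httpCategory=case(...) | stats count by httpCategory"""
    return Counter(http_category(e["status"]) for e in events)

def stats_by_category(events):
    """stats count(eval(<cond>)) as <name>: each named counter is its own condition
    evaluated over all events, so one event may fall into none of them."""
    conds = {
        "Success": lambda s: s < 300,
        "Client Error": lambda s: 400 <= s < 500,
        "Server Error": lambda s: s >= 500,   # page uses >500; >= also counts 500 itself
    }
    return {name: sum(1 for e in events if cond(e["status"])) for name, cond in conds.items()}
```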

Search command
--
index=network sourcetype=cisco_wsa_squid usage=Violation
| stats count(usage) as Visits by cs_username | search Visits > 1

Where command
--
index=network sourcetype=cisco_wsa_squid
| stats count(eval(usage="Personal")) as Personal,count(eval(usage="Business")) as Business by username
| where Personal > Business | where username!="sie" | sort -Personal

Eval/Where tips (like() function)
---
_ matches exactly one character
% is the wildcard for any number of characters

index=web sourcetype=access_combined action=purchase | stats count by product_name
| where product_name like "Worl%"

null and isnotnull
--
index=sales sourcetype=vendor_sales | timechart sum(price) as sales | where isnull(sales)
index=sales sourcetype=vendor_sales | timechart sum(price) as sales | where isnotnull(sales)

Fillnull Command
--
index=sales sourcetype=vendor_sales | chart sum(price) over product_name by VendorCountry
| fillnull value="Nothing here"

Module 6 - Correlating Events
-----------------------------

Transaction Overview
Transaction command
---
index=web sourcetype=access_combined
| transaction clientip
| table clientip,action,product_name

Transaction Definitions
---
maxspan - Maximum total time allowed between the earliest and latest events of a transaction.
maxpause - Maximum pause allowed between two consecutive events.
startswith - Starts a transaction on the specified {terms, field values, evaluations}
endswith - Ends a transaction on the specified {terms, field values, evaluations}

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

index=web sourcetype=access_combined
| transaction clientip startswith="addtocart" endswith="purchase"
| table clientip,action,product_name

Investigate with Transaction
---
index=network sourcetype=cisco_esa
| transaction mid dcid icid
| search REJECT

Transaction vs Stats
---
transaction
 - Use to see events correlated together.
 - Use when events need to be grouped on start and end values.
stats
 - Use to see the results of a calculation.
 - Use when events need to be grouped on a field value.

index=web sourcetype=access_combined
| transaction clientip startswith=action="addtocart" endswith=action="purchase"
| table clientip, JSESSIONID, product_name, action, duration, eventcount, price
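The following is an added Python model (not from the page or from Splunk) of how the transaction command above groups events by clientip: startswith/endswith open and close a group, maxspan caps the time between first and last event, and each transaction gets the duration, eventcount and closed_txn fields. The events, timestamps and field values are constructed assumptions; maxpause and multi-field grouping are left out.

```python
from datetime import datetime

# Constructed sample events; field names follow the access_combined searches on the page.
EVENTS = [
    {"_time": "2020-05-07 10:00:00", "clientip": "10.1.1.5", "action": "view",      "product_name": "Dream Crusher"},
    {"_time": "2020-05-07 10:00:30", "clientip": "10.1.1.5", "action": "addtocart", "product_name": "Dream Crusher"},
    {"_time": "2020-05-07 10:02:10", "clientip": "10.1.1.5", "action": "purchase",  "product_name": "Dream Crusher"},
    {"_time": "2020-05-07 10:01:00", "clientip": "10.2.3.9", "action": "addtocart", "product_name": "Mediocre Kingdoms"},
    {"_time": "2020-05-07 10:20:00", "clientip": "10.2.3.9", "action": "purchase",  "product_name": "Mediocre Kingdoms"},
    {"_time": "2020-05-07 10:05:00", "clientip": "10.4.4.4", "action": "purchase",  "product_name": "Dream Crusher"},
]

def _ts(e):
    return datetime.strptime(e["_time"], "%Y-%m-%d %H:%M:%S")

def transaction(events, field, startswith=None, endswith=None, maxspan=None):
    """Group events sharing `field` in time order. startswith/endswith are
    (field, value) pairs like startswith=action="addtocart"; maxspan is seconds."""
    open_tx, done = {}, []
    for e in sorted(events, key=_ts):
        key = e[field]
        starts = startswith is None or e.get(startswith[0]) == startswith[1]
        if key not in open_tx:
            if not starts:          # not inside any transaction: dropped, like Splunk
                continue
            open_tx[key] = [e]
        else:
            grp = open_tx[key]
            if maxspan is not None and (_ts(e) - _ts(grp[0])).total_seconds() > maxspan:
                done.append(_finish(grp, closed=True))   # span exceeded: close old group
                del open_tx[key]
                if not starts:
                    continue
                open_tx[key] = [e]
            else:
                grp.append(e)
        if endswith is not None and e.get(endswith[0]) == endswith[1]:
            done.append(_finish(open_tx.pop(key), closed=True))
    # Groups never closed are still emitted, flagged closed_txn=0 as Splunk does.
    done.extend(_finish(g, closed=False) for g in open_tx.values())
    return done

def _finish(grp, closed):
    """Merge the group's field values (multivalue, in order of appearance) and add
    the transaction fields _time, duration, eventcount and closed_txn."""
    tx = {}
    for e in grp:
        for k, v in e.items():
            if k != "_time" and v not in tx.setdefault(k, []):
                tx[k].append(v)
    tx["_time"] = grp[0]["_time"]
    tx["duration"] = (_ts(grp[-1]) - _ts(grp[0])).total_seconds()
    tx["eventcount"] = len(grp)
    tx["closed_txn"] = int(closed)
    return tx
```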

(index=network sourcetype=cisco_wsa_squid) OR
(index=web sourcetype=access_combined) status>399
| fields sourcetype, status
| transaction status maxspan=5m
| search sourcetype=access_combined AND sourcetype=cisco_wsa_squid
| timechart count by status
| addtotals
| search Total>4



Module 7 - Knowledge Objects
----------------------------
Naming convention - {Group, Type, Platform, Category, Time, Description}
example - OPS_WFA_Network_Security_na_IPwhoisAction
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Developnamingconventionsforknowledgeobjecttitles

Module 8 - Field Extractions
----------------------------
Field extraction with Regex and Delimiter

Module 9 - Aliases and Calc Fields
----------------------------------
Field Aliases
--

Calculated Fields
 - must be based on extracted or discovered fields
 - Fields from a lookup table or generated by a search command cannot be used


Module 10 - Tags and Event Types
--------------------------------
Tags
- Allow you to designate descriptive names for key-value pairs
- Enable you to search for events that contain a particular field value

Tag values are case sensitive

Event Types
- Categorize events based on search strings
- Use tags to organize
- "eventtype" field within a search string
- Time range NOT available

Saved Reports
- Fixed search criteria
- Time range & formatting needed
- Share with Splunk users
- Add to dashboards

(index=web sourcetype=access_combined) OR (index=network sourcetype=cisco_wsa_squid) status> 500
eventtype="web_error"


Module 11 - Macros
------------------
Macros
- Reusable search strings or portions of search strings
- Useful for frequent searches with complicated search syntax

- Store entire search strings
- Time range independent
- Pass arguments to the search

https://docs.splunk.com/Documentation/CIM/4.15.0/User/Web

index=sales sourcetype=vendor_sales | stats sum(sale_price) as total_sales by Vendor
| eval total_sales = "$" + tostring(round(total_sales,2),"commas")

`ConvertUSD` = eval total_sales = "$" + tostring(round(total_sales,2),"commas")

Ctrl + Shift + E = Search Expansion window (shows the expanded macro)

index=sales sourcetype=vendor_sales VendorCountry=Germany OR VendorCountry=France OR VendorCountry=Italy
| stats sum(price) as USD by product_name
| eval USD = "$"+tostring(round(USD,2),"commas")

`Europe_sales`

index=sales sourcetype=vendor_sales VendorCountry=Germany OR VendorCountry=France OR VendorCountry=Italy
| stats sum(price) as USD by product_name
| `Europe_sales`

sourcetype=vendor_sales VendorCountry=Germany OR VendorCountry=France OR VendorCountry=Italy
| stats sum(price) as USD by product_name
| eval euro = "€" + tostring(round(USD*0.79,2), "commas"), USD = "$" +tostring(USD, "commas")

Macro definition convert_sales(currency, symbol, rate) - arguments are referenced as $name$:
stats sum(price) as USD by product_name
| eval $currency$="$symbol$".tostring(round(USD*$rate$,2),"commas"),USD="$" +tostring(USD,"commas")


index=sales sourcetype=vendor_sales VendorCountry=Germany OR VendorCountry=France OR VendorCountry=Italy
| `convert_sales(euro,€,.79)`

index=sales sourcetype=vendor_sales VendorCountry="United Kingdom"
| `convert_sales(GBP,£,.64)`

index=sales sourcetype=vendor_sales VendorCountry="India"
| `convert_sales(INR,₹,68)`



Module 12 - Workflow Actions
----------------------------
Create links to interact with external resources or to narrow a search.
Methods: GET and POST


Module 13 - Data Models
-----------------------

Data models consist of: events, searches, transactions
Data Model Framework - Pivot is the interface to the data

strftime(_time,"%m-%d %A")


Module 14 - CIM Common Information Model
-----------------------------------------
Maps all data to a defined model
Normalizes to a common language
Data can be normalized at index time or search time
CIM schema should be used for: field extractions, event types, aliases, tags
Knowledge objects can be shared globally across all apps.

Splunk Admin Notes

Splunk admin
------------

indexer
search head
forwarder
deployment server
license master
cluster master

Indexer
-
Indexing
parsing
searching

Hardware requirement for indexer
--
2 CPUs, 6 x 2GHz cores each
12GB RAM
1GbE NIC
64-bit Linux
800 IOPS

Search Head hardware requirement
--
4 CPUs, 4 x 2GHz cores each
12GB RAM
1GbE NIC
2 x 10K RPM 300GB SAS drives - RAID 1

Forwarder requirement
--
1 CPU, 2 x 1.5GHz cores
1GB RAM

Permission
--
Run Splunk as a dedicated splunk user, not as root (Linux), or as a dedicated service account on Windows

Time sync is a must
----
ntp

splunk process
--
splunkd

Ports
--
8089 - splunkd (management port)
 - distributed search between search heads and peers
 - license and deployment servers
 - REST API
 - command line interface

8000 - Splunk Web

8065 - Application Server (do not expose externally)
8191 - KV store
9997 - receiving from forwarders

Splunk install
--
untar splunk to /opt
#tar zxvf splunk-install.tgz -C /opt
#cd /opt/splunk/bin
#./splunk start --accept-license
#./splunk enable boot-start -user splunk

http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/ulimitErrors
http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/SplunkandTHP
http://docs.splunk.com/Documentation/Splunk/latest/Security/SecureSplunkWebusingasignedcertificate

License
--
Data Not Metered:
- Replicated in cluster
- Summary indexed
- Splunk internal logs
- Metadata files

.conf files
--
etc/
  system/
    default/   (shipped defaults, never edit)
    local/     (local overrides)
  apps/
    search/
    launcher/
      default/
      local/
  users/

.conf files hold:
- system settings
- data input configurations
- authentication and authorization info
- index mappings and settings
- deployment and cluster configurations
- knowledge objects
- saved searches

props.conf
Sets data processing properties:
- line-breaking
- character encoding
- timestamp recognition
- event segmentation
- automated host and sourcetype matching overrides
- search-time field extraction definitions

transforms.conf
Data transformation configuration:
- anonymizing sensitive data
- regex-based host and sourcetype overrides
- routing events to chosen indexes
- creating index-time field extractions
- multiple value extraction on the same field
- lookup table setup for external sources



Module 5 - Indexes
------------------

Indexes are repositories of data stored in flat files.

summary - used by summary indexing
_internal - Splunk internal logs and metrics
_audit - stores audit trails and optional audit information
_introspection - Splunk system performance and resource usage
_thefishbucket - checkpoint info for file monitoring inputs

var/lib/splunk/defaultdb - db (hot and warm buckets), colddb (cold), thaweddb (thawed)

https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Automatearchiving
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Restorearchiveddata
https://docs.splunk.com/Documentation/Splunk/latest/admin/Indexesconf#indexes.conf.spec


cd /opt/splunk/etc/apps/search/local
indexes.conf

Module 6 - User Administration
------------------------------


Module 7 - Data Inputs
--
upload files for indexing

Monitor Input Option
--

Universal Forwarder Input Option
--------------------------------
Receiver 9997

Forwarders
--
cd /opt/splunkforwarder/bin
./splunk start --accept-license
./splunk add forward-server ip:9997 -auth <username>:<password>
http://docs.splunk.com/Documentation/Splunk/6.2.1/Updating/Planadeployment


Heavy Forwarder
---------------
A heavy forwarder parses the data and forwards it to the indexer for indexing.
Smaller footprint than a full Splunk Enterprise instance
Cannot run distributed searches

http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Deployaheavyforwarder

http://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutsecuringdatafromforwarders


Module 8 - Grow Deployment
--------------------------
Distributed search --> search peers


outputs.conf
----------

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = IP:9997, IP:9997

http://docs.splunk.com/Documentation/Splunk/latest/DMC/DMCoverview

Splunkbase - app repository
