Splunk – Monitoring Files

Splunk Enterprise monitors and indexes a file or directory as new data appears in it. The path may be a mounted or shared directory, including a network file system, as long as Splunk Enterprise can read it. If the directory contains subdirectories, the monitor process examines them recursively for new files, again as long as they are readable. Files and directories can be included or excluded with whitelists and blacklists, which are regular expressions matched against the full path. Disabling or deleting a monitor input does not remove the data already indexed from the files it references; it only stops Splunk from checking those files for new data.

You specify the path to a file or directory and the monitor processor consumes any new data written there. This is how live application logs are monitored, such as web access logs or the logs of Java 2 Platform and .NET applications.

Add Files to Monitor

Files or directories can be added for monitoring from the Splunk web interface: go to Splunk Home → Add Data → Monitor. Clicking Monitor lists the kinds of files and directories that can be monitored. Choose the file to monitor, then accept the default values: Splunk inspects the file, proposes a source type and configures the monitoring options automatically. After the final step, the events captured from the monitored file are shown, and as new lines are appended to the file they are indexed and appear as new events.
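The same monitor input can be defined directly in inputs.conf instead of through the web interface. The fragment below is an added illustration, not configuration from the original chapter; the paths, the index name and the source types are assumptions. It shows the recursive directory monitoring and the whitelist/blacklist filtering described above.

```ini
# inputs.conf fragment (added illustration; paths, index and sourcetypes are assumed).
# Monitor an application log directory recursively, keeping only *.log files
# and skipping rotated or compressed archives. whitelist and blacklist are
# regular expressions matched against the full path; when both match a file,
# the blacklist wins and the file is not read.
[monitor:///var/log/webapp]
disabled = 0
index = web
sourcetype = access_combined
recursive = true
whitelist = \.log$
blacklist = \.(gz|zip|bz2)$|\.log\.\d+$
ignoreOlderThan = 7d

# Monitor a single file on a mounted share. The account Splunk runs as must be
# able to read the share, otherwise nothing is indexed and no error is raised
# in the search results themselves.
[monitor:///mnt/appserver/logs/app.log]
disabled = 0
index = web
sourcetype = log4j
```

After a restart or a reload of the inputs, the search `| rest /services/admin/inputstatus/TailingProcessor:FileStatus` lists every file the tailing processor has seen and whether it is being read, skipped by a blacklist, or unreadable, which is the quickest way to check that the whitelist and blacklist do what you intended.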

Splunk – Custom Chart

Charts created in Splunk have many options for customizing them to the user's needs. These customizations help display the data completely or change the interval over which it is calculated. After the chart has been created, we turn to the customization features.

Consider a search that computes several byte-size statistics of the requested files, grouped by day of the week. We choose a column chart to display the result and first look at the default X-axis and Y-axis settings.

Axis Customization

The axes can be customized with Format → X-Axis. Here we edit the axis Title and set Label Rotation to an inclined angle so that long labels fit the chart. After these edits the chart shows the new axis title and the rotated labels.

Legend Customization

The legend is customized with Format → Legend. We set Legend Position to Top, and set Legend Truncation to truncate the end of long legend entries if required. The chart then shows the legend at the top, with its colors and values.

Splunk – Removing Data

Data is removed from Splunk with the delete command. First build a search that returns exactly the events to be removed. Once that search is right, append the delete clause to it to remove those events from Splunk. After deletion, not even a user with admin privileges can view this data in Splunk.

Removal is irreversible. The delete command marks the matching events so that no later search returns them; it does not reclaim disk space, and it cannot bring the events back. If you need the removed data again, you must still have a copy of the original source data and re-index it, much as when adding data to a new index.

Assigning the Delete Privilege

No user, not even admin, has the delete capability by default; it belongs only to the "can_delete" role. So we create a new user, assign that role to it, and log in with the new user's credentials to perform the deletion. A new user with the "can_delete" role is created under Settings → Access Controls → Users → New User. It is good practice to keep this account separate from everyday accounts and to use it only for deletions. We then log out of the Splunk interface and log back in as the new user.

Identifying the Data to Be Removed

First identify the events to remove with a normal search query and its filter condition. In this example we look for events from the host web_application whose HTTP status field is 505. The goal is to delete only the events matching these values, so the search should be checked before anything is removed.

Deleting the Selected Data

Next, we use the delete command to remove the selected events. This means adding the word delete after a pipe ("|") at the end of the search query. After the search runs, the screen reports how many events were deleted from each index. Running the original search again verifies that the events are no longer returned.
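The three searches below write out the procedure described above as an added example; they are not screenshots from the original chapter. The host name comes from the text; the field name status, the index web and the time bounds are assumptions. The first search is the review step, the second is the same search with delete appended (run as a user holding the can_delete role), and the third is the verification, which now returns a count of 0.

```spl
index=web host=web_application status=505 earliest=-7d@d latest=now

index=web host=web_application status=505 earliest=-7d@d latest=now
| delete

index=web host=web_application status=505 earliest=-7d@d latest=now
| stats count
```

Two caveats worth keeping in mind: delete must receive raw events, so no transforming command such as stats or table may precede it, and the explicit earliest/latest bounds matter because the delete applies to whatever the search returns at run time, which may be more than what was reviewed a minute earlier if the time range is left open.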

Splunk – Subsearching

A subsearch is a special case of the regular search in which the result of a secondary, inner query becomes the input to the primary, outer query. It is similar to a subquery in SQL. When a search contains a subsearch, the subsearch runs first; its results are formatted as a search expression (field=value pairs, joined with OR when there are several rows) and substituted into the outer search. Subsearches are enclosed in square brackets in the primary search and must start with a generating command such as search. By default a subsearch is limited to 10,000 results and 60 seconds of run time, after which its output is truncated, so keep the inner query small.

Example

Consider finding the request in a web log with the largest byte size. That maximum may change every day. We want only those events whose size equals the maximum, and which occurred on a Sunday.

Create the Subsearch

First create the subsearch that finds the maximum size. We use the stats command with the max function on the field bytes. This yields the maximum size over the time range the search is run for.

Adding the Subsearch

Next, add the subsearch to the primary, outer query by putting it in square brackets, beginning with the search command. The result then contains only the events whose bytes value equals the maximum found over all events, and whose day is a Sunday.
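The subsearch described above, written out as an added example rather than taken from the original chapter's screenshots. The sourcetype access_combined and the constructed maximum of 52104 bytes used in the explanation are assumptions; bytes and date_wday are the standard fields of web access logs in Splunk. The first search is the inner query on its own; the second embeds it in the outer query.

```spl
sourcetype=access_combined
| stats max(bytes) AS bytes

sourcetype=access_combined date_wday=sunday
    [ search sourcetype=access_combined
      | stats max(bytes) AS bytes ]
```

The rename with AS bytes is what makes this work: the subsearch returns a single row, which Splunk formats as bytes=52104 (using the constructed value) and substitutes into the outer search, giving sourcetype=access_combined date_wday=sunday ( bytes=52104 ). Without the rename the substituted expression would be max(bytes)=52104, which matches no event. The expanded search can be confirmed in the Job Inspector's search.log, and the limit on the Sunday events applies only to the outer search, so the maximum is still taken over all days as the text intends.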

Splunk – Reports

Splunk reports are saved searches whose results can show statistics and visualizations of events. A report can be run at any time and fetches fresh results on each run. Reports can be shared with other users and added to dashboards. More sophisticated reports allow drilling down into the underlying events that produced the final statistics. In this chapter we create and edit a sample report.

Report Creation

Creating a report is straightforward: run the search, then use Save As → Report. A dialog asks for additional inputs: the report name, a description and whether to include the time range picker. Including the time picker allows the time range to be adjusted when the report is run. Fill in these details and click Save.

Report Configuration

After saving, the next screen offers the report's configuration, such as permissions and scheduling. There is also an option to continue and add the report to a dashboard. Clicking View displays the report; the same configuration options remain available after the report has been created.

Modifying the Report Search

While permissions, schedule and so on can be edited in place, sometimes the original search string itself must change. Choose Open in Search, which reopens the original search so it can be edited and saved again as the report.
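What the Save As → Report dialog and the scheduling screen write for you is a stanza in savedsearches.conf. The fragment below is an added illustration, not configuration from the original chapter; the report name, the search, the schedule and the recipient address are assumptions. It shows a report with a saved time range that is also scheduled and e-mailed.

```ini
# savedsearches.conf fragment (added illustration; the stanza name, search,
# schedule and recipient are assumed). The stanza name is the report name
# shown under Reports in the web interface.
[Web 505 errors by host]
description = Count of HTTP 505 responses per host over the last 24 hours
search = index=web status=505 | stats count BY host
# Time range stored with the report; these are what the report runs with
# when no time picker is offered or the picker is left untouched.
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
# Scheduling: run every day at 06:00 server time and e-mail the result.
enableSched = 1
cron_schedule = 0 6 * * *
action.email = 1
action.email.to = soc@example.com
action.email.sendpdf = 1
```

Permissions (which roles may read or edit the report, and whether it is private to the app or shared globally) are not stored in this file but in the app's metadata/local.meta, which is why changing them in the UI does not alter the stanza above. Open in Search edits the value of the search key.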