Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Advanced Splunk
  • Table Of Contents Toc
  • Feedback & Rating feedback
Advanced Splunk

Advanced Splunk

By : Tulsiram Yadav
3.8 (4)
Buy this Book
close
close
Advanced Splunk

Advanced Splunk

3.8 (4)
By: Tulsiram Yadav
Buy this Book

Overview of this book

Master the power of Splunk and learn the advanced strategies to get the most out of your machine data with this practical advanced guide. Make sense of the hidden data of your organization – the insight of your servers, devices, logs, traffic and clouds. Advanced Splunk shows you how. Dive deep into Splunk to find the most efficient solution to your data problems. Create the robust Splunk solutions you need to make informed decisions in big data machine analytics. From visualizations to enterprise integration, this well-organized high level guide has everything you need for Splunk mastery. Start with a complete overview of all the new features and advantages of the latest version of Splunk and the Splunk Environment. Go hands on with uploading data, search commands for basic and advanced analytics, advanced visualization techniques, and dashboard customizing. Discover how to tweak Splunk to your needs, and get a complete on Enterprise Integration of Splunk with various analytics and visualization tools. Finally, discover how to set up and use all the new features of the latest version of Splunk.
Table of Contents (14 chapters)
close
close
close
Preface
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Free Chapter
1
1. What's New in Splunk 6.3?
chevron up
1. What's New in Splunk 6.3?
Splunk's architecture
Search parallelization
Data integrity control
Intelligent job scheduling
The app key-value store
Splunk Enterprise Security
Authentication using SAML
Summary
2
2. Developing an Application on Splunk
2. Developing an Application on Splunk
Splunk apps and technology add-ons
Developing a Splunk app
Developing a Splunk add-on
Managing Splunk apps and add-ons
Splunk apps from the app store
Summary
3
3. On-boarding Data in Splunk
3. On-boarding Data in Splunk
Deep diving into various input methods and sources
Adding data to Splunk – new interfaces
Data processing
Managing event segmentation
Improving the data input process
Summary
4
4. Data Analytics
4. Data Analytics
Data and indexes
Search
Subsearch
Time
Fields
Results
Summary
5
5. Advanced Data Analytics
5. Advanced Data Analytics
Reports
Geography and location
Anomalies
Predicting and trending
Correlation
Machine learning
Summary
6
6. Visualization
6. Visualization
Prerequisites – configuration settings
Tables
Single value
Charts
Drilldown
Summary
7
7. Advanced Visualization
7. Advanced Visualization
Sunburst sequence
Geospatial visualization
Punchcard visualization
Calendar heatmap visualization
The Sankey diagram
Parallel coordinates
The force directed graph
Custom chart overlay
Custom decorations
Summary
8
8. Dashboard Customization
8. Dashboard Customization
Dashboard controls
Multi-search management
Tokens
Null search swapper
Switcher
Summary
9
9. Advanced Dashboard Customization
9. Advanced Dashboard Customization
Layout customization
Custom look and feel
The custom alert action
Summary
10
10. Tweaking Splunk
10. Tweaking Splunk
Index replication
Indexer auto-discovery
Sourcetype manager
Field extractor
Search history
Event pattern detection
Data acceleration
Splunk buckets
Search optimizations
Splunk health
Summary
11
11. Enterprise Integration with Splunk
11. Enterprise Integration with Splunk
The Splunk SDK
Installing the Splunk SDK
The Splunk SDK for Python
Splunk with R for analytics
Splunk with Tableau for visualization
Summary
12
12. What Next? Splunk 6.4
12. What Next? Splunk 6.4
Storage optimization
Machine learning
Management and admin
Indexer and search head enhancement
Visualizations
Multi-search management
Enhanced alert actions
Summary
13
Index
Index

The app key-value store

The app key-value store is a feature provided by Splunk Enterprise to manage and maintain the state of the application. Using an app key-value store, users can save and retrieve data from Splunk apps.

System requirements

The app key-value store feature is only available in the 64-bit distribution of Splunk Enterprise. It is not available in the 32-bit version of Splunk. It uses the 8191 port by default, but it can be configured from Server.conf located at $SPLUNK_HOME\etc\system\local by modifying the [kvstore] code block.

Uses of the key-value store

The following are some of the uses of a key-value store:

  • It can be used to manage the app state of the user interface by storing the session/application state information
  • It creates a checkpoint of the uploaded data in case of modular inputs
  • It enlists the environment variable used, accessed, or modified by users
  • It is the metadata storage of the user
  • It caches results from search queries

Components of the key-value store

The key-value store saves data in the collections of the key-value pair. The key-value store files are located on the search heads. The following are the various components of the key-value store:

  • Collections: Collections are containers for data storage similar to a database table.
  • Records: Records store the entry of data in the collection.
  • Fields: Fields contain the value of data in the JSON format file. Fields correspond to the key name similar to columns in the database table.
  • _key: This is the reserved field that contains a unique ID for each record. It is an autogenerated field that is not explicitly specified.
  • _user: This is also a reserved field that is used to map the user ID of each record.
  • Accelerations: This is used to improve search performance that contains the accelerated fields.

Let's take a look at how to create a key-value store collections via a config file. To use a key-value store, we need to create a key-value store collection using the following steps:

  1. Create a collections.conf file in the application's default or local directory, as follows $SPLUNK_HOME\etc\apps\APPNAME\default\collections.conf or $SPLUNK_HOME\etc\apps\APPNAME\local\collections.conf.
  2. Modify collections.conf by specifying the name of the collection and optionally, the schema of the data. Listed in the following sublist is the description of the parameters which need to be configured in collections.conf file:
    • [collection_name]: This is the collection name
    • enforceTypes: This is set to True or False to enforce the data types of values when inserting them into the collection.
    • field.name: This is an optional field. The available data types are string, time, Boolean, and number. If the data type is not set explicitly, then it is set to JSON.

Any change in collections.conf needs a restart of the Splunk instance to apply the changes on the search heads. Refer to the following example for better understanding:

[AndroidCollections]  #collection_name

The screenshot that follows shows a code snippet of the sample JSON data:

Components of the key-value store

The following screenshot is the code snippet of the enforce data type for the preceding JSON data:

Components of the key-value store

The following screenshot shows the sample code snippet for hierarchical JSON data:

Components of the key-value store

The following screenshot shows how a data type can be enforced on hierarchical data using a dot (.) notation:

Components of the key-value store

Managing key-value store collections via REST

The Splunk REST API can be used to create, read, delete, update, and manage key-value store data and collections. The Splunk REST API accesses Splunk via the management port (by default, 8089). The following are the REST endpoints for the key-value store:

  • storage/collections/config:
    • GET: This fetches a list of collections in a specific app
    • POST: This creates a new collection in a specific app
  • storage/collections/config/{collection}:
    • GET: This fetches information about a specific collection
    • DELETE: This deletes a collection
    • POST: This updates a collection
  • storage/collections/data/{collection}:
    • GET: This fetches records from a specific collection
    • POST: This inserts a new record into a specific collection
    • DELETE: This deletes all records from a specific collection
  • storage/collections/data/{collection}/{id}:
    • GET: This fetches records in a collection by a key ID
    • POST: This updates records in a collection by a key ID
    • DELETE: This deletes a record in a collection by a key ID
  • storage/collections/data/{collection}/batch_save:
    • POST: This runs one or more save (insert and replace) operations in a specific collection

Examples

There are various notations used in the following examples, such as username, password, IPAddress, and others. Users need to replace them with their own corresponding values to execute the examples. The following are the examples:

  • Fetching a list of collections for an android app:
    curl -k -u username:password \ 
https://IPAddress:8089/servicesNS/nobody/android/storage/collections/config
  • Creating a new collection called AndroidCollections in the android app:
    curl -k -u username:password \ -d name= AndroidCollections \ 
https://IPAddress:8089/servicesNS/nobody/android/storage/ collections/config
  • Defining a collection schema:
    curl -k -u username:password \ 
https://IPAddress:8089/servicesNS/nobody/android/storage/ collections/config/ AndroidCollections \ 
-d field.Devicename = string \ 
-d field.DeviceID = number \
-d field.DeviceInfo.DeviceBuild = string \
-d field.DeviceInfo.DeviceAndroidVersion = string
  • Adding data of the hierarchical JSON format to a collection:
    curl -k -u username:password \
https://IPAddress:8089/servicesNS/nobody/android/storage/ collections/config/ AndroidCollections \
-H 'Content-Type: application/json' \
-d '{ "Devicename" : "Test Device", "DeviceID" : 9661, "DeviceInfo" : { "DeviceBuild" : "Test build 9661C", "DeviceAndroidVersion" : "Marshmallow 6.0", "DeviceIMEI" : 12345678909876, "DeviceMAC" : "AA:BB:CC:DD:EE:FF" }} '
  • Getting all data from the collection:
    curl -k -u username:password \
https://IPAddress:8089/servicesNS/nobody/android/storage/ collections/config/ AndroidCollections
  • Getting a specific range of records from collections, for example, records from 10 to 15:
    curl -k -u username:password \
https://IPAddress:8089/servicesNS/nobody/android/storage/ collections/config/ AndroidCollections?sort=Devicename&skip=10&limit=5
  • Getting a record of a specific key ID:
    curl -k -u username:password \
https://IPAddress:8089/servicesNS/nobody/android/storage/ collections/config/ AndroidCollections/KEYID

    Where the key ID is the unique _key of collections for which the record is to be fetched.

  • Deleting the record of the specific key ID:
    curl -k -u username:password –X DELETE \
https://IPAddress:8089/servicesNS/nobody/android/storage/ collections/config/ AndroidCollections/KEYID
  • Deleting all records of the AndroidCollections collection:
    curl -k -u username:password –X DELETE \
https://IPAddress:8089/servicesNS/nobody/android/storage/ collections/config/ AndroidCollections

Replication of the key-value store

In case of a distributed environment, the key-value store can be replicated to a large number of search heads by enabling replication. By default, the key-value store is not replicated to indexers in distributed deployment of Splunk.

To enable replication, the collections.conf file is to be modified and we need to add replicate = true to the file.

End of Section 6
Next Section
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY