SplunkLive Auckland 2015 - New Features, Pivot and Search dojo
0 likes233 views
The document discusses new features in Splunk 6.3 including instant pivot tables, pivot tutorials, and the Search Dojo tool. It provides demos and examples of using instant pivot to explore data, pivot tutorials to learn the tool, and the Search Dojo to comment on and improve searches by using subsearches, ensuring results, and searching text fields.
![14
Search
Dojo
Use
a
subsearch
to
improve
performance.
sourcetype=access_combined
[|inputlookup ip_watchlist.csv | search
type=malicious | fields clientip ]](https://image.slidesharecdn.com/sm3lettwzjufi8nexvqy-signature-9899d5dfda83ed5ae56d018da73865e7a9acfd852564de5947ca9db9c7d8a1eb-poli-151202043621-lva1-app6891/85/SplunkLive-Auckland-2015-New-Features-Pivot-and-Search-dojo-14-320.jpg)
![15
Search
Dojo
Use
a
subsearch
to
search
for
text
rather
than
a
field.
sourcetype=access_combined
[|inputlookup ip_watchlist.csv | search
type=malicious | fields clientip | rename
clientip as query ]](https://image.slidesharecdn.com/sm3lettwzjufi8nexvqy-signature-9899d5dfda83ed5ae56d018da73865e7a9acfd852564de5947ca9db9c7d8a1eb-poli-151202043621-lva1-app6891/85/SplunkLive-Auckland-2015-New-Features-Pivot-and-Search-dojo-15-320.jpg)
![17
Search
Dojo
Ensuring
your
search
returns
a
result:
| inputlookup malwaredomains.csv |head 10 |
append [ |stats count | eval
domain="splunk.com" | eval
category="exploits" | eval isbad="false" |
eval reference="Test match to ensure results
from search" ]](https://image.slidesharecdn.com/sm3lettwzjufi8nexvqy-signature-9899d5dfda83ed5ae56d018da73865e7a9acfd852564de5947ca9db9c7d8a1eb-poli-151202043621-lva1-app6891/85/SplunkLive-Auckland-2015-New-Features-Pivot-and-Search-dojo-17-320.jpg)
SplunkLive Auckland 2015 - New Features, Pivot and Search dojo
- 1. New Features, Pivot and Search Dojo David Anso Technical Enablement Manager, GKC
- 2. 2 Safe Harbor Statement During the course of this presentaDon, we may make forward looking statements regarding future events or the expected performance of the company. We cauDon you that such statements reflect our current expectaDons and esDmates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements, please review our filings with the SEC. The forward-‐looking statements made in this presentaDon are being made as of the Dme and date of its live presentaDon. If reviewed aOer its live presentaDon, this presentaDon may not contain current or accurate informaDon. We do not assume any obligaDon to update any forward looking statements we may make. In addiDon, any informaDon about our roadmap outlines our general product direcDon and is subject to change at any Dme without noDce. It is for informaDonal purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligaDon either to develop the features or funcDonality described or to include any such feature or funcDonality in a future release.
- 3. New Features Pivot Search Dojo AGENDA
- 5. 5 New Features Demo: Splunk 6.3 Overview App
- 6. Pivot
- 7. 7 Pivot Demo: Instant Pivot
- 8. 8 Pivot Demo: Instant Pivot Pivot Tutorial
- 9. 9 Pivot Demo: Instant Pivot Pivot Tutorial Splunk CIM Data Model
- 10. Search Dojo
- 11. 11 Search Dojo Comment your search: sourcetype=access_combined | eval COMMENT="Examine all web logs" sourcetype=access_combined_wcookie | rename COMMENT AS "Examine all web logs"
- 12. 12 Search Dojo
- 13. 13 Search Dojo
- 14. 14 Search Dojo Use a subsearch to improve performance. sourcetype=access_combined [|inputlookup ip_watchlist.csv | search type=malicious | fields clientip ]
- 15. 15 Search Dojo Use a subsearch to search for text rather than a field. sourcetype=access_combined [|inputlookup ip_watchlist.csv | search type=malicious | fields clientip | rename clientip as query ]
- 16. 16 Search Dojo Issues with the subsearch approach: Subsearches have a limit of 10,000 results. If there are more result for the subsearch, only 10,000 of them will make it through. While searching text may prove faster, it will prevent you matching any field values that are created by calculated fields, lookups, etc.
- 17. 17 Search Dojo Ensuring your search returns a result: | inputlookup malwaredomains.csv |head 10 | append [ |stats count | eval domain="splunk.com" | eval category="exploits" | eval isbad="false" | eval reference="Test match to ensure results from search" ]