SplunkLive!
Dirk Beerbohm | Senior Sales Engineer
Set Up Before You Can Play
Download the following at splunk.com
▶ Splunk Enterprise:
• https://www.splunk.com/download
▶ Tutorial Data:
• http://splk.it/2ey34P8
▶ Search Tutorial
• http://splk.it/2ePSYKB
Getting Started With Splunk Enterprise
© 2018 SPLUNK INC.
Agenda
1. Splunk Overview
2. Using Splunk – Live Demonstration/Walk-Through
• Installing & Onboarding Data
• Searching
• Field Extraction
• Dashboards
• Alerting
• Analytics
3. Wrap-up/Q&A
Big Data Comes From Machines
Volume | Velocity | Variety | Variability
GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops
Splunk’s Mission: Make machine data accessible, usable, and valuable to everyone
What Does Machine Data Look Like?
Sources: Order Processing, Twitter, Care IVR, Middleware Error
Order Processing:
ORDER, 2018-01-21T14:04:12.484,10098213, 569281734,67.17.10.12,43CD1A7B8322,SA-2100
Middleware Error:
JAN 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213. Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException: weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port: ACMEDB-01:1521. Reason: Connection refused
Care IVR:
01/21/18 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type 0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a-13ae51a6d092, Trunk T451.16
01/21/18 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 CUSTID 10098213
01/21/18 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092
Twitter:
{actor:{displayName: “Go Cowboys!!”,followersCount:1366,friendsCount:789,link: http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”}, objectType:“person”,preferredUsername:“Cowb0ysF@n80”,statusesCount:6072},body: “Can’t buy this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if you hate @ACME!!”,objectType:“activity”,postedTime:“2018-01-21T16:39:40.647-0600”}
Machine Data Contains Critical Insights
Sources: Order Processing, Twitter, Care IVR, Middleware Error
The same four events as on the previous slide, with these fields highlighted: Customer ID, Order ID, Product ID, Customer’s Twitter ID, Customer’s Tweet, Company’s Twitter ID, Time waiting on hold.
Industry Leading Platform For Machine Data
Ad hoc search | Monitor and alert | Report and analyze | Custom dashboards | Developer Platform
On-Premises | Private Cloud | Public Cloud
Platform Support (Apps / API / SDKs) | Enterprise Scalability | Universal Indexing
Machine Data: Any Location, Type, Volume. Any Amount, Any Location, Any Source.
Sources: Storage, Online Shopping Cart, Telecoms, Desktops, Security, Web Services, Networks, Containers, Web Clickstreams, RFID, Smartphones and Devices, Servers, Messaging, GPS Location, Packaged Applications, Custom Applications, Online Services, Databases, Call Detail Records, Energy Meters, Firewall, Intrusion Prevention
Answer Any Question: No back-end database | Schema on-the-fly | No need to filter data | Quick time to value | Agile reporting and analytics | Real-time architecture
Installing and Using Splunk
Live Demonstration & Walk-Through
Getting Data Into Splunk
We will import sample web e-commerce store events.
▶ IMPORT THE ZIP FILE, not individual files within it: http://www.splunkbook.com (sample data is located under the ‘related links’ section; it is the same tutorialdata.zip from the first page)
▶ Log in to Splunk – http://127.0.0.1:8000 username=admin password=changeme
▶ To add the file to Splunk:
• Click Add Data
• Click Upload files from my computer
• Drag and drop your sample data zip file
• Review and finish
Common Problems at This Point
▶ License expired (already had an older version installed)
• Close browser, empty cache, open browser. If that doesn’t work:
• Stop Splunk
• Uninstall all Splunk versions
• Windows: Control Panel -> Uninstall programs -> Splunk
• OS X: Finder -> Applications -> Right click Splunk, Move to Trash
• Reinstall
• Start Splunk
▶ Can’t start Splunk
• Windows: Search Control Panel -> Services -> Splunk start
• Linux: cd <SPLUNK dir>/splunk/bin; ./splunk start
Let’s Dive In
Dashboard
▶ See Slide Note at right about adding in step-by-step instructions here.
Searches Used
▶ buttercupgames
▶ buttercupgames 400
▶ buttercupgames 400 OR 500
▶ buttercupgames status=400 OR status=500
▶ buttercupgames status=400 OR status=500 | timechart count by status limit=10
▶ buttercupgames status=*
▶ buttercupgames status=* | timechart count by status limit=10
▶ buttercupgames status=* AND status!=200 | timechart count by status limit=10
▶ index=* sourcetype=access_combined_wcookie
SplunkLive! Zurich 2018: Getting Started & Hands On
Searches Used (Continued)
▶ index=* sourcetype=access_combined_wcookie | top limit=20 browser_type (field extraction necessary)
▶ buttercupgames status!=200
▶ buttercupgames status!=200 | stats count by status | where count > 100
▶ buttercupgames status=* | iplocation clientip
▶ buttercupgames status=* | iplocation clientip | geostats count by action
Where do I go for help?
▶ SplunkLive! Presentations
• http://splunklive.splunk.com/presentations.html
▶ Documentation
• http://www.splunk.com/base/Documentation
▶ Technical Support
• http://www.splunk.com/support
▶ Videos
• http://www.splunk.com/videos
▶ Education
• http://www.splunk.com/view/education/SP-CAAAAH9
▶ Community
• http://answers.splunk.com
▶ Splunk Book
• http://splunkbook.com
Time to Start SPLUNKING!!!
Thriving Community
dev.splunk.com
75,000+ questions and answers
1,000+ apps
Local user groups and SplunkLive! events
SAVE THE DATE!
▶ Save the Date 2018: October 1-4, 2018
▶ 8,750+ Splunk Enthusiasts
▶ 300+ Sessions
▶ 100+ Customer Speakers
Plus Splunk University:
▶ Three Days: September 29-October 1, 2018
▶ Get Splunk Certified for FREE!
▶ Get CPE credits for CISSP, CAP, SSCP
Walt Disney World Swan and Dolphin Resort in Orlando
conf.splunk.com
Wrap-Up/Q&A
Thank You!
Don't forget to rate this session on Pony Poll
https://ponypoll.com/Zurich2018
Splunk Usergroup Zurich
▶ Splunk Usergroup Zürich
▶ Regular Splunk User get-togethers
▶ Frequent Splunk Ninja Presentations (D/E)
▶ Meetings throughout all major German-speaking cities (not only Zurich)
▶ Official language: German
▶ Not a sales thing
▶ Kick-off soon
▶ Join now: https://usergroups.splunk.com/group/splunk-user-group-zurich.html
http://bit.do/SPLUGZ
Don't forget to rate this session in the SplunkLive! mobile app
Thank You
Appendix: Detailed Walk-Through
Download Splunk Enterprise for your OS and architecture.
Download tutorialdata.zip.
With Firefox, Chrome or Safari, head to http://127.0.0.1:8000 (User = admin, Password = changeme).
You’ve successfully installed Splunk and logged in! Let’s add the tutorialdata.zip via “Add Data.”
You can also “Add Data” from Settings at the top.
Click on Upload.
Let’s drag tutorialdata.zip into “Drop your data file here.”
Click Next.
Splunk can auto-detect the source type. Let’s change the host field to buttercup-web01, and then click Review.
Looks good, click Submit.
Let’s start searching our data.
We’re brought into a search with filters applied to search the data we just uploaded.
Let’s type “buttercupgames” in the search bar, and double-click into a bar on the histogram.
Notice the time picker changed with our drill into the histogram bar.
Given that this data is web access, let’s do a string search for 400, which is a “Bad Request” code. Notice that there are 188 events returned (the number will vary for you).
Let’s also add 500 into the mix, and notice that my event count is higher now.
We can see the 400 and 500 status codes, but other status codes also show up in our results. That’s because the string search doesn’t explicitly search for status values; it will string-match any event that contains “400” or “500.”
Let’s explicitly search for status codes equaling the values we want to see returned.
Great, we’ve now returned all the events containing the two status codes we searched for. Click on “Top values by time,” which will build out a timechart for us.
Notice how our search query changed: there’s a | (pipe), and a timechart command added. The pipe followed by a command allows further operation on your filtered data set.
Let’s change our search to: buttercupgames status=* and drill into one bar on the histogram.
Click on “top values by time” under the status field on the left, which will produce the timechart at right.
Let’s exclude 200 status codes by adding AND status!=200, and change Line to Column.
After changing from Line to Column, let’s Stack the results (middle stack under Stack Mode). Much better!
Let’s now save this to a dashboard, a place we can go to view this search without having to remember what we had just searched for. Click Save As -> Dashboard Panel. Fill in, and click Save. Then, View Dashboard.
Click on Search to get us back to our Search bar, and let’s key in: buttercupgames. Development wants to know what web browsers are being used to access the site, but no fields currently exist. No problem; let’s extract the browser field. Find an event that contains a value that you’re looking for, and click the “>” arrow just to the left of “Time.” The event will expand with a down arrow, and Extract Fields will be under Event Actions. Click Extract Fields.
Click Regular Expression (Splunk will build a regular expression to extract our fields), and click Next. Highlight the value of the field you’d like to create, and let’s name the field: browser_type. Click Add Extraction.
Let’s verify that the extracted field contains values that are indeed types of browsers. Good, click Next to proceed. Now, open the permissions to “App,” which will allow users of the App to leverage this extraction. Click Next.
Success! Let’s explore the fields just created in Search, by clicking the link.
You’ll now be taken to Search, with the filter set to the sourcetype that the field extraction has been applied to. Note: field extractions are coupled to a sourcetype. Click on “Top values.”
Notice how the search changed. And, instead of a bar graph, we want a pie chart, so drop down the “bar” option and change it to pie. Let’s add this search to our dashboard, and then view the dashboard. Click Edit -> Edit Panels to drag the different panels to different positions.
Let’s go back to search, and search for buttercupgames AND status!=200 (we want to see events that aren’t successful). Add the stats and where clause above, to return when there are more than 100 unsuccessful status codes.
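Three points from the walk-through are easy to see in plain code: a raw string search for 400 also matches events whose status is not 400 (the slide where “other status codes also show up”), the browser_type field is a regular-expression extraction, and the alert is a stats/where threshold. The Python below is an added example, not part of the deck or Splunk’s own code; it mimics those SPL steps over constructed access_combined_wcookie-style lines (the exact field layout and the browser regex are assumptions), with the threshold lowered to 2 so the small sample trips it.

```python
import re
from collections import Counter

# Regex in the shape of Splunk's access_combined_wcookie sourcetype (assumption about
# the exact layout: clientip, identd, user, timestamp, request line, status, bytes,
# referer, user agent, session cookie).
ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)" (?P<cookie>\S+)$'
)

UA_CHROME = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/63.0.3239.84 Safari/537.36")
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"
UA_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/11.0 Safari/605.1.15")
UA_MSIE = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)"
SITE = "http://www.buttercupgames.com"

def _event(ip, ts, request, status, nbytes, referer, ua, cookie):
    """Build one constructed access-log line (sample data, not the tutorial data)."""
    return f'{ip} - - [{ts}] "{request}" {status} {nbytes} "{referer}" "{ua}" {cookie}'

SAMPLE_EVENTS = [
    # status 200, but the byte count 1400 contains the substring "400"
    _event("10.1.2.3", "21/Jan/2018:14:04:12", "GET /cart.do?action=view&itemId=EST-14 HTTP 1.1",
           200, 1400, SITE + "/", UA_CHROME, "SD1AAA"),
    # status 200, but the product id in the URI contains "400"
    _event("10.1.2.4", "21/Jan/2018:14:04:15", "GET /product.screen?productId=WC-SH-400 HTTP 1.1",
           200, 2051, SITE + "/", UA_FIREFOX, "SD2BBB"),
    # three genuine 400 Bad Request responses
    _event("10.1.2.5", "21/Jan/2018:14:04:18", "POST /cart.do?action=addtocart HTTP 1.1",
           400, 315, SITE + "/cart.do", UA_SAFARI, "SD3CCC"),
    _event("10.1.2.6", "21/Jan/2018:14:04:21", "POST /cart.do?action=addtocart HTTP 1.1",
           400, 315, SITE + "/cart.do", UA_CHROME, "SD4DDD"),
    _event("10.1.2.7", "21/Jan/2018:14:04:24", "GET /cart/error.do HTTP 1.1",
           400, 298, SITE + "/", UA_MSIE, "SD5EEE"),
    # server-side failures and one more success
    _event("10.1.2.8", "21/Jan/2018:14:04:27", "POST /cart.do?action=purchase HTTP 1.1",
           500, 0, SITE + "/cart.do", UA_CHROME, "SD6FFF"),
    _event("10.1.2.9", "21/Jan/2018:14:04:30", "GET /category.screen?categoryId=STRATEGY HTTP 1.1",
           503, 0, SITE + "/", UA_FIREFOX, "SD7GGG"),
    _event("10.1.2.10", "21/Jan/2018:14:04:33", "GET /category.screen?categoryId=ARCADE HTTP 1.1",
           200, 2048, SITE + "/", UA_SAFARI, "SD8HHH"),
]

def parse_events(lines):
    """Turn raw log lines into field dicts, keeping the raw text for keyword search."""
    events = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:  # lines that do not fit the sourcetype are skipped
            ev = m.groupdict()
            ev["_raw"] = line
            events.append(ev)
    return events

def keyword_search(events, term):
    """`buttercupgames 400`: a raw substring match, so 1400 bytes or WC-SH-400 also hit."""
    return [e for e in events if term in e["_raw"]]

def field_search(events, **criteria):
    """`status=400`: exact comparison against the extracted field, no false positives."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]

BROWSER_RE = re.compile(r"\b(Edge|Chrome|Firefox|MSIE|Safari)\b")
BROWSER_PRIORITY = ("Edge", "Chrome", "Firefox", "MSIE", "Safari")

def extract_browser_type(useragent):
    """Stand-in for the browser_type extraction (hypothetical regex, not the one Splunk
    builds). Chrome UAs also say Safari and Edge UAs also say Chrome, so pick the most
    specific token rather than the first match."""
    found = set(BROWSER_RE.findall(useragent))
    return next((b for b in BROWSER_PRIORITY if b in found), "other")

def top_browser_types(events):
    """`top browser_type`: (browser, count) pairs, most common first."""
    return Counter(extract_browser_type(e["useragent"]) for e in events).most_common()

def count_by_status(events, exclude=()):
    """`status!=... | stats count by status`."""
    return Counter(e["status"] for e in events if e["status"] not in exclude)

def statuses_over_threshold(events, threshold, exclude=("200",)):
    """`... | where count > threshold`: the alert fires when this dict is non-empty."""
    return {s: n for s, n in count_by_status(events, exclude).items() if n > threshold}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("keyword '400':", len(keyword_search(evs, "400")), "events")      # 5
    print("status=400:   ", len(field_search(evs, status="400")), "events")  # 3
    print("browser_type: ", top_browser_types(evs))
    print("alert rows:   ", statuses_over_threshold(evs, threshold=2))      # {'400': 3}
```

The two extra hits from the keyword search are the 200 responses whose byte count and product id happen to contain “400”, which is exactly the noise an alert built on a bare string search would fire on.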
Let’s create an alert. Save As -> Alert. Fill out the Title, Scheduled, Earliest + Latest, and Cron Expression. Instead of 48, change to minutes a few ahead of your current time (i.e., if it’s 9:00 a.m., change to 05).
Add to Triggered Alerts and Save.
You should see an alert trigger once your scheduled search runs at the Cron expression you defined. * Note: it was mentioned that alerts wouldn’t work on a trial license. * Correction: alerts will work until the trial license expires.
Let’s go back to search and: buttercupgames status=* | iplocation clientip. We want to look up the clientip values against the MaxMind database to pull in City, Country, State, Lat, Lon of the IPs.
Now, business is interested in seeing plots on a map of web users and what they’re doing with the website. Let’s append a geostats command that counts the events by the values of the action field. Pretty cool! This is definitely dashboard worthy. Let’s add to dashboard.
Awesome! Now we have a single pane of glass that Operations, Development and Business all care about, from one data source! Talk about value!

More Related Content

PPTX
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
PDF
Needlesand haystacks i360-dublin
PDF
Keep your Hadoop cluster at its best!
PPTX
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
PPTX
( Ethical hacking tools ) Information grathring
PDF
LTEC 2013 - EnCase v7.08.01 presentation
PPTX
Cisco OpenSOC
PPTX
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5
Needlesand haystacks i360-dublin
Keep your Hadoop cluster at its best!
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
( Ethical hacking tools ) Information grathring
LTEC 2013 - EnCase v7.08.01 presentation
Cisco OpenSOC
Applied Detection and Analysis Using Flow Data - MIRCon 2014

What's hot (20)

PDF
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
PDF
SplunkSummit 2015 - Security Ninjitsu
PPTX
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
PPTX
Incident Response for the Work-from-home Workforce
PPTX
Using Splunk for Information Security
PDF
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
PPTX
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
PPTX
Splunk Enterpise for Information Security Hands-On
PDF
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
PPTX
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
PDF
Breach and attack simulation tools
PDF
Managing your black friday logs - Code Europe
PPTX
Purpose Driven Hunt (DerbyCon 2017)
DOCX
Dc project plan
DOCX
Getting Started with Splunk Enterprise - Demo
PPT
Live data collection_from_windows_system
PDF
Conf2014_SplunkSecurityNinjutsu
PDF
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
PDF
Threat Con 2021: What's Hitting my Honeypots
PPTX
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
SplunkSummit 2015 - Security Ninjitsu
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Incident Response for the Work-from-home Workforce
Using Splunk for Information Security
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Splunk Enterpise for Information Security Hands-On
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Breach and attack simulation tools
Managing your black friday logs - Code Europe
Purpose Driven Hunt (DerbyCon 2017)
Dc project plan
Getting Started with Splunk Enterprise - Demo
Live data collection_from_windows_system
Conf2014_SplunkSecurityNinjutsu
Splunk App for Stream - Einblicke in Ihren Netzwerkverkehr
Threat Con 2021: What's Hitting my Honeypots
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Ad

Similar to SplunkLive! Zurich 2018: Getting Started & Hands On (20)

PPTX
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
PPTX
Getting Started with Splunk Enterprise
PPTX
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
PPTX
Getting Started with Splunk Enterprise Hands-On Breakout Session
PDF
SplunkSummit 2015 - HTTP Event Collector, Simplified Developer Logging
PDF
Anz summit 2015 http event collector - sydney
PDF
Machine Data Is EVERYWHERE: Use It for Testing
PPTX
SplunkLive! Paris 2018: Plenary Session
PDF
Pivotal - Advanced Analytics for Telecommunications
PDF
Data Onboarding
PDF
Data Onboarding
PPTX
Country domination - Causing chaos and wrecking havoc
PDF
#startathon2.0 - Spark Core
PPTX
Getting Started with Splunk Enterprise
PPTX
Getting Started with Splunk Enterprise
PPTX
Getting Started with Splunk Breakout Session
PDF
MNSEC 2018 - Observations from the APNIC Community Honeynet Project
PPTX
Getting Started with Splunk Enterprise
KEY
Move out from AppEngine, and Python PaaS alternatives
PPTX
SnorGen User Guide 2.0
SplunkLive! Munich 2018: Getting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Getting Started with Splunk Enterprise Hands-On Breakout Session
SplunkSummit 2015 - HTTP Event Collector, Simplified Developer Logging
Anz summit 2015 http event collector - sydney
Machine Data Is EVERYWHERE: Use It for Testing
SplunkLive! Paris 2018: Plenary Session
Pivotal - Advanced Analytics for Telecommunications
Data Onboarding
Data Onboarding
Country domination - Causing chaos and wrecking havoc
#startathon2.0 - Spark Core
Getting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
Getting Started with Splunk Breakout Session
MNSEC 2018 - Observations from the APNIC Community Honeynet Project
Getting Started with Splunk Enterprise
Move out from AppEngine, and Python PaaS alternatives
SnorGen User Guide 2.0
Ad

More from Splunk (20)

PDF
Splunk Leadership Forum Wien - 20.05.2025
PDF
Splunk Security Update | Public Sector Summit Germany 2025
PDF
Building Resilience with Energy Management for the Public Sector
PDF
IT-Lagebild: Observability for Resilience (SVA)
PDF
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
PDF
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
PDF
Praktische Erfahrungen mit dem Attack Analyser (gematik)
PDF
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
PDF
Security - Mit Sicherheit zum Erfolg (Telekom)
PDF
One Cisco - Splunk Public Sector Summit Germany April 2025
PDF
.conf Go 2023 - Data analysis as a routine
PDF
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
PDF
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
PDF
.conf Go 2023 - Raiffeisen Bank International
PDF
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
PDF
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
PDF
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
PDF
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
PDF
.conf go 2023 - De NOC a CSIRT (Cellnex)
PDF
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk Leadership Forum Wien - 20.05.2025
Splunk Security Update | Public Sector Summit Germany 2025
Building Resilience with Energy Management for the Public Sector
IT-Lagebild: Observability for Resilience (SVA)
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
Praktische Erfahrungen mit dem Attack Analyser (gematik)
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
Security - Mit Sicherheit zum Erfolg (Telekom)
One Cisco - Splunk Public Sector Summit Germany April 2025
.conf Go 2023 - Data analysis as a routine
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
.conf Go 2023 - Raiffeisen Bank International
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
.conf go 2023 - De NOC a CSIRT (Cellnex)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)

Recently uploaded (20)

PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PPTX
Big Data Technologies - Introduction.pptx
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Approach and Philosophy of On baking technology
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PDF
Encapsulation theory and applications.pdf
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PPTX
Spectroscopy.pptx food analysis technology
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
DOCX
The AUB Centre for AI in Media Proposal.docx
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
sap open course for s4hana steps from ECC to s4
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PDF
Spectral efficient network and resource selection model in 5G networks
PPTX
Machine Learning_overview_presentation.pptx
PDF
cuic standard and advanced reporting.pdf
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Big Data Technologies - Introduction.pptx
Digital-Transformation-Roadmap-for-Companies.pptx
Approach and Philosophy of On baking technology
Chapter 3 Spatial Domain Image Processing.pdf
Encapsulation theory and applications.pdf
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
The Rise and Fall of 3GPP – Time for a Sabbatical?
Spectroscopy.pptx food analysis technology
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
“AI and Expert System Decision Support & Business Intelligence Systems”
The AUB Centre for AI in Media Proposal.docx
Encapsulation_ Review paper, used for researhc scholars
sap open course for s4hana steps from ECC to s4
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Spectral efficient network and resource selection model in 5G networks
Machine Learning_overview_presentation.pptx
cuic standard and advanced reporting.pdf
gpt5_lecture_notes_comprehensive_20250812015547.pdf
20250228 LYD VKU AI Blended-Learning.pptx

SplunkLive! Zurich 2018: Getting Started & Hands On

  • 1. SplunkLive! Dirk Beerbohm | Senior Sales Engineer
  • 2. Set Up Before You Can Play Download the following at splunk.com ▶ Splunk Enterprise: • https://www.splunk.com/download ▶ Tutorial Data: • http://splk.it/2ey34P8 ▶ Search Tutorial • http://splk.it/2ePSYKB
  • 4. © 2018 SPLUNK INC. 1. Splunk Overview 2. Using Splunk – Live Demonstration/Walk-Through • Installing & Onboarding Data • Searching • Field Extraction • Dashboards • Alerting • Analytics 3. Wrap-up/Q&A Agenda
  • 5. Big Data Comes From Machines Volume | Velocity | Variety | Variability GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops Splunk’s Mission: Make machine data accessible, usable, and valuable to everyone
  • 6. What Does Machine Data Look Like? Order Processing Twitter Care IVR Middleware Error ORDER, 2018-01-21T14:04:12.484,10098213, 569281734,67.17.10.12,43CD1A7B8322,SA-2100 JAN 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213. Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException: weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port: ACMEDB-01:1521. Reason: Connection refused 01/21/18 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type 0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a- 13ae51a6d092, Trunk T451.16 01/21/18 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 CUSTID 10098213 01/21/18 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 {actor:{displayName: “Go Cowboys!!”,followersCount:1366,friendsCount:789,link: http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”}, objectType:“person”,preferredUsername:“Cowb0ysF@n80”,statusesCount:6072},body: “Can’t buy this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if you hate @ACME!!”,objectType:“activity”,postedTime:“2018-01-21T16:39:40.647-0600”} SOURCES
  • 7. Machine Data Contains Critical Insights Order Processing Twitter Care IVR Middleware Error Customer ID Order ID ORDER, 2018-01-21T14:04:12.484,10098213, 569281734,67.17.10.12,43CD1A7B8322,SA-2100 JAN 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213. Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException: weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port: ACMEDB-01:1521. Reason: Connection refused 01/21/18 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type 0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a- 13ae51a6d092, Trunk T451.16 01/21/18 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 CUSTID 10098213 01/21/18 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 {actor:{displayName: “Go Cowboys!!”,followersCount:1366,friendsCount:789,link: http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”}, objectType:“person”,preferredUsername:“Cowb0ysF@n80”,statusesCount:6072},body: “Can’t buy this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if you hate @ACME!!”,objectType:“activity”,postedTime:“2018-01-21T16:39:40.647-0600”} Order ID Customer’s Twitter ID Customer ID Customer ID Time waiting on hold Customer’s Tweet Company’s Twitter ID Product ID SOURCES
  • 8. Machine Data Contains Critical Insights SOURCES Order Processing Twitter Care IVR Middleware Error Customer ID Order ID ORDER, 2018-01-21T14:04:12.484,10098213, 569281734,67.17.10.12,43CD1A7B8322,SA-2100 JAN 21 14:04:12.996 wl-01.acme.com Order 569281734 failed for customer 10098213. Exception follows: weblogic.jdbc.extensions.ConnectionDeadSQLException: weblogic.common.resourcepool.ResourceDeadException: Could not create pool connection. The DBMS driver exception was: [BEA][Oracle JDBC Driver] Error establishing socket to host and port: ACMEDB-01:1521. Reason: Connection refused 01/21/18 16:33:11.238 [CONNEVENT] Ext 1207130 (0192033): Event 20111, CTI Num:ServID:Type 0:19:9, App 0, ANI T7998#1, DNIS 5555685981, SerID 40489a07-7f6e-4251-801a- 13ae51a6d092, Trunk T451.16 01/21/18 16:33:11:242 [SCREENPOPEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 CUSTID 10098213 01/21/18 16:37:49.732 [DISCEVENT] SerID 40489a07-7f6e-4251-801a-13ae51a6d092 {actor:{displayName: “Go Cowboys!!”,followersCount:1366,friendsCount:789,link: http://dallascowboys.com/,location:{displayName:“Dallas, TX”,objectType:“place”}, objectType:“person”,preferredUsername:“Cowb0ysF@n80”,statusesCount:6072},body: “Can’t buy this device from @ACME. Site doesn’t work! Called, gave up on waiting for them to answer! RT if you hate @ACME!!”,objectType:“activity”,postedTime:“2018-01-21T16:39:40.647-0600”} Order ID Customer’s Twitter ID Customer ID Customer ID Time waiting on hold Customer’s Tweet Company’s Twitter ID Product ID
  • 9. Industry Leading Platform For Machine Data Custom dashboards Report and analyze Monitor and alert Developer Platform Ad hoc search On-Premises Private Cloud Public Cloud Storage Online Shopping Cart Telecoms Desktops Security Web Services Networks Containers Web Clickstreams RFID Smartphones and Devices Servers Messaging GPS Location Packaged Applications Custom Applications Online Services DatabasesCall Detail Records Energy MetersFirewall Intrusion Prevention Platform Support (Apps / API / SDKs) Enterprise Scalability Universal Indexing Machine Data: Any Location, Type, Volume Answer Any Question Any Amount, Any Location, Any Source No back-end database Schema on-the-fly No need to filter data Quick time to value Agile reporting and analytics Real-time architecture
  • 10. Installing and Using Splunk Live Demonstration & Walk-Through
  • 11. Set Up Before You Can Play Get the following at splunk.com ▶ Splunk Enterprise: • https://www.splunk.com/download ▶ Tutorial Data: • http://splk.it/2ey34P8 ▶ Search Tutorial • http://splk.it/2ePSYKB
• 12. Getting Data Into Splunk
We will import sample web e-commerce store events.
▶ IMPORT THE ZIP FILE, not individual files within it: http://www.splunkbook.com (the sample data is located under the ‘related links’ section; *same tutorialdata.zip as on the first page)
▶ Log in to Splunk: http://127.0.0.1:8000 username=admin password=changeme (the default credentials on this release; change the admin password after first login)
▶ To add the file to Splunk:
  • Click Add Data
  • Click Upload files from my computer
  • Drag and drop your sample data zip file
  • Review and finish
• 13. Common Problems at This Point
▶ License expired (already had an older version installed)
  • Close browser, empty cache, open browser. If that doesn’t work:
  • Stop Splunk
  • Uninstall all Splunk versions
    • Windows: Control Panel -> Uninstall programs -> Splunk
    • OS X: Finder -> Applications -> Right click Splunk, Move to trash
  • Reinstall
  • Start Splunk
▶ Can’t start Splunk
  • Windows: Search Control panel -> Services -> Splunk start
  • Linux: cd <SPLUNK dir>/splunk/bin; ./splunk start
  • 15. © 2018 SPLUNK INC. ▶ See Slide Note at right about adding in step-by-step instructions here. Dashboard
• 16. Searches Used
▶ buttercupgames
▶ buttercupgames 400
▶ buttercupgames 400 OR 500
▶ buttercupgames status=400 OR status=500
▶ buttercupgames status=400 OR status=500 | timechart count by status limit=10
▶ buttercupgames status=*
▶ buttercupgames status=* | timechart count by status limit=10
▶ buttercupgames status=* AND status!=200 | timechart count by status limit=10
▶ index=* sourcetype=access_combined_wcookie
• 18. Searches Used (Continued)
▶ index=* sourcetype=access_combined_wcookie | top limit=20 browser_type (field extraction necessary)
▶ buttercupgames status!=200
▶ buttercupgames status!=200 | stats count by status | where count > 100
▶ buttercupgames status=* | iplocation clientip
▶ buttercupgames status=* | iplocation clientip | geostats count by action
• 19. Time to Start SPLUNKING!!! Where do I go for help?
▶ SplunkLive! Presentations
  • http://splunklive.splunk.com/presentations.html
▶ Documentation
  • http://www.splunk.com/base/Documentation
▶ Technical Support
  • http://www.splunk.com/support
▶ Videos
  • http://www.splunk.com/videos
▶ Education
  • http://www.splunk.com/view/education/SP-CAAAAH9
▶ Community
  • http://answers.splunk.com
▶ Splunk Book
  • http://splunkbook.com
• 20. Thriving Community
dev.splunk.com
75,000+ questions and answers
1,000+ apps
Local user groups and SplunkLive! events
• 21. SAVE THE DATE!
▶ Save the Date 2018: October 1-4, 2018, Walt Disney World Swan and Dolphin Resort in Orlando (conf.splunk.com)
▶ 8,750+ Splunk Enthusiasts
▶ 300+ Sessions
▶ 100+ Customer Speakers
Plus Splunk University:
▶ Three Days: September 29-October 1, 2018
▶ Get Splunk Certified for FREE!
▶ Get CPE credits for CISSP, CAP, SSCP
  • 23. Thank You! Don't forget to rate this session on Pony Poll https://ponypoll.com/Zurich2018
• 24. Splunk Usergroup Zurich (http://bit.do/SPLUGZ)
▶ Splunk Usergroup Zürich
▶ Regular Splunk User get-togethers
▶ Frequent Splunk Ninja Presentations (D/E)
▶ Meetings throughout all major German-speaking cities (not only Zurich)
▶ Official language: German
▶ Not a sales thing
▶ Kick-off soon
▶ Join now: https://usergroups.splunk.com/group/splunk-user-group-zurich.html
• 25. Don't forget to rate this session in the SplunkLive! mobile app. Thank You
• 28. Download Splunk Enterprise for your OS and architecture.
• 29. Download tutorialdata.zip
• 30. With Firefox, Chrome or Safari, head to http://127.0.0.1:8000 User = admin Password = changeme
• 31. You’ve successfully installed Splunk and logged in! Let’s add the tutorialdata.zip via “Add Data.”
• 32. You can also “Add Data” from Settings at the top.
• 33. Click on Upload.
• 34. Let’s drag tutorialdata.zip into “Drop your data file here.”
• 35. Click Next.
• 36. Splunk can auto-detect the source type. Let’s change the host field to buttercup-web01, and then click Review.
• 37. Looks good, click Submit.
• 38. Let’s start searching our data.
• 39. We’re brought into a search with filters applied to search the data we just uploaded.
• 40. Let’s type “buttercupgames” in the search bar, and double-click a bar on the histogram.
• 41. Notice that the time picker changed with our drill into the histogram bar.
• 42. Given that this data is web access, let’s do a string search for 400, which is a “Bad Request” code. Notice that there are 188 events returned (the number will vary for you).
• 43. Let’s also add 500 into the mix, and notice that the event count is higher now.
• 44. We can see the 400 and 500 status codes, but other status codes also show up in our results. That’s because the string search doesn’t explicitly search for status values: it matches any event whose text contains “400” or “500” anywhere, not only in the status field.
• 45. Let’s explicitly search for the status codes whose values we want returned.
• 46. Great, we’ve now returned all the events containing the two status codes we searched for. Click on “Top values by time,” which will build a timechart for us.
• 47. Notice how our search query changed: there’s a | (pipe) and a timechart command added. The pipe followed by a command allows further operations on your filtered data set.
• 48. Let’s change our search to: buttercupgames status=* and drill into one bar on the histogram.
• 49. Click on “top values by time” under the status field on the left, which will produce the timechart at right.
• 50. Let’s exclude 200 status codes by adding AND status!=200, and change Line to Column.
• 51. After changing from Line to Column, let’s stack the results (the middle option under Stack Mode). Much better!
• 52. Let’s now save this to a dashboard, a place we can go to view this search without having to remember what we had just searched for. Click Save As -> Dashboard Panel. Fill in the form and click Save. Then, View Dashboard.
• 53. Click on Search to get back to our search bar, and let’s key in: buttercupgames. Development wants to know which web browsers are being used to access the site, but no such field currently exists. No problem: let’s extract the browser field. Find an event that contains a value you’re looking for, and click the “>” arrow just to the left of “Time.” The event will expand with a down arrow, and Extract Fields will be under Event Actions. Click Extract Fields.
• 54. Click Regular Expression (Splunk will build a regular expression to extract our fields), and click Next. Highlight the value of the field you’d like to create, and name the field browser_type. Click Add Extraction.
• 55. Let’s verify that the extracted field contains values that are indeed types of browsers. Good, click Next to proceed. Now open the permissions to “App,” which lets users of the app use this extraction. Click Next.
• 56. Success! Let’s explore the fields just created in Search by clicking the link.
• 57. You’ll now be taken to Search, with the filter set to the sourcetype that the field extraction has been applied to. Note: field extractions are coupled to a sourcetype. Click on “Top values.”
• 58. Notice how the search changed. And instead of a bar graph, we want a pie chart, so drop down the “bar” option and change it to pie.
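The extraction steps on slides 53 to 58, and in particular the "verify the values are really browsers" step, as an added Python example that is not code from the deck or from Splunk: a regex-based browser_type extraction over constructed access_combined_wcookie-style events, showing why a regex generated from one highlighted event needs that verification step, and that an extraction applies only to its own sourcetype. The event text, both regexes and the browser allow-list are assumptions; Splunk's generated regex will differ.

```python
import re
from collections import Counter

SCOPE = "access_combined_wcookie"  # a field extraction is coupled to one sourcetype

def _access(ua):
    """Constructed (sourcetype, event) pair in a minimal combined-log shape (not tutorial data)."""
    return (SCOPE, f'10.0.0.1 - - [21/Jan/2018:14:04:12] "GET /cart.do?action=view HTTP/1.1" 200 1665 "-" "{ua}" 3')

EVENTS = [
    _access("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36"),
    _access("Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0"),
    _access("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6"),
    _access("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
    _access("curl/7.58.0"),  # scripted client: no browser_type expected
    ("linux_secure", "Jan 21 14:04:12 buttercup-web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.9 port 50022 ssh2"),
]

# What a regex generated from one highlighted Chrome event can look like: it keys on the
# text around the value rather than on the value itself.
NAIVE_RE = re.compile(r"\(KHTML, like Gecko\) (?P<browser_type>\w+)")
# A hand-tightened extraction: anchored on the quoted user-agent field and on known browser names.
BROWSER_RE = re.compile(r'"Mozilla/\d[^"]*?\b(?P<browser_type>Chrome|Firefox|Safari|MSIE|Opera)\b')
KNOWN_BROWSERS = {"Chrome", "Firefox", "Safari", "MSIE", "Opera"}

def extract(sourcetype, event, regex):
    """browser_type for one event; None when the event is out of scope or the regex misses."""
    if sourcetype != SCOPE:
        return None
    m = regex.search(event)
    return m.group("browser_type") if m else None

def verify_extraction(events, regex, known=KNOWN_BROWSERS):
    """The wizard's 'are these really browsers?' step as a check: returns the value counts,
    the values outside the allow-list, and how many in-scope events got no value at all."""
    counts, uncovered = Counter(), 0
    for sourcetype, event in events:
        if sourcetype != SCOPE:
            continue
        value = extract(sourcetype, event, regex)
        if value is None:
            uncovered += 1
        else:
            counts[value] += 1
    return counts, set(counts) - known, uncovered

def top_browser_types(events, limit=20):
    """Mirrors `| top limit=20 browser_type` over the tightened extraction."""
    return verify_extraction(events, BROWSER_RE)[0].most_common(limit)
```

With NAIVE_RE the check reports the value "Version" (a Safari event) and three uncovered events; with BROWSER_RE every browser event gets a valid value and only the curl event is left without one.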
  • 59. Let’s add this search to our dashboard, and then view the dashboard. Click Edit -> Edit Panels to drag the different panels to different positions.
• 60. Let’s go back to search, and search for buttercupgames AND status!=200 (we want to see events that aren’t successful). Add the stats and where clauses shown above, so that only status codes with more than 100 unsuccessful events are returned.
• 61. Let’s create an alert. Save As -> Alert. Fill out the Title, Scheduled, Earliest + Latest, and Cron Expression. Instead of 48, change the minutes to a few minutes ahead of your current time (e.g., if it’s 9:00 a.m., change it to 05).
• 62. Add to Triggered Alerts and Save.
• 63. You should see an alert trigger once your scheduled search runs at the Cron expression you defined. * Note: it was mentioned that alerts wouldn’t work on a trial license. * Correction: alerts will work until the trial license expires.
• 64. Let’s go back to search and run: buttercupgames status=* | iplocation clientip. We want to look up the clientip values against the MaxMind database to pull in the City, Country, State, Lat and Lon of the IPs.
• 65. Now, the business is interested in seeing plots on a map of web users and what they’re doing with the website. Let’s append a geostats command that counts the events by the values of the action field. Pretty cool! This is definitely dashboard-worthy. Let’s add it to the dashboard.
• 66. Awesome! Now we have a single pane of glass that Operations, Development and Business all care about, from one data source! Talk about value!