Splunk
Tools/Skills: Splunk, adding an app, exploring/searching data, creating dashboards, extracting fields
Completed Splunk4Rookies Workshop (hosted by Splunk) on 01/11/24
LOGIN TO INSTANCE
Splunk provided an instance for each individual who attended the workshop. With the account info provided, I logged into mine.
ADD NEW APP
I created an app within the instance for the use case of today's lesson. It's where I chose what data I wanted to monitor and created a dashboard based on specific searches.

ADD DATA
The application is configured to collect weblogs into the splunk4rookies app I just created.

EXPLORE DATA
In the workshop, there were several specific searches to perform to practice searching the data. After this practice, there were two challenge tasks to try. These are the challenge tasks and my answers to them.

Q1 ANSWER

Q2 ANSWER

CREATE DASHBOARD PANEL: WEBSITE SUCCESSES/FAILURES

I narrowed the search by asking for the data to be organized over time and split by the 10 most common status codes (timechart count by status limit=10).

After creating the dashboard panel, I added it to a new dashboard, "Buttercup Enterprise." I set the layout to absolute, which gave me complete control over where and how each panel is placed.

CREATE DASHBOARD PANEL: CUSTOMER OSs

I performed a basic query on events within the last 60 minutes. From one of the events, I extracted the OS field and saved it as "platform". This allows me to sort and query data based on the platform a user was using.


I performed a search to create a dashboard for the most popular operating systems using the web app. Then, I saved this as a panel to the existing dashboard.
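The click-to-extract step above saves a field extraction on the sourcetype. As an added example (not a search from the workshop or this write-up), the same extraction can be done inline with rex, followed by the "most popular operating systems" search. The index and sourcetype names are assumptions, and so is the regular expression: it assumes the OS name is the first token inside the parentheses of the useragent string, which holds for most desktop and mobile browsers but not all.

```spl
index=main sourcetype=access_combined_wcookie earliest=-60m
| rex field=useragent "\((?<platform>[^;)]+)" ```first token inside the parentheses, e.g. "Windows NT 6.1" or "Macintosh", saved into a field named platform (assumed format)```
| top limit=10 platform showperc=f ```most common platforms in the last hour; showperc=f hides the percentage column```
```

Check the extraction before building a panel on it: `| stats count by useragent platform | sort -count` shows which useragent strings the regex mis-parsed (Linux browsers, for example, often report "X11" as the first token, so you may want a second rex or a case() statement to normalize those). top silently ignores events where platform is null, so a bad regex makes the chart look clean while undercounting.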

CREATE DASHBOARD PANEL: BROWSERS WITH THE MOST FAILURES
The search for the browsers with the most failures keeps only failures (status>=400) and charts the top 5 browser types (useragent, limit=5) over time (timechart).

Once created, I saved this panel to the existing dashboard, "Buttercup Enterprise."
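Written out in SPL, here are the two timechart panels described above (website successes/failures, and browsers with the most failures). This is an added example, not the workshop's or the write-up's own searches; the index and sourcetype names are assumptions about how the web logs were onboarded.

```spl
index=main sourcetype=access_combined_wcookie
| timechart span=15m count by status limit=10 useother=f ```one series per HTTP status code, keeping the 10 codes with the highest totals; useother=f drops the catch-all OTHER series```

index=main sourcetype=access_combined_wcookie status>=400
| timechart span=15m count by useragent limit=5 ```failures only (4xx and 5xx), split by the 5 most common browser strings```
```

limit=N keeps the N series with the largest totals over the whole time range, not per bucket, so a browser that spikes briefly can be hidden in OTHER. Putting status>=400 in the base search rather than in a later `| where status>=400` lets Splunk discard non-matching events before the pipeline runs, which is cheaper on large indexes. Note that status>=400 mixes client errors (4xx, typically the user's problem) with server errors (5xx, typically yours); if the panel is meant to catch outages, add a second series or a second panel filtered on status>=500.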

CREATE DASHBOARD PANEL: LOST REVENUE

I started with a basic lookup of the table product_codes.csv to see what it looked like.

I then created a search for purchase (action=purchase) failures (status>=400) and cross-queried the table product_codes.csv. This table shares the product_id column with the log data. By temporarily merging the two on that column, I could ask the search to sum the product prices of the failed purchases. This gives some insight into the revenue that could be lost to failures.

I saved this panel to the existing dashboard.
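As an added example (not the write-up's own searches), the lookup preview and the lost-revenue search can be written as follows. product_id is the shared column named in the write-up; the price column name product_price and the index and sourcetype are assumptions.

```spl
| inputlookup product_codes.csv ```preview the lookup table to learn its column names before joining on it```

index=main sourcetype=access_combined_wcookie action=purchase status>=400
| lookup product_codes.csv product_id OUTPUT product_price ```merge the CSV row whose product_id matches the event's product_id, adding product_price to the event```
| stats sum(product_price) AS lost_revenue count AS failed_purchases ```single-value panel: total price of failed purchases and how many there were```
```

Two checks are worth running before trusting the number. First, an event whose product_id is missing from the CSV gets a null product_price, and sum() skips nulls silently; `| where isnull(product_price) | stats count by product_id` after the lookup shows how much is being dropped. Second, a failed purchase is often retried and succeeds, so the total is an upper bound on revenue actually lost; adding `by product_id` to the stats line shows which products fail most, which is usually the more actionable view.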

DASHBOARD PANEL: WEBSITE ACTIVITY BY LOCATION

I performed a search to see where the web activity is coming from. I did this by using iplocation to match the clients' IP addresses to their locations and then using geostats to count how many fall in each city. I used a cluster map to visualize this.

I saved this panel to the existing dashboard.

CHALLENGE: CREATE A MAP EXCLUDING THE U.S.A.

The challenge question asked me to update the search to remove the United States. I added a line specifying that Country must not be the United States. I placed it after the iplocation call so the search already had the country information it needed to filter out US locations. I also began that line with the search command, because any filtering that happens after the main query at the start of the pipeline has to be written as an explicit "search".
CHALLENGE ANSWER
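The location panel and the challenge fix, as an added example (not the write-up's own search). clientip is assumed to be the field holding the client address, and the index and sourcetype names are assumptions.

```spl
index=main sourcetype=access_combined_wcookie
| iplocation clientip ```adds City, Region, Country, lat and lon from Splunk's bundled GeoIP database```
| search Country!="United States" ```challenge: must come after iplocation, because Country does not exist before it; after the first pipe a filter has to be written as a search command```
| geostats count by City ```bins events by lat/lon for the cluster map, with a per-city breakdown inside each cluster```
```

One caveat on the exclusion: `Country!="United States"` matches only events that actually have a Country value, so requests from addresses the GeoIP database cannot place (private RFC 1918 ranges, new allocations) disappear from the map too. `| search NOT Country="United States"` keeps them, which is usually what you want when the question is "what is hitting us from outside the US", and `| where isnull(Country) | stats count by clientip` tells you how much traffic could not be located at all. GeoIP location is an estimate, not a fact about the user: VPN and proxy traffic appears wherever the exit address is registered, so treat the map as a traffic overview rather than an access control.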

FINAL DASHBOARD
The final dashboard was easy enough to arrange. I imported a background that was recommended by the Splunk workshop instructor. I moved the various panels to where they were recommended to be. I made each panel transparent. I also got rid of some of the keys/legends that weren't necessary.

Summary
In the end, I learned a lot in this workshop. I learned how to go from having an instance to creating an app (or apps) based on specific data in that instance and performing and saving queries as panels to a dashboard. I then learned how to reconfigure the dashboard so that it is even easier to read and work with.