Posts tagged ‘event log parser’

Splunk Overview

Splunk is powerful and versatile IT search software that takes the pain out of tracking and utilizing the information in your data center. If you have Splunk, you won’t need complicated databases, connectors, custom parsers or controls–all that’s required is a web browser and your imagination. Splunk handles the rest.
Use Splunk to:

  • Continually index all of your IT data in real time.
  • Automatically discover useful information embedded in your data, so you don’t have to identify it yourself.
  • Search your physical and virtual IT infrastructure for literally anything of interest and get results in seconds.
  • Save searches and tag useful information, to make your system smarter.
  • Set up alerts to automate the monitoring of your system for specific recurring events.
  • Generate analytical reports with interactive charts, graphs, and tables and share them with others.
  • Share saved searches and reports with fellow Splunk users, and distribute their results to team members and project stakeholders via email.
  • Proactively review your IT systems to head off server downtimes and security incidents before they arise.
  • Design specialized, information-rich views and dashboards that fit the wide-ranging needs of your enterprise.

Index new data

Splunk offers a variety of flexible data input methods to index everything in your IT infrastructure in real time, including live log files, configurations, traps and alerts, messages, scripts, performance data, and statistics from all of your applications, servers, and network devices. Monitor file systems for script and configuration changes. Enable change monitoring on your file system or Windows registry. Capture archive files and SNMP trap data. Find and tail live application server stack traces and database audit tables. Connect to network ports to receive syslog and other network-based instrumentation.
No matter how you get the data, or what format it’s in, Splunk indexes it the same way–without any specific parsers or adapters to write or maintain. It stores both the raw data and the rich index in an efficient, compressed, filesystem-based datastore–with optional data signing and auditing if you need to prove data integrity.

Search and investigate

Now you’ve got all that data in your system…what do you want to do with it? Start by using Splunk’s powerful search functionality to look for anything, not just a handful of predetermined fields. Combine time and term searches. Find errors across every tier of your IT infrastructure and track down configuration changes in the seconds before a system failure occurs. Splunk identifies fields from your records as you search, providing flexibility unparalleled by solutions that require setup of rigid field mapping rulesets ahead of time. Even if your system contains terrabytes of data, Splunk enables you to search across it with precision.

Capture knowledge

Freeform searching on raw data is just the start. Enrich that data and improve the focus of your searches by adding your own knowledge about fields, events, and transactions. Tag high-priority assets, and annotate events according to their business function or audit requirement. Give a set of related server errors a single tag, and then devise searches that use that tag to isolate and report on events involving that set of errors. Save and share frequently-run searches. Splunk surpasses traditional approaches to log management by mapping knowledge to data at search time, rather than normalizing the data up front. It enables you to share searches, reports, and dashboards across the range of Splunk apps being used in your organization.

Automate monitoring

Any search can be run on a schedule, and scheduled searches can be set up to trigger notifications or when specific conditions occur. This automated alerting functionality works across the wide range of components and technologies throughout your IT infrastructure–from applications to firewalls to access controls. Have Splunk send notifications via email or SNMP to other management consoles. Arrange for alerting actions to trigger scripts that perform activities such as restarting an application, server, or network device, or opening a trouble ticket. Set up alerts for known bad events and use sophisticated correlation via search to find known risk patterns such as brute force attacks, data leakage, and even application-level fraud.

Analyze and report

Splunk’s ability to quickly analyze massive amounts of data enables you to summarize any set of search results in the form of interactive charts, graphs, and tables. Generate reports on-the-fly that use statistical commands to trend metrics over time, compare top values, and report on the most and least frequent types of conditions. Visualize report results as interactive line, bar, column, pie, scatterplot and heat-map charts.

Searching in Splunk

The first time you use Splunk, you’ll probably start by just searching the raw data to investigate problems — whether it’s an application error, network performance problem, or security alert. Searching in Splunk is free form — you can use familiar Boolean operators, wildcards and quoted strings to construct your searches. Type in keywords, such as a username, an IP address, a particular message… You’re never limited to a few predetermined fields and you don’t need to confront a complicated query builder, learn a query language, or know what field to search on. You can search by time, host and source.

Go to the Search app

After logging into Splunk, you will see either the Welcome view or Splunk Home view.

  • If you’re in the Welcome view, select Launch search app.
  • If you’re in Splunk Home, select Search.
  • If you are in another app, select the Search app from the App menu, which is located in the upper right corner of the window.

This takes you to the Summary dashboard of the Search app. For more information about what you will find in the Search App.

Start with simple terms

To begin your Splunk search, type in terms you might expect to find in your event data. For example, if you want to find events that might be HTTP 404 errors, type in the keywords:

http 404

Your search results are all events that have both HTTP and 404 in the raw text; this may or may not be exactly what you want to find. For example, your search results will include events that have website URLs, which begin with "http://", and any instance of "404", including a string of characters like "ab/404".
You can narrow the search by adding more keywords:

http 404 "not found"

Enclosing keywords in quotes tells Splunk to search for literal, or exact, matches. If you search for "not" and "found" as separate keywords, Splunk returns events that have both keywords, though not necessarily the phrase "not found".
You can also use Boolean expressions to narrow your search further.

Add Boolean expressions

Splunk supports the Boolean operators: AND, OR, and NOT; the operators have to be capitalized. You can use parentheses to group Boolean expressions. For example, if you wanted all events for HTTP client errors not including 404 or 403, search with:

http client error NOT (403 OR 404)

In a Splunk search, the AND operator is implied; the previous search is the same as:

http AND client AND error NOT (403 OR 404)

This search returns all events that have the terms "HTTP", "client", and "error" and do not have the terms "403" or "404". Once again, the results may or may not be exactly what you want to find. Just as the earlier search for http 404 may include events you don’t want, this search may both include events you don’t want and exclude events you want.
Note: Splunk evaluates Boolean expressions in the following order: first, expressions within parentheses; then, OR clauses; finally, AND or NOT clauses.

Search with wildcards

Splunk supports the asterisk (*) wildcard for searching. Searching for * by itself means "match all" and returns all events up to the maximum limit. Searching for * as part of a word matches based on that word.
The simplest beginning search is the search for *. Because this searches your entire index and returns an unlimited number of events, it’s also not an efficient search. We recommend that you begin with a more specific search on your index.
If you wanted to see only events that matched HTTP client and server errors, you might search for:

http error (40* OR 50*)

This indicates to Splunk that you want events that have "HTTP" and "error" and 4xx and 5xx classes of HTTP status codes. Once again, though, this will result in many events that you may not want. For more specific searches, you can extract information and save them as fields.

Search with fields

When you index data, Splunk automatically adds fields to your event data for you. You can use these fields to search, edit the fields to make them more useful, extract additional knowledge and save them as custom fields. For more information about fields and how to use, edit, and add fields.
 Splunk lists fields that it has extracted in the Field Picker to the left of your search results in Splunk Web. Click a field name to see information about that field, add it to your search results, or filter your search to display only results that contain that field. When you filter your search with a field from the Field Picker, Splunk edits the search bar to include the selected field.
Alternately, you can type the field name and value directly into your search bar. A field name and value pair can be expressed in two ways: fieldname="fieldvalue" or fieldname=fieldvalue.
Note: Field names are case sensitive.
Let’s assume that the event type for your Web access logs is eventtype=webaccess and you saved a field called status for the HTTP status codes in your event data. Now, if you wanted to search for HTTP 404 errors, you can restrict your search to the specific field:

Use wildcards to match multiple field values

If you’re interested in seeing multiple values for the status field, you can use wildcards. For example, to search for Web access events that are HTTP client errors (4xx) or HTTP server errors (5xx), type:

eventtype=webaccess status=40* OR status=50*

Use comparison operators to match field values

You can use comparison operators to match a specific value or a range of field values.






Field values that exactly match "foo".



Field values that don’t exactly match "foo".



Numerical field values that are less than x.



Numerical field values that are greater than x.



Numerical field values that are less than and equal to x.



Numerical field values that are greater than and equal to x.

Note: You can only use <, >, <=, and >= with numerical field values, and you can only use = and != with multi-valued fields.

P.S. Thanks to Manik