Analyzing Machine Data with Splunk



About Me


Analyzing Log Files

Why Learn Splunk?

Basic Windows Administration

Basic Linux Administration

Windows Environment

Hadoop Sandbox


Why machine data?

Splunk Terms

Careers in Splunk

Machine Data

Machine Data

Data generated by machines, computer processing, applications and sensor data.

Machine data is everywhere. In fact you are generating it right now!

Server & Workstation Logs

  • Linux/Windows
  • Log files
  • Access
  • File system



Networks

  • Firewall
  • Warnings
  • Alerts
  • IP addresses


Databases

  • Audit logs
  • Configurations
  • Schemas
  • Tables
  • Queries


Web

  • Transactions
  • Click-stream
  • Location
  • Browser
  • Time


DevOps

  • Test logs
  • log4j alerts
  • Event logs
  • Code check-in


IoT

  • GPS
  • RFID
  • Biometric
  • Temperature
  • Limitless

Splunk Terms

Splunk Workflow

  • Index
  • Events
  • Search
  • Pivot
  • Dashboard
  • Forwarder


Splunk Careers

Security is one of the fastest-growing sectors in IT


Who Is Splunk For?



Definition of Splunk

Understand machine data

A look at Splunk architecture

Careers in Splunk

Setting up the Splunk Environment


How Splunk is licensed

Where to get Splunk

Installing Splunk

Running Splunk

Splunk Licensing

Flavors of Splunk


Capped at 500 MB of data

Splunk Cost


Get Splunk


Splunk Website

Register with

Installing Splunk for Windows


Installing Splunk

Example Data


Logging into Splunk

Testing the environment


  • Splunk documentation
  • Explained Splunk cost
  • Walked through installing Splunk
  • Up and running with Splunk

Basic Splunking Techniques


  • Adding more data
  • Deep dive into Splunk search
  • Reporting in Splunk
  • Alert based reports

More Data


Windows System Logs

Windows Security Logs

Search in Splunk

  • Analyze data
    • Date Time
    • Event IDs
    • Etc
  • Testing Data
    • Setup alerts
    • Create dashboards



Searching in Splunk

Search Commands


Splunk Processing Language

Search Commands

source="WinEventLog:*" host="Henson-Lap"

Chaining Commands

source="WinEventLog:*" host="Henson-Lap" | command 1 | command 2 ...

Filtering Results

source="WinEventLog:*" host="Henson-Lap" | search EventCode=100

Lets users filter results within the query. For example, show only results where EventCode = 100.

Remove Duplicates

source="WinEventLog:*" host="Henson-Lap" | dedup EventCode

Shows only unique events for the chosen field. For example, show each EventCode only once.
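The following search is an added example, not part of the original course material. It builds a handful of constructed Windows Security logon events with makeresults (no forwarder or indexed data needed), then chains the search and dedup commands shown above and finishes with a threshold of the kind a saved alert would use. The host name Henson-Lap is the one used in the slides; the account names are made up; EventCode 4624 (successful logon) and 4625 (failed logon) are the standard Windows Security event IDs.

```spl
| makeresults
| eval data="4625,alice;4625,alice;4625,alice;4624,alice;4625,bob;4624,carol"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<EventCode>\d+),(?<Account_Name>\w+)$"
| eval host="Henson-Lap", source="WinEventLog:Security"
| fields - data
| search EventCode=4625
| eventstats count AS failed_logons BY Account_Name
| dedup Account_Name
| where failed_logons >= 3
| table _time host Account_Name EventCode failed_logons
```

The first seven lines only construct the sample events (one row per "EventCode,Account_Name" pair). The pipeline proper starts at search, which keeps only the failed logons; eventstats attaches a per-account count to every remaining event; dedup Account_Name then keeps the first event for each account, so one row per account survives with its count; and where applies the threshold, leaving a single row for alice with failed_logons = 3. When only the aggregate is needed, stats count BY Account_Name is the shorter idiom; the eventstats/dedup form is shown here because it keeps the original event fields such as _time and host alongside the count, which is useful when the search is saved as an alert.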


Reports in Splunk

  • Ongoing Analysis
    • Trends
    • Daily Awareness
  • Management
    • Status
    • Pattern



Developing saved reports

Custom Alerts

  • Warnings
    • Real-time
    • Scheduled
  • Problems
    • Quicker resolution
    • Actionable



Alerting in Splunk


  • Added more data from local machine
  • Understanding of search
  • Created reports based on searches
  • Developed custom alerts

Splunking in the Enterprise


  • Move logs in Splunk
  • Different forwarding options
  • Enterprise architecture
  • Walk through setting up forwarder


Forwarder

Instance of Splunk that sends data to another instance of Splunk.

Universal Forwarder

  • No Alerts
  • No Indexing
  • Limited Parsing of Data
  • CLI Configuration

Heavy Forwarder

  • Full Splunk Instance
  • Disable Features
  • Web/CLI Configuration

Light forwarder is deprecated as of Splunk 6.0

Enterprise Splunk Architecture


Benefits of Forwarding


Load Balancer

Distributing data across multiple Splunk environments

Installing Forwarders

  • Windows
  • Linux
  • Solaris
  • Mac



  • Download Forwarder
  • Ubuntu Server


  • Explained Splunk Forwarders
  • Discussed Forwarder Architecture
  • Installed Forwarder in VM

Splunking for DevOps and Security


  • Devops optimization with Splunk
  • Security strength with Splunk
  • Splunk Use Cases in Enterprise

Splunk in DevOps


Increased communication between software developers, QA and IT operations.

  • Quicker development time
  • Less down time
  • Faster release of patches
  • Enhanced culture



Uploading DevOps log file

Splunk in Security

  • Fraud Detection
  • Outside threats
  • Data breaches
  • Insider threats


Security Monitoring

  • Card Readers
  • Security log files
  • Local Event Logs
  • Video Surveillance
  • Files & Directories
  • Registry
  • Active Directory

Enterprise Use Cases


Data Monitoring

  • Social Media
  • Clickstream
  • Video Analytics
  • Marketing Results
  • Supply Chain
  • Inventory Logs
  • GEO Data
  • A/B Testing


  • How to use Splunk for DevOps
  • Demo analyzing log4j file
  • Talked about Security
  • Splunk in Marketing

Application Development in Splunkbase


  • Splunkbase defined
  • Walk through Splunkbase universe
  • Creating apps in Splunkbase
  • Setting up Splunkbase environment

What Is Splunkbase?


New Workflows



Marketplace for Splunk plug-ins and applications. Community driven, with licensed and unlicensed options for Splunk applications.

  • Microsoft Exchange App
  • Isilon Splunk App
  • Splunk App for Dropbox


Navigating the Splunkbase

Creating Apps for Splunk

  • Dashboard Editor
  • XML Editor
  • HTML Dashboards
  • SplunkJS

SDK Option



Installing Splunkbase API

Benefits Building in Splunkbase



Limitless Splunk


  • Learned what Splunkbase
  • Toured the Splunkbase
  • Discussed benefits of Splunkbase
  • Looked at how to create Splunk App

Splunking on Hadoop with Hunk


  • Explain Hadoop
  • Walk through Hadoop Environment
  • Hunk
  • Setup Hunk Environment
  • Analyze data in HDFS with Hunk

What Is Hadoop?


Programming framework that processes large data sets in a distributed environment. Its two major components are MapReduce and HDFS.



HDFS: Hadoop Distributed File System


Schema on Write

  • Relational Databases
  • Quicker querying
  • Rigid

Schema on Read

  • NoSQL Databases
  • Batch Processing
  • Flexible


  • Hadoop Distributions
  • HDFS Demo
  • Hortonworks
  • Cloudera
  • Pluralsight
    • HDFS Getting Started


Hunk Defined

Hadoop + Splunk = Hunk


  • Apache Hadoop
  • Hortonworks
  • MapR
  • Pivotal HD
  • Cloudera
  • Amazon EMR


  • Hunk download
  • Hunk install


HDFS data in Hunk

  • Setup Splunk Cluster
  • Learn Hadoop
  • Other analytic tools


  • Understanding of Splunk platform
  • Setup dev Splunk environment
  • Comfortable in Splunk search
  • Value of forwarding in Splunk
  • Non IT operations Splunk
  • Splunk Marketplace
  • Hadoop and Splunk


Thanks for you