Copyright © 2014 Splunk Inc.
Matthias Maier, Sales Engineer, Splunk
Dashboard Fun: Creating an interactive Transaction Profiler
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Who I am
• Sales Engineer in Germany
• Splunker nearly 2 years
• Like to get hands on real-world scenarios
• CISSP
• Worked in the past for McAfee (Security) and Tibco (Analytics)
Self Analytics / Transaction Profiler Dashboard
• Goals:
– Self exploration of data
– Gaining ideas from other departmental users for new use cases and business insight
  – "Do we have this information available?"
  – "Can we add this?"
  – "Can we correlate with this?"
– How to get to this stage?
Adding Value
I loaded 1.000.000 records. Start to add value for other departments.
You might want to provide an impressive starting point for other people to explore the data (next to the raw searches and data models).
Challenge for Machine Data in Business Context
• Not every user who can benefit might have SPLK language skills
• Not every user is creative with data in the first step
• YOU as a Splunk Data Analyst might not be able to interpret business data for business insights
Demonstration
Demo (this is what you learn how to create/get after my session):
[Screenshot: Profiling Dashboard]
[Screenshot: Transaction Profiler With IP Traffic]
Start With One Single "Transaction"
1. Search and investigate a transaction field
– Filter down to one session
Sample "transaction" fields:
• Username + session information
• Transaction ID
• Order ID
• E-mail address
• Service name
• IP address / hostname / system name
Interview
2. Go to a subject matter expert and let them explain what happened in this session
Demonstration
Demo (raw search, explain data set)
[Screenshot: Transaction Profiler With IP Traffic]
Create Dashboards
3. Create consistent dashboards by using some of the following methods

Search: … | timechart count
Description: Easiest one ever

Search: … | stats dc(<fieldname>) by <fieldname>
Description: Distinct count gives a lot of interesting insights:
• Why is this user logging on from so many different systems?
• Why has this transaction id so many different status codes?
• Why is this IP communicating to so many destination ports?

Search: … | transaction <fieldname> | table duration
Description: As single value: how long did it take?

Search: … | head 1 | table _time
Search: … | tail 1 | table _time
Description:
• When was the first "session"?
• When was the last "interaction with the system"?
Demonstration
Demo (dashboard with some single values + stats + time charts based on ONE transaction)
[Screenshot: My IP Profiler]
Create Drop Down Lists
4. Create drop down lists and input fields to make the dashboard interactive
– Thanks to version 6.1 it can be done via the GUI without coding
– Review the dashboard example app for additional visualization tricks
5. Tokenize the searches to make them flexible
Demonstration
Demo (add free text field, pickers (dynamic), token fields + replace single transaction id with token)
[Screenshot: My IP Profiler]
Example
We are not done
6. Make sure you add default values for each of the drop down fields, so in case someone wants to see something, you guide them to the right choice and the dashboard is populated from the start.
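As an added example, not from the deck, here is a Simple XML form that wires steps 3 to 6 together: a static drop-down for the transaction field, a dynamic picker whose choices come from a search, tokenized panel searches, and a default on every input so the first visitor never lands on an empty page. The index name index=web, the field names session_id, user, src_ip and dest_port, and the placeholder default value are assumptions.

```xml
<form>
  <label>Transaction Profiler (added example)</label>
  <fieldset submitButton="false">
    <!-- Step 4: static drop-down choosing which "transaction" field to profile (field names assumed) -->
    <input type="dropdown" token="field">
      <label>Transaction field</label>
      <choice value="session_id">Session ID</choice>
      <choice value="user">Username</choice>
      <choice value="src_ip">IP address</choice>
      <default>session_id</default> <!-- step 6: default value -->
    </input>
    <!-- Dynamic picker: choices come from the data and follow the field chosen above -->
    <input type="dropdown" token="value" searchWhenChanged="true">
      <label>Value</label>
      <search>
        <query>index=web | stats count by $field$ | sort - count | head 50 | rename $field$ as value</query>
        <earliest>-24h</earliest><latest>now</latest>
      </search>
      <fieldForLabel>value</fieldForLabel>
      <fieldForValue>value</fieldForValue>
      <default>PLACEHOLDER-VALUE</default> <!-- placeholder: use a value that exists in your data -->
    </input>
    <input type="time" token="tr">
      <label>Time range</label>
      <default><earliest>-24h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row>
    <!-- Step 5: every panel search is tokenized, so one dashboard serves any transaction -->
    <panel>
      <title>Duration of this transaction (s)</title>
      <single>
        <search>
          <query>index=web $field$="$value$" | transaction $field$ | table duration</query>
          <earliest>$tr.earliest$</earliest><latest>$tr.latest$</latest>
        </search>
      </single>
    </panel>
    <panel>
      <title>Distinct destination ports (why so many?)</title>
      <single>
        <search>
          <query>index=web $field$="$value$" | stats dc(dest_port) as ports</query>
          <earliest>$tr.earliest$</earliest><latest>$tr.latest$</latest>
        </search>
      </single>
    </panel>
  </row>
</form>
```

Save it as a dashboard in the app of your choice and swap the placeholder default for a value the dynamic picker actually returns, otherwise the value drop-down starts unselected.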
Demonstration
Demo (add default values and show first user experience accessing the dashboard)
Transaction Profiler Use Cases for…
• Helpdesk
• Support Desk
• Second + Third Level Support
• Developers of In-House Applications
• Service Level Manager
• Marketing Departments
• IT-Security / SIEM Use Cases
• Business Fraud Detection
• Search and investigate a single transaction
• Review the transaction with a subject matter expert from the business
• Create a dashboard for a single transaction
• Create drop downs for exploration
• Tokenize the searches
• Set default values
• Gain new ideas and business insight from machine data
  – Give this into the hands of business people
  – Gather feedback and tune
Special Offer: Try Splunk MINT Express for Free! Splunk MINT offers a fast path to mobile intelligence. How fast? Find out with a 6-month trial*
• Register for your free trial: http://mint.splunk.com/conf2014offer
• Download the Splunk MINT SDKs
• Add the Splunk MINT line of SDK code and publish**
• Start getting digital intelligence at your fingertips!
*Offer valid for .conf2014 attendees and coworkers of attendees only.
**Trial allows monitoring of up to 750,000 monthly active users (MAUs).
Thank you! Contact: ma:[email protected]