Thursday 11 January 2018

Splunk II

In the second part of the series on Splunk, we will analyze data and calculate a few measures. We will use Splunk 7.0.1, installed in the earlier post, for all our work.

Let us look at the services that got installed as part of the previous installation:

We can see that Splunkd Service and splunkweb (kept for legacy purposes only) are installed, but only Splunkd Service is of consequence. The description of this service is reproduced below:

Splunkd is the indexing and searching engine for Splunk, a data platform for operational intelligence. It is required for Splunk instances acting as an indexer. If it is stopped, Splunk will not process data and will be unavailable for search. Splunkweb depends on Splunkd. Please see www.splunk.com for more information. Questions can be submitted to www.splunk.com/answers or for supported customers www.splunk.com/page/submit_issue

Without this service the application will not run. Let us stop the service and start it from the command line instead:

Once it is stopped, open a command prompt and change to the Splunk bin directory:

cd C:\Program Files\Splunk\bin

Then run the following command:

splunk start

Wait for the Splunk service to start, then check its status with the following command:

splunk status

The results are shown below:

To see more details about the instance, run the commands below. If you are prompted for a username and password, enter the admin credentials:

splunk show servername
splunk show splunkd-port
splunk show web-port

The results are shown below:

Since the service is up and running, we can open the Splunk Enterprise web interface by clicking on the icon as shown below:

Once logged in, click on Add Data:

Click on Skip below:

On the next screen, click on Upload:

Click on Select File and choose the employees.csv file from our earlier posts. Read the FAQ below it, then click on Next:

Click on Next again:

Read the FAQ, then click on Review:

Click on Submit:

Click on Start Searching:

We can see the records classified as events:

Note the search criteria under New Search. We can add filters to narrow the results down to the information we are seeking. In the example below, we look for employees whose first names start with Ke:

source="employees.csv" host="SPLUNK-SERVER" sourcetype="csv" FIRST_NAME = "Ke*"

Search terms separated by spaces are all applied at the same time, meaning the criteria are implicitly ANDed: an event must satisfy every one of them to be returned.

The results are shown below:

We can further narrow down the search by adding another condition as shown below:

source="employees.csv" host="SPLUNK-SERVER" sourcetype="csv" FIRST_NAME = "Ke*" (LAST_NAME = "C*" OR LAST_NAME = "F*")

The results are shown below:

One more criterion is added, this time on a numeric field:

source="employees.csv" host="SPLUNK-SERVER" sourcetype="csv" FIRST_NAME = "Ke*" (LAST_NAME = "C*" OR LAST_NAME = "F*") SALARY > 3500

The results are shown below:

The next query sorts the results by salary in ascending order:

source="employees.csv" host="SPLUNK-SERVER" sourcetype="csv" FIRST_NAME = "N*" | sort SALARY asc

The results are shown below:

We can select only a few columns by piping (|) the results of the above query into the table command, as shown below:

source="employees.csv" host="SPLUNK-SERVER" sourcetype="csv" FIRST_NAME = "N*" | sort SALARY asc | table FIRST_NAME LAST_NAME SALARY

The results are shown below:

Lastly, we calculate measures based on SALARY:

source="employees.csv" host="SPLUNK-SERVER" sourcetype="csv" FIRST_NAME = "N*" | sort SALARY asc | table FIRST_NAME LAST_NAME SALARY | stats count(SALARY) sum(SALARY) avg(SALARY) max(SALARY) min(SALARY)

The results are shown below:
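To make the semantics of the searches above concrete without a Splunk server, here is an added Python example (not code from the post or from Splunk) that emulates the same pipeline over a small constructed employees.csv: implicit AND between space-separated terms, the * wildcard in a field value, a parenthesised OR, a numeric comparison, sort, table and the stats aggregates. The sample rows are invented; the last one deliberately has no SALARY value to show that count(SALARY) and the other aggregates only count events that carry the field. The choice to sort events with no SALARY first is this example's, not a documented Splunk rule.

```python
import csv
import io
import re

# Constructed sample in the shape of the employees.csv used on the page;
# the rows are invented for this example (the last one has no SALARY value).
EMPLOYEES_CSV = """EMPLOYEE_ID,FIRST_NAME,LAST_NAME,SALARY
100,Kevin,Cook,4200
101,Kelly,Fox,3100
102,Kenneth,Adams,5000
103,Nancy,Greenberg,12000
104,Neena,Kochhar,17000
105,Nandita,Sarchand,4200
106,Diana,Lorentz,4200
107,Ismael,Sciarra,
"""


def load_events(text):
    """Parse CSV text into a list of dicts, one per row (Splunk's 'events')."""
    return list(csv.DictReader(io.StringIO(text)))


def wildcard_match(value, pattern):
    """Emulate a field="Ke*" term: '*' matches any run of characters and,
    as in Splunk, the comparison of field values is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value or "", re.IGNORECASE) is not None


def salary_of(event):
    """Numeric SALARY, or None when the field is absent or empty."""
    raw = event.get("SALARY")
    return float(raw) if raw not in (None, "") else None


def query_ke_c_or_f_high_salary(events):
    """FIRST_NAME="Ke*" (LAST_NAME="C*" OR LAST_NAME="F*") SALARY > 3500
    Space-separated terms are implicitly ANDed; the parenthesised OR is one term.
    An event with no SALARY cannot satisfy the numeric comparison."""
    return [
        e for e in events
        if wildcard_match(e["FIRST_NAME"], "Ke*")
        and (wildcard_match(e["LAST_NAME"], "C*") or wildcard_match(e["LAST_NAME"], "F*"))
        and salary_of(e) is not None and salary_of(e) > 3500
    ]


def query_n_sorted_table(events):
    """FIRST_NAME="N*" | sort SALARY asc | table FIRST_NAME LAST_NAME SALARY"""
    selected = [e for e in events if wildcard_match(e["FIRST_NAME"], "N*")]
    # Events lacking a SALARY value are placed first (this example's choice).
    selected.sort(key=lambda e: (salary_of(e) is not None, salary_of(e) or 0.0))
    return [{k: e[k] for k in ("FIRST_NAME", "LAST_NAME", "SALARY")} for e in selected]


def salary_stats(rows):
    """| stats count(SALARY) sum(SALARY) avg(SALARY) max(SALARY) min(SALARY)
    count(SALARY) counts only events that carry the field, so rows with an
    empty SALARY are ignored in every aggregate."""
    salaries = [s for s in (salary_of(r) for r in rows) if s is not None]
    if not salaries:
        return {"count(SALARY)": 0}
    return {
        "count(SALARY)": len(salaries),
        "sum(SALARY)": sum(salaries),
        "avg(SALARY)": sum(salaries) / len(salaries),
        "max(SALARY)": max(salaries),
        "min(SALARY)": min(salaries),
    }


if __name__ == "__main__":
    events = load_events(EMPLOYEES_CSV)
    for row in query_ke_c_or_f_high_salary(events):
        print(row["FIRST_NAME"], row["LAST_NAME"], row["SALARY"])
    print(salary_stats(query_n_sorted_table(events)))
```

Each function's docstring carries the search it stands in for, so the three stages of the last query on the page (filter, sort and table, then stats) can be compared step by step with what Splunk returns for the real employees.csv.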