Search with Splunk


Description:

Johnvey Hwang, UI Manager, Splunk, presents an overview of the basics of Searching with Splunk.


Date: Feb 28, 2008 

Permalink

http://www.splunk.com/view/SP-CAAACGQ

Transcript

Search IT

INTRODUCTION:

Hi, my name is Johnvey Hwang, and I’m the UI Manager here at Splunk. Today, I’m going to be talking about Searching with Splunk. Search is a concept that is familiar to everyone. You use it every day to find what you’re looking for on the internet, and Splunk brings that power into your datacenter, allowing you to troubleshoot by typing a single term, whether it be an IP address, an e-mail address or a user name. Problem solving begins with simply typing stuff into a box. Interacting with our users and having design sessions with them has, over the last 3 years, shown that they really, really like the search box concept. And for our users, once they get that, it becomes the most compelling feature. It really makes them believe in what Splunk does.

Today I’m going to cover some of the features about Search, and what it can do for you.


DEMO:

Let's take a look at how to search through terabytes of IT Data with Splunk. You get results right away. And the results are interactive, so you can navigate through your data by clicking! Here is a quick example.

Say you work at a help desk. A customer calls up who is having problems with your website. You get their IP address and type it into Splunk. Typeahead helps you complete the search. You get every event across every IT data source that includes this customer's IP address instantaneously. Now scroll through the results and check out the interactive timeline to see where you are.

If you decide to focus on a particular event, like the http GET events from the access logs here, you can just click on 'GET' right in your results to add it to your search.

You can quickly eliminate the successful web requests for this customer's IP by clicking on http success codes like '200' and '304' while holding down the alt key.

Splunk updates your search with 'NOTs' for each code you click. Freeform search is just part of the picture.

The next search feature that's really great is fields. Splunk automatically extracts and names fields in your IT data. Let's see how easy it is. Click on the status field menu so you can break down the different http errors for this customer. The timeline bars highlight as you mouse over each status code and you can quickly see there was a cluster of 503 errors in just a few minutes.

Click on the 503 status code to filter results down since the customer's description of the problem sounded like a 500-series server error.

The timeline lets you zoom in and out by time.

There you go.

You see this 503 problem has been happening intermittently about an hour apart for the past few hours. Narrow your search to the time of one of the 503 errors by clicking on the event's timestamp.

Here's where it gets interesting.

Change your search to look for all events that happened at the same second as one of the 503 errors. Now you quickly find errors where the web server couldn't connect to the appserver.

To look at just those events, you hold down the ctrl key while clicking on the term 'connection_refused'.

With a simple starting search and a few clicks you were able to verify a customer's problem report, establish the exact time of the web server errors and get to the root cause on the appserver.

You didn't need access to the production servers or need to write any homegrown scripts to parse the data.


CONCLUSION:

Okay, so I’ve shown you some of the basic Search features. Now, there’s a whole lot more to the product, so if you are interested, go to Splunk.com, and download Splunk for free. It only takes 5 minutes to install, so there are no excuses.

If you have any questions, just let us know.
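The help-desk walkthrough in the demo, replayed as an added Python example (not Splunk's own code or its search language): a constructed access log and web-server error log are indexed into terms and fields, the customer's IP plus 'GET' is searched with NOT 200 and NOT 304, the status field is broken down, and every event from any source in the same second as a 503 is checked for the appserver's connection_refused. The log lines, the IP 10.1.1.7 and the host appserver01 are all constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample data (not from the video): a customer IP against the web tier, plus the web server's error log.
ACCESS_LOG = """\
10.1.1.7 - - [28/Feb/2008:10:02:11 -0800] "GET /index.html HTTP/1.1" 200 1203
10.1.1.7 - - [28/Feb/2008:10:02:12 -0800] "GET /cart HTTP/1.1" 503 412
10.1.1.7 - - [28/Feb/2008:10:02:13 -0800] "GET /logo.png HTTP/1.1" 304 0
10.1.1.7 - - [28/Feb/2008:11:04:40 -0800] "GET /cart HTTP/1.1" 503 412
10.1.1.7 - - [28/Feb/2008:11:04:41 -0800] "GET /missing HTTP/1.1" 404 77
"""
ERROR_LOG = """\
[28/Feb/2008:10:02:12 -0800] [error] proxy: connection_refused appserver01:8009
[28/Feb/2008:11:04:40 -0800] [error] proxy: connection_refused appserver01:8009
"""
ACCESS_RE = re.compile(r'(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')
ERROR_RE = re.compile(r'\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)')

def index(*logs):
    """Turn raw lines into events: extracted fields plus the indexed terms."""
    events = []
    for raw in (line for log in logs for line in log.splitlines()):
        m = ACCESS_RE.match(raw) or ERROR_RE.match(raw)
        if not m:
            continue
        fields = m.groupdict()
        fields["_time"] = datetime.strptime(fields.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
        # Split on whitespace, quotes and brackets so "10.1.1.7" and "connection_refused" stay whole terms.
        fields["_terms"] = {t for t in re.split(r'[\s"\[\]]+', raw) if t}
        events.append(fields)
    return events

def search(events, terms, not_terms=()):
    """Freeform search: all terms must be present, no NOT term may be."""
    return [e for e in events
            if set(terms) <= e["_terms"] and not set(not_terms) & e["_terms"]]

def status_breakdown(events):
    """The 'status' field menu: event count per extracted HTTP status code."""
    return Counter(e["status"] for e in events if "status" in e)

def root_cause(events, clientip):
    """Replay the demo: IP + GET, NOT 200/304, pick a 503, then every source's events in that second."""
    failures = search(events, [clientip, "GET"], ["200", "304"])
    first_503 = next((e for e in failures if e["status"] == "503"), None)
    if first_503 is None:
        return []
    same_second = [e for e in events if e["_time"] == first_503["_time"]]
    return search(same_second, ["connection_refused"])
```

Run `root_cause(index(ACCESS_LOG, ERROR_LOG), "10.1.1.7")` to get the single error-log event that explains the first 503; with no 503 for that IP it returns an empty list.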


Splunk Search Features:

Search all your IT Data from one place

Fast, free form search on anything: no knowledge of specific data formats required.

Boolean, nested, quoted string and wildcard searches.

Find system failures and configuration changes fast, before major impact.
