Share Knowledge with Splunk
Description:
Christina Noren, VP of Product Management at Splunk, presents an overview of Splunk sharing and collaboration features.
Date: Feb 25, 2008 | Runtime: 02:35
Permalink
http://www.splunk.com/view/SP-CAAACGV
Transcript
Share Intro
Hi, I'm Christina Noren, VP of Product Development, here at Splunk. I'd like to tell you about sharing, which is one of my favorite aspects of Splunk. Sharing is the way that you can leverage Splunk in order to avoid ever having to answer the same question twice. Sharing will help you let other members of your team leverage your knowledge in order to resolve problems faster, and you can even tap into the broader Splunk community, using Splunkbase. Let me show you how.
Capture Knowledge
Splunk makes it effortless to capture the knowledge you have about your own IT data as you search. Then when your colleagues hit the same issues, they don't need to ask you about it or figure it out all over again. Here's an example of some errors coming off of DB2, having to do with an inability to get a lock on a SQL database, that I found out was causing some web transaction errors. So what I can do now is I can save this search as an event type. I'm going to call it a DB2 locking error. And I'm going to give it a tag such as "root cause and transaction failure," so I know that this event is the cause of some transaction failures.
Now that we've done that, I'm going to enable the event type field and we'll see that the event type of DB2 locking error appears next to every one of these events along with the tags "requires action" and "transaction failure." That's going to make it easier for other people who hit the same events to understand what they mean.
We can also build other kinds of knowledge. One of the nice things about Splunk is that it extracts all kinds of fields and figures out a lot about the events just on its own. You can see that it's extracted lots and lots of fields from these really well-structured DB2 events on their own.
But say I want a report on the table name, and the table name is something that hasn't been extracted. What I can do here is, right in line, I can do some field extraction and I can give it an example and say that I want to extract this string, which is the table name, and give it the name of "table." And very quickly I'll see that it correctly extracted all the different table names that were mentioned in this DB2 diag log.
And now, when I re-run this search, I now have a value for table and I can go ahead and use that field in a report if I want, or I can use it in filtering, or I can use it for a more precise search. And that field is available to all the other users of the same Splunk server across my company.
So I've made Splunk smarter without a lot of extra effort, just while doing my job.
Browsing Applications from Splunkbase
Splunk sharing can go beyond the boundaries of your team or organization too. You can tap into the knowledge of the Splunk community by downloading applications from Splunk Base. You can browse and install these apps from within your Splunk web interface. Let's see how. In your admin area, you'll see an applications section. You can browse applications that are available on Splunk Base but not installed locally on your Splunk server yet. Here you see a whole bunch of applications that are available in Splunk Base. You can browse them by category.
I'm specifically looking for some reports to help me with doing web analytics on the access logs for my web application we were just looking at. Let's see what's available there. Let's take a look at business intelligence.
Here's something that looks like what I need. It's a bunch of web access reports, and I can go ahead and install that one for free. It'll prompt me to log into Splunk Base with my Splunk.com user name and password, the same one I set up when I first downloaded Splunk.
And now it's actually installed the application. It'll prompt me to restart the server, so all those reports that I just downloaded are available. Now I can log in again and I'll see all my new reports. If I take a look in my saved search menu, I suddenly have a whole bunch of saved searches about my web usage, and I can try one of them out.
Now this report is showing me what my bytes of web traffic were over time, which is a pretty useful way of looking at my web traffic.
Sharing Applications from Splunkbase
I just downloaded a pretty simple and useful application with some Web access reports by browsing Splunkbase from within my own Splunk server. Now, if I want to go ahead and share something with Splunk Base and make that available to other members of the community, I can go do that on Splunkbase.com. And I can go ahead and share any application that I've built by logging into Splunkbase.com and going into the share area. I can give it a description, tell it a little bit about what's in the application. As you can see, I can share a wide range of aspects of knowledge and configuration for Splunk. And I can associate it with a category, and now I've shared it with the community.
Sharing Conclusion
I think you now see why Splunk's sharing features excite me so much. Not only do you get enormous value "out of the box" with Splunk, but as more and more people use it, it grows in value over time.