product
service
- Simple Security Consulting [Consulting]
- Splunk SOAR Automation Assessment Service [Consulting]
- Dashboard/SPL Creation Pack [Implementation/Building Support]
- Version upgrade service [implementation and construction support]
- Splunk Premium Apps construction support service [implementation and construction support]
- Splunk Security Log Analysis Start Package [Original App/Service]
- Splunk × CrowdStrike Falcon Insight, Macnica Original App [Original App/Service]
- Government uniform standard compatible App [Original App/Service]
- Smart Security Monitoring App [Original App/Service]
- Splunk × LANSCOPE Original App [Original App/Service]
- Security Monitoring App for Box [Original App/Service]
- Cloud Security Monitoring App [Original App/Service]
- SIEM Operation Monitoring Service [Original App/Service]
- List of services
- Macnica Premium Support for Splunk (utilization support, version upgrade monitoring)
- Macnica Premium Support for Splunk Skill Up Package
Specifications/Technical Information
Application for evaluation machine
- FAQ
"This is convenient! New feature of Splunk Ver6.3!" | Splunker's Blog
September 24, 2015 The annual .conf 2015, where Splunk users gather from all over the world, was held in Las Vegas again this year. This time, there were various new product announcements such as machine learning functions and new apps, but Ver. 6.3 was also announced at the same time as the event. Today, I would like to introduce a feature that I was particularly happy about in the new version: "Field extraction."
"Splunk is schema-less"
Splunk is useful for utilizing huge amounts of big data, but when importing data, it has a function that allows it to recognize character strings within the data as items. That becomes an item, or "extract field." Until now, field definitions were either written in the configuration file for each item, or defined individually.
Starting from Ver.6.3, the settings screen for the definition has become easier to use! Now, let's take a look at the extraction function for that field.
First, import the machine data by specifying the index. Once imported, try searching by specifying the index name on the search screen.
>index=”demo”
This is the usual Splunk screen. If you press > on the left side of the displayed event, a field menu will appear.
Click the ">Event Action▽" button above the type. Select Extract Field from the menu.
There is a list of fields on the left side, select "Field Definition" from the list.
The field definition screen will open in a separate window. First, select the line containing the string you want to define. I love that it's interactive.
With Ver.6.3, two round icons have appeared at the bottom of the screen! ! Choose either regular expression or delimiter (specified delimiter) method. Let's choose a regular expression.
・・・・・・
・・・・・・
・・・・・・
... Nothing happens.
Please be careful here. After clicking on the two icons, the selected icons will be colored and you will not be able to proceed unless you press "Next" on the wizard progress screen above.
When you press Next, the log will be displayed below, so trace the string you want to extract with your mouse and highlight it. After selection, it will be recognized and the string will be reversed. If you look further below, you can see the part recognized as a sample highlighted.
If you do so, a field name input screen will appear for the specified string. Field names will be used in searches and formulas, so be sure to use English characters.
Splunk now recognizes the machine data string as an item, or field name.
Click Next to move to the confirmation screen. If an error occurs here, you can cancel by clicking the highlighted part again. While regular expressions allow detailed string manipulation, they register each field name one by one, so attempting to register multiple fields will result in an error.
Being able to extract data while checking the contents on-demand with a wizard is really like a wizard compared to when you had to write a conf file each time!
When you click Next, you will be taken to a confirmation screen where you can check the extraction results in advance.
If you have mistakenly recognized and extracted it at this point, you can remove it by pressing the cross mark in the upper right corner of the highlighted text. This will update the sample screen and further improve the accuracy of extraction.
Splunk automatically recognizes major formats. However, custom logs and those with unusual formats must be recognized by string manipulation.
We have a command reference for Splunk's regular expressions and commands, so please use the request for information.
Delimiter function
Another thing that impresses me is the delimiter and character separation automatic recognition function. Next, let's select the delimiter screen on the right.
First, select the line you want to recognize. The screen will switch to the delimiter setting screen. There are selection buttons for spaces, tabs, commas, etc. in the center of the screen, so let's select Space here.
After a few moments, all the strings will be separated and displayed as a list. That's excellent! !
Furthermore, there will be characters with a number attached to the field name. If you press the pencil mark here, you can name the field of your choice. Recognizing them in delimiter mode is easier because you can set them all at once, but it may make the system a bit slow.
Once the fields have been extracted, a link to the search screen will appear, so get excited and move on to the search screen! !
You will be freed from configuration work such as setting SIEM rules, troublesome schema settings for log management tools, and installing connectors for each model, and you will be able to significantly shorten the time for system construction and operation management!
Next time, let's introduce what we found interesting in 6.3!
Splunk> Ninjas are too busy!
Inquiry/Document request
In charge of Macnica Splunk Co., Ltd.
- TEL:045-476-2010
- E-mail:splunk-sales@macnica.co.jp
Mon-Fri 8:45-17:30
