SplunkLive Auckland 2015 - New Features, Pivot and Search Dojo
David Anso
Technical Enablement Manager, GKC

Safe Harbor Statement

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

AGENDA
New Features
Pivot
Search Dojo

6.3 New Features
Demo: Splunk 6.3 Overview App
Pivot
Demo: Instant Pivot
Pivot Tutorial
Splunk CIM Data Model

Search Dojo
Comment your search:

```spl
sourcetype=access_combined | eval COMMENT="Examine all web logs"
```

```spl
sourcetype=access_combined_wcookie | rename COMMENT AS "Examine all web logs"
```

Use a subsearch to improve performance.

```spl
sourcetype=access_combined
    [ | inputlookup ip_watchlist.csv
      | search type=malicious
      | fields clientip ]
```

Use a subsearch to search for text rather than a field.

```spl
sourcetype=access_combined
    [ | inputlookup ip_watchlist.csv
      | search type=malicious
      | fields clientip
      | rename clientip as query ]
```

Issues with the subsearch approach:

Subsearches have a limit of 10,000 results. If the subsearch returns more results, only 10,000 of them will make it through.

While searching text may prove faster, it will prevent you from matching any field values that are created by calculated fields, lookups, etc.

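A check for the first issue above, as an added example that is not from the original slides: it counts the rows the watchlist subsearch would return and flags when that count exceeds the 10,000-result limit stated above, so a growing watchlist does not silently lose coverage. The field names `watchlist_rows`, `subsearch_limit`, `dropped_rows` and `status` are assumptions chosen for illustration; the inline comments use the `rename COMMENT` idiom from the deck.

```spl
| inputlookup ip_watchlist.csv
| search type=malicious
| rename COMMENT AS "Added example: the same generating search as the watchlist subsearch, counted instead of fed to the outer search"
| stats count AS watchlist_rows
| rename COMMENT AS "subsearch_limit is the 10,000 figure from the slide (assumed to apply to your deployment)"
| eval subsearch_limit=10000
| eval dropped_rows=if(watchlist_rows > subsearch_limit, watchlist_rows - subsearch_limit, 0)
| eval status=if(dropped_rows > 0, "TRUNCATED", "ok")
| table watchlist_rows subsearch_limit dropped_rows status
```

A `status` of `TRUNCATED` means `dropped_rows` watchlist entries would never reach the outer search.
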
Ensuring your search returns a result:

```spl
| inputlookup malwaredomains.csv
| head 10
| append
    [ | stats count
      | eval domain="splunk.com"
      | eval category="exploits"
      | eval isbad="false"
      | eval reference="Test match to ensure results from search" ]
```