New Features, Pivot and Search Dojo
David Anso, Technical Enablement Manager, GKC
Safe Harbor Statement During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
AGENDA
New Features
Pivot
Search Dojo
6.3 New Features
New Features
Demo: Splunk 6.3 Overview App
Pivot
Pivot
Demo: Instant Pivot
Pivot Tutorial
Splunk CIM Data Model
Search Dojo
Search Dojo
Comment your search. Either create a throwaway field with eval, which adds a COMMENT field to every event, or rename a field that does not exist, which is a no-op and leaves the events untouched:

sourcetype=access_combined | eval COMMENT="Examine all web logs"

sourcetype=access_combined_wcookie | rename COMMENT AS "Examine all web logs"
Use a subsearch to improve performance. Instead of pulling every web event and filtering it against the watchlist afterwards, let the subsearch read the watchlist first; its rows are rewritten into a clientip=... OR clientip=... filter, so the outer search only retrieves events whose client address is on the list:

sourcetype=access_combined [| inputlookup ip_watchlist.csv | search type=malicious | fields clientip ]
Use a subsearch to search for text rather than a field. Renaming the returned field to query makes the subsearch hand back bare search terms instead of clientip=value pairs, so the outer search matches the address wherever it appears in the raw event:

sourcetype=access_combined [| inputlookup ip_watchlist.csv | search type=malicious | fields clientip | rename clientip as query ]
Issues with the subsearch approach:
Subsearches have a limit of 10,000 results (limits.conf [subsearch] maxout; a 60-second maxtime default also applies). If the subsearch returns more results than that, only the first 10,000 are passed through and the rest are dropped silently, so watchlist entries past the cutoff are never matched and nothing in the search tells you so.
While searching text may prove faster, it will prevent you from matching any field values that are created by calculated fields, lookups, etc., because those values are not present in the raw event text.
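As an added illustration (Python written for this page, not Splunk code), the model below mimics how the three watchlist searches above behave: it reads a constructed stand-in for ip_watchlist.csv, rewrites the matching rows into the OR clause a subsearch splices into the outer search (roughly as | format renders it), applies the maxout cutoff, and then runs the result over a few constructed access_combined events both as a clientip field filter and as bare text terms. PROXY_LOOKUP is a hypothetical lookup that supplies clientip only at search time; the addresses are RFC 5737 documentation ranges. Running it shows the two failure modes the slide warns about: with maxout=2 one watchlisted address is dropped without any error, and the text-term form both over-matches (an address inside a URL) and under-matches (an address that exists only as a lookup output).

```python
import csv
import io
import re

# Constructed stand-in for ip_watchlist.csv (RFC 5737 documentation addresses, not real data).
WATCHLIST_CSV = """clientip,type
203.0.113.7,malicious
203.0.113.9,malicious
198.51.100.5,benign
203.0.113.11,malicious
"""

# Constructed access_combined events. The third carries a watchlisted address only
# inside the request URL; the fourth carries only a proxy hostname in _raw.
ACCESS_LOG = [
    '203.0.113.7 - - [10/Oct/2015:13:55:36 -0700] "GET /login HTTP/1.1" 200 2326',
    '198.51.100.5 - - [10/Oct/2015:13:55:37 -0700] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.4 - - [10/Oct/2015:13:55:38 -0700] "GET /?next=203.0.113.9 HTTP/1.1" 302 0',
    'proxy-a.example - - [10/Oct/2015:13:55:39 -0700] "POST /api HTTP/1.1" 500 0',
]

# Hypothetical lookup that maps a proxy hostname to the real client address,
# i.e. a clientip value that exists only after lookup processing, never in _raw.
PROXY_LOOKUP = {"proxy-a.example": "203.0.113.11"}


def subsearch_rows(csv_text, type_filter="malicious"):
    """| inputlookup ip_watchlist.csv | search type=malicious | fields clientip"""
    return [r["clientip"] for r in csv.DictReader(io.StringIO(csv_text))
            if r["type"] == type_filter]


def format_subsearch(values, field, maxout=10000):
    """Turn subsearch rows into the clause spliced into the outer search, the way
    `| format` renders them: one ( field="value" ) clause per row, OR'd together.
    A field named `query` is inserted as bare search terms instead. Rows past
    maxout (limits.conf [subsearch], default 10000) are dropped with no error;
    the number dropped is returned so the caller can see the truncation."""
    kept = values[:maxout]
    if field == "query":
        clause = " OR ".join(f"( {v} )" for v in kept)
    else:
        clause = " OR ".join(f'( {field}="{v}" )' for v in kept)
    return f"( {clause} )", len(values) - len(kept)


def extract_fields(line):
    """Search-time extraction of clientip for access_combined, then the proxy lookup."""
    host = line.split(" ", 1)[0]
    fields = {"clientip": host, "_raw": line}
    if host in PROXY_LOOKUP:
        fields["clientip"] = PROXY_LOOKUP[host]  # lookup output overrides the extracted value
    return fields


def match_field(lines, ips):
    """clientip="x" matches the field value, including one supplied by a lookup."""
    return [l for l in lines if extract_fields(l)["clientip"] in ips]


def match_text(lines, ips):
    """A bare term matches the token anywhere in _raw, whatever field it belongs to."""
    if not ips:
        return []
    pat = re.compile(r"(?<![\w.])(" + "|".join(map(re.escape, ips)) + r")(?![\w.])")
    return [l for l in lines if pat.search(l)]


def run(maxout=10000):
    """Build both subsearch forms under a given maxout and report what each matches."""
    ips = subsearch_rows(WATCHLIST_CSV)
    field_clause, dropped = format_subsearch(ips, "clientip", maxout)
    text_clause, _ = format_subsearch(ips, "query", maxout)
    kept = ips[:maxout]
    return {
        "field_clause": field_clause,
        "text_clause": text_clause,
        "dropped": dropped,
        "field_hits": [extract_fields(l)["clientip"] for l in match_field(ACCESS_LOG, kept)],
        "text_hits": [l.split(" ", 1)[0] for l in match_text(ACCESS_LOG, kept)],
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, "=", value)
    print("with maxout=2:", run(maxout=2)["dropped"], "watchlist row(s) silently dropped")
```

With the full list, the field form matches the two events whose clientip is watchlisted (one of them only via the lookup), while the text form instead matches the event that merely carries a watchlisted address in its URL and misses the proxied one. Lowering maxout to 2 drops the last watchlist row and, with it, the proxied event, without any indication in the output.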
Ensuring your search returns a result. Append a known sentinel row so that a scheduled search or alert always has at least one row to work with and the match logic can be exercised; the row is tagged with isbad="false" and a reference note so it can be recognised and filtered out before the results are acted on:

| inputlookup malwaredomains.csv | head 10 | append [ | stats count | eval domain="splunk.com" | eval category="exploits" | eval isbad="false" | eval reference="Test match to ensure results from search" ]