New  Features,  Pivot  and  Search  Dojo  David  Anso  

Technical  Enablement  Manager,  GKC  

2  

Safe  Harbor  Statement  During   the   course   of   this   presentaDon,   we  may  make   forward   looking   statements   regarding   future  events  or  the  expected  performance  of  the  company.  We  cauDon  you  that  such  statements  reflect  our  current  expectaDons  and  esDmates  based  on  factors  currently  known  to  us  and  that  actual  events  or  results  could  differ  materially.  For  important  factors  that  may  cause  actual  results  to  differ  from  those  contained  in  our  forward-­‐looking  statements,  please  review  our  filings  with  the  SEC.    The  forward-­‐looking  statements  made  in  this  presentaDon  are  being  made  as  of  the  Dme  and  date  of  its  live  presentaDon.  If  reviewed  aOer  its  live  presentaDon,  this  presentaDon  may  not  contain  current  or  accurate  informaDon.    We  do  not  assume  any  obligaDon  to  update  any  forward  looking  statements  we  may  make.    In  addiDon,  any  informaDon  about  our  roadmap  outlines  our  general  product  direcDon  and  is  subject  to  change  at  any  Dme  without  noDce.   It   is   for   informaDonal  purposes  only  and  shall  not  be   incorporated   into  any  contract   or   other   commitment.   Splunk   undertakes   no   obligaDon   either   to   develop   the   features   or  funcDonality  described  or  to  include  any  such  feature  or  funcDonality  in  a  future  release.  

New  Features  

Pivot  

Search  Dojo  

AGENDA

6.3  New  Features  

5  

New  Features  

Demo:  Splunk  6.3  Overview  App  

Pivot  

7  

Pivot  

Demo:  Instant  Pivot  

8  

Pivot  

Demo:  Instant  Pivot    Pivot  Tutorial  

9  

Pivot  

Demo:  Instant  Pivot    Pivot  Tutorial    Splunk  CIM  Data  Model  

Search  Dojo  

11  

Search  Dojo  

Comment  your  search:    sourcetype=access_combined | eval COMMENT="Examine all web logs" sourcetype=access_combined_wcookie | rename COMMENT AS "Examine all web logs"

12  

Search  Dojo  

13  

Search  Dojo  

14  

Search  Dojo  

Use  a  subsearch  to  improve  performance.    sourcetype=access_combined [|inputlookup ip_watchlist.csv | search type=malicious | fields clientip ]

15  

Search  Dojo  

Use  a  subsearch  to  search  for  text  rather  than  a  field.    sourcetype=access_combined [|inputlookup ip_watchlist.csv | search type=malicious | fields clientip | rename clientip as query ]

16  

Search  Dojo  

Issues  with  the  subsearch  approach:    Subsearches  have  a  limit  of  10,000  results.    If  there  are  more  result  for  the  subsearch,  only  10,000  of  them  will  make  it  through.    While  searching  text  may  prove  faster,  it  will  prevent  you  matching  any  field  values  that  are  created  by  calculated  fields,  lookups,  etc.

17  

Search  Dojo  

Ensuring  your  search  returns  a  result:   | inputlookup malwaredomains.csv |head 10 |append [ |stats count | eval domain="splunk.com" | eval category="exploits" | eval isbad="false" | eval reference="Test match to ensure results from search" ]