Connecteur Splunk

Last modified by jhurst on 2024/04/02 14:25

{{ddtoc/}}

= Prerequisite =

* A Splunk server and credentials for it (see the Authentication section below)

= Selecting a new datasource =

DigDash Enterprise allows you to retrieve information from your Splunk account.

Select the type of report you want to work with in the toolbar at the bottom of the page.

[[image:splunk_connector_en_html_1074d530141bae54.gif]]

[[image:splunk_connector_en_html_c2c4f1dc2c148d83.png||height="129" width="488"]]

**OR** click on **New model** in the datasource manager tab and choose **Splunk...**.

[[image:splunk_connector_en_html_b8afd4123c6cdaec.png||height="58" width="283"]]

[[image:splunk_connector_en_html_6621cb98529bfc04.png||height="369" width="255"]]

= Authentication =

[[image:splunk_connector_en_html_9bac2c2b81cbad16.png||height="138" width="494"]]

//__Screenshot: Interface for authentication and loading Splunk indexes__//

DigDash requires the following information to connect to your Splunk account:

* **Server URL**: your Splunk server URL, in the form <protocol>:~/~/<host>:<port>
* **User**: your Splunk user name
* **Password**: your Splunk password

= Listing all Splunk indexes =

Once you are authenticated, a drop-down list in the user interface shows all the Splunk indexes available on your server.

[[image:splunk_connector_en_html_29dd31ef2228ace3.png||height="142" width="483"]]

//__Screenshot: Drop-down list displaying all Splunk indexes after authentication__//

= Splunk search text field =

You can retrieve Splunk information by entering search commands in a text field.

[[image:splunk_connector_en_html_b5538053a29cfbe5.png||height="166" width="554"]]

//__Screenshot: Splunk search text field__//

The syntax for CLI (command line) searches is similar to the syntax for searches you run from Splunk Web.

[[http:~~/~~/docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CLIsearchsyntax>>url:http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CLIsearchsyntax]]

However, a few particularities must be taken into account.

== Search command ==

Splunk search strings must always start with the //search// command. You may nevertheless omit it: DigDash adds it to your search string implicitly.

__Example__:

Entering the search string

« index=_internal * | head 10 »

is the same as

« search index=_internal * | head 10 »

== Index selection ==

Selecting an index automatically inserts the filter « //index=<index-name>// » into your search string, right after the //search// command.

(% class="box" %)
(((
__Examples__: let's assume the index « _internal » is selected in the list.
)))

[[image:splunk_connector_en_html_5acb93b113aae240.png||height="111" width="254"]]
\\

//__Screenshot: the index « _internal » is selected__//

1/ Entering the search string

« * | head 10 »

is the same as

« search index=_internal * | head 10 »

2/ Entering the search string

« search * | head 10 »

is the same as

« search index=_internal * | head 10 »

If no index is selected, you may mention an index name directly in your search string.

(% class="box" %)
(((
__Example__: let's assume no index is selected in the index list.
)))

[[image:splunk_connector_en_html_b0d796e9d222d112.png||height="97" width="250"]]
\\

//__Screenshot: No index is selected__//

Entering the search string

« index=_internal * | head 10 »

is the same as

« search index=_internal * | head 10 »

== Time ranges ==

As in Splunk Web, you can specify a static period of time and get the data related to that time range, using two filters: //earliest// and //latest//.

If neither of these filters is mentioned in your search string, the filters earliest=-1h and latest=now are taken into account.

You can specify two types of time ranges:

* Absolute time ranges: an absolute time range uses specific dates and times, for example from 12 A.M. November 1, 2017 to 12 A.M. November 13, 2017.
* Relative time ranges: a relative time range depends on when the search is run. For example, a relative time range of -60m means 60 minutes ago. If the current time is 3 P.M., the search returns events from the last 60 minutes, that is from 2 P.M. to 3 P.M. today.

The different syntaxes are available in the official Splunk documentation:

[[https:~~/~~/docs.splunk.com/Documentation/Splunk/7.1.2/Search/Specifytimemodifiersinyoursearch>>url:https://docs.splunk.com/Documentation/Splunk/7.1.2/Search/Specifytimemodifiersinyoursearch]]

|(% colspan="2" %)Entered values|(% colspan="2" %)Values taken into account
|earliest|latest|earliest|latest
|10/19/2017:0:0:0|10/27/2017:0:0:0|10/19/2017:0:0:0|10/27/2017:0:0:0
|10/19/2017:0:0:0|Ø|10/19/2017:0:0:0|now
|Ø|Ø|-1h|now

//__Table: dates taken into account for Splunk searches__//

== Maximum number of results ==

By default, and for performance reasons, the maximum number of results returned by a Splunk search is 10,000. You can change this number by adding the command “//head <integer>//” to your search string.

(% class="box" %)
(((
__Example__: entering the search string “search index=_internal | head 10” will return the first 10 results of the Splunk search.
)))
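The rewriting rules described in the Search command, Index selection, Time ranges and Maximum number of results sections, gathered into one helper so the effective search can be checked before it is sent to Splunk. This is an added example written for this page, not DigDash's own code: the function name effective_search, the EffectiveSearch result type and the assumption that earliest/latest are read from the search string itself are all hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Defaults stated on this page
DEFAULT_EARLIEST = "-1h"
DEFAULT_LATEST = "now"
DEFAULT_MAX_RESULTS = 10_000

_TIME_RE = re.compile(r"\b(earliest|latest)\s*=\s*(\S+)")
_HEAD_RE = re.compile(r"\|\s*head\s+(\d+)\b")


@dataclass
class EffectiveSearch:
    """What the connector would actually run for a given search string (hypothetical type)."""
    search: str        # search string after the implicit rewrites
    earliest: str      # effective earliest time modifier
    latest: str        # effective latest time modifier
    max_results: int   # effective result cap


def effective_search(query: str, selected_index: Optional[str] = None) -> EffectiveSearch:
    """Apply the connector's rewriting rules to a user-entered search string.

    Hypothetical helper reproducing the behaviour this page describes;
    it is not DigDash's own implementation.
    """
    q = query.strip()

    # Rule 1: the string must start with the search command; if the user
    # omitted it, it is added implicitly.
    if not re.match(r"search\b", q):
        q = f"search {q}".rstrip()

    # Rule 2: a selected index is inserted as index=<name> right after
    # the search command, so the user does not need to type it.
    if selected_index:
        q = f"search index={selected_index}" + q[len("search"):]

    # Rule 3: earliest/latest default to -1h/now when absent from the string;
    # a lone earliest keeps latest=now (see the time-range table).
    times = dict(_TIME_RE.findall(q))
    earliest = times.get("earliest", DEFAULT_EARLIEST)
    latest = times.get("latest", DEFAULT_LATEST)

    # Rule 4: "head <integer>" overrides the default 10,000-result cap.
    m = _HEAD_RE.search(q)
    max_results = int(m.group(1)) if m else DEFAULT_MAX_RESULTS

    return EffectiveSearch(q, earliest, latest, max_results)
```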