[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:02.00,0:00:03.32,Default,,0000,0000,0000,,hello Dialogue: 0,0:00:03.32,0:00:06.84,Default,,0000,0000,0000,,everyone we are getting started here on Dialogue: 0,0:00:06.84,0:00:09.88,Default,,0000,0000,0000,,our August lunch and learn session Dialogue: 0,0:00:09.88,0:00:12.64,Default,,0000,0000,0000,,presented by Ken group's Atlas customer Dialogue: 0,0:00:12.64,0:00:16.40,Default,,0000,0000,0000,,experience team my name is Alice Deane I Dialogue: 0,0:00:16.40,0:00:19.16,Default,,0000,0000,0000,,am the engineering manager for the atlas Dialogue: 0,0:00:19.16,0:00:21.96,Default,,0000,0000,0000,,customer experience team and I'm excited Dialogue: 0,0:00:21.96,0:00:24.80,Default,,0000,0000,0000,,to be presenting this month's session on Dialogue: 0,0:00:24.80,0:00:28.00,Default,,0000,0000,0000,,intermediate level Splunk searching so Dialogue: 0,0:00:28.00,0:00:30.20,Default,,0000,0000,0000,,thank you all for attending I hope you Dialogue: 0,0:00:30.20,0:00:33.00,Default,,0000,0000,0000,,get some good ideas out of this uh and Dialogue: 0,0:00:33.00,0:00:35.12,Default,,0000,0000,0000,,certainly encourage engagement through Dialogue: 0,0:00:35.12,0:00:37.04,Default,,0000,0000,0000,,the chat uh and I'll have some Dialogue: 0,0:00:37.04,0:00:39.80,Default,,0000,0000,0000,,information at the end on following up Dialogue: 0,0:00:39.80,0:00:42.24,Default,,0000,0000,0000,,uh and speaking with my team directly on Dialogue: 0,0:00:42.24,0:00:45.88,Default,,0000,0000,0000,,any issues uh or interests that you have Dialogue: 0,0:00:45.88,0:00:48.00,Default,,0000,0000,0000,,uh around these types of Concepts that Dialogue: 0,0:00:48.00,0:00:51.52,Default,,0000,0000,0000,,we're going to cover today so uh jumping Dialogue: 0,0:00:51.52,0:00:55.20,Default,,0000,0000,0000,,into an intermediate level uh session I Dialogue: 
0,0:00:55.20,0:00:57.96,Default,,0000,0000,0000,,I do want to say that we have previously Dialogue: 0,0:00:57.96,0:01:02.12,Default,,0000,0000,0000,,done a basic level uh searching uh Dialogue: 0,0:01:02.12,0:01:05.28,Default,,0000,0000,0000,,session so that we are really Dialogue: 0,0:01:05.28,0:01:07.36,Default,,0000,0000,0000,,progressing from that picking up right Dialogue: 0,0:01:07.36,0:01:09.40,Default,,0000,0000,0000,,where we left off uh we've done that Dialogue: 0,0:01:09.40,0:01:10.64,Default,,0000,0000,0000,,session with quite a few of our Dialogue: 0,0:01:10.64,0:01:12.92,Default,,0000,0000,0000,,customers individually uh and highly Dialogue: 0,0:01:12.92,0:01:14.64,Default,,0000,0000,0000,,recommend if you're interested in doing Dialogue: 0,0:01:14.64,0:01:18.20,Default,,0000,0000,0000,,that or this session with a larger team Dialogue: 0,0:01:18.20,0:01:19.92,Default,,0000,0000,0000,,uh we're happy to to discuss and Dialogue: 0,0:01:19.92,0:01:22.84,Default,,0000,0000,0000,,coordinate that uh so getting started Dialogue: 0,0:01:22.84,0:01:25.60,Default,,0000,0000,0000,,we're going to take a look at the final Dialogue: 0,0:01:25.60,0:01:29.00,Default,,0000,0000,0000,,search uh from our basic search session Dialogue: 0,0:01:29.00,0:01:31.16,Default,,0000,0000,0000,,uh and we're going to walk through that Dialogue: 0,0:01:31.16,0:01:34.16,Default,,0000,0000,0000,,understand some of the concepts uh and Dialogue: 0,0:01:34.16,0:01:36.48,Default,,0000,0000,0000,,then we're going to take a step back Dialogue: 0,0:01:36.48,0:01:39.48,Default,,0000,0000,0000,,look a little more generally at SPL Dialogue: 0,0:01:39.48,0:01:41.76,Default,,0000,0000,0000,,operations and understanding how Dialogue: 0,0:01:41.76,0:01:46.20,Default,,0000,0000,0000,,different commands apply to data uh and Dialogue: 0,0:01:46.20,0:01:49.32,Default,,0000,0000,0000,,really that next level of understanding Dialogue: 0,0:01:49.32,0:01:51.76,Default,,0000,0000,0000,,for how you can write 
more complex Dialogue: 0,0:01:51.76,0:01:54.12,Default,,0000,0000,0000,,searches and understand really uh when Dialogue: 0,0:01:54.12,0:01:57.12,Default,,0000,0000,0000,,to use certain types of commands uh and Dialogue: 0,0:01:57.12,0:01:59.56,Default,,0000,0000,0000,,of course uh in the session we're going Dialogue: 0,0:01:59.56,0:02:04.40,Default,,0000,0000,0000,,to to have a uh series of demos uh using Dialogue: 0,0:02:04.40,0:02:07.36,Default,,0000,0000,0000,,a few specific commands highlighting the Dialogue: 0,0:02:07.36,0:02:10.44,Default,,0000,0000,0000,,different SPL command types uh that we Dialogue: 0,0:02:10.44,0:02:12.84,Default,,0000,0000,0000,,discuss in the second portion uh and get Dialogue: 0,0:02:12.84,0:02:15.88,Default,,0000,0000,0000,,to see that on the tutorial data uh that Dialogue: 0,0:02:15.88,0:02:18.16,Default,,0000,0000,0000,,you can also use uh in your environment Dialogue: 0,0:02:18.16,0:02:20.84,Default,,0000,0000,0000,,in a test environment uh very Dialogue: 0,0:02:20.84,0:02:24.20,Default,,0000,0000,0000,,simply so I will always encourage uh Dialogue: 0,0:02:24.20,0:02:27.72,Default,,0000,0000,0000,,especially with search content that you Dialogue: 0,0:02:27.72,0:02:30.32,Default,,0000,0000,0000,,look into the additional resource that I Dialogue: 0,0:02:30.32,0:02:34.12,Default,,0000,0000,0000,,have listed here the uh search reference Dialogue: 0,0:02:34.12,0:02:36.44,Default,,0000,0000,0000,,documentation is one of my favorite Dialogue: 0,0:02:36.44,0:02:38.76,Default,,0000,0000,0000,,bookmarks that I use frequently in my Dialogue: 0,0:02:38.76,0:02:41.00,Default,,0000,0000,0000,,own environments and working in customer Dialogue: 0,0:02:41.00,0:02:43.56,Default,,0000,0000,0000,,environments uh it is really the the Dialogue: 0,0:02:43.56,0:02:46.00,Default,,0000,0000,0000,,best quick resource to get information Dialogue: 0,0:02:46.00,0:02:49.56,Default,,0000,0000,0000,,on syntax and examples of any Search Dialogue: 
0,0:02:49.56,0:02:51.76,Default,,0000,0000,0000,,Command uh and is always a great Dialogue: 0,0:02:51.76,0:02:55.00,Default,,0000,0000,0000,,resource to have the search manual is a Dialogue: 0,0:02:55.00,0:02:57.08,Default,,0000,0000,0000,,little bit more conceptual but as you're Dialogue: 0,0:02:57.08,0:02:59.12,Default,,0000,0000,0000,,learning more about different types of Dialogue: 0,0:02:59.12,0:03:00.36,Default,,0000,0000,0000,,search operations Dialogue: 0,0:03:00.36,0:03:02.44,Default,,0000,0000,0000,,it's very helpful to be able to review Dialogue: 0,0:03:02.44,0:03:03.36,Default,,0000,0000,0000,,this Dialogue: 0,0:03:03.36,0:03:05.56,Default,,0000,0000,0000,,documentation and have reference Dialogue: 0,0:03:05.56,0:03:08.68,Default,,0000,0000,0000,,material that you can come back to uh as Dialogue: 0,0:03:08.68,0:03:11.08,Default,,0000,0000,0000,,you are studying and trying to get Dialogue: 0,0:03:11.08,0:03:13.48,Default,,0000,0000,0000,,better and writing more complex uh Dialogue: 0,0:03:13.48,0:03:16.88,Default,,0000,0000,0000,,search content I have also linked here Dialogue: 0,0:03:16.88,0:03:18.96,Default,,0000,0000,0000,,the documentation on how to use the Dialogue: 0,0:03:18.96,0:03:21.80,Default,,0000,0000,0000,,Splunk tutorial data uh so if you've not Dialogue: 0,0:03:21.80,0:03:23.36,Default,,0000,0000,0000,,done that before it's a very simple Dialogue: 0,0:03:23.36,0:03:25.92,Default,,0000,0000,0000,,process uh and there are consistently Dialogue: 0,0:03:25.92,0:03:28.28,Default,,0000,0000,0000,,updated download files that spun Dialogue: 0,0:03:28.28,0:03:30.68,Default,,0000,0000,0000,,provides uh that you're able to directly Dialogue: 0,0:03:30.68,0:03:33.44,Default,,0000,0000,0000,,upload into any spunk environment so Dialogue: 0,0:03:33.44,0:03:35.56,Default,,0000,0000,0000,,that's what I'm going to be using today Dialogue: 0,0:03:35.56,0:03:39.00,Default,,0000,0000,0000,,uh and given that you are searching over Dialogue: 
0,0:03:39.00,0:03:41.40,Default,,0000,0000,0000,,uh appropriate time windows for when you Dialogue: 0,0:03:41.40,0:03:43.92,Default,,0000,0000,0000,,download the tutorial data set uh these Dialogue: 0,0:03:43.92,0:03:46.52,Default,,0000,0000,0000,,searches will work uh on the tutorial Dialogue: 0,0:03:46.52,0:03:48.76,Default,,0000,0000,0000,,data as well so highly encourage after Dialogue: 0,0:03:48.76,0:03:50.88,Default,,0000,0000,0000,,the fact if you want to go through uh Dialogue: 0,0:03:50.88,0:03:53.76,Default,,0000,0000,0000,,and test out some of the content um Dialogue: 0,0:03:53.76,0:03:56.92,Default,,0000,0000,0000,,you'll be able to access a recording as Dialogue: 0,0:03:56.92,0:03:59.36,Default,,0000,0000,0000,,well as if you'd like the slides that Dialogue: 0,0:03:59.36,0:04:00.96,Default,,0000,0000,0000,,I'm Pres presenting off of today which I Dialogue: 0,0:04:00.96,0:04:02.28,Default,,0000,0000,0000,,highly encourage because there are a lot Dialogue: 0,0:04:02.28,0:04:04.80,Default,,0000,0000,0000,,of useful links in here uh reach out to Dialogue: 0,0:04:04.80,0:04:06.76,Default,,0000,0000,0000,,my team again right at the end of the Dialogue: 0,0:04:06.76,0:04:08.60,Default,,0000,0000,0000,,slides we'll have that Dialogue: 0,0:04:08.60,0:04:13.08,Default,,0000,0000,0000,,info so looking at our overview of basic Dialogue: 0,0:04:13.08,0:04:15.80,Default,,0000,0000,0000,,search uh I just want to cover Dialogue: 0,0:04:15.80,0:04:18.12,Default,,0000,0000,0000,,conceptually uh the two categories that Dialogue: 0,0:04:18.12,0:04:21.64,Default,,0000,0000,0000,,we discuss in that session and so those Dialogue: 0,0:04:21.64,0:04:24.20,Default,,0000,0000,0000,,two are the statistical and charting Dialogue: 0,0:04:24.20,0:04:28.48,Default,,0000,0000,0000,,functions uh which consist of in those Dialogue: 0,0:04:28.48,0:04:31.48,Default,,0000,0000,0000,,demos aggregate and time functions so Dialogue: 0,0:04:31.48,0:04:33.92,Default,,0000,0000,0000,,aggregate 
functions are going to be your Dialogue: 0,0:04:33.92,0:04:37.40,Default,,0000,0000,0000,,commonly used statistical functions uh Dialogue: 0,0:04:37.40,0:04:40.40,Default,,0000,0000,0000,,meant for summarization uh and then time Dialogue: 0,0:04:40.40,0:04:43.20,Default,,0000,0000,0000,,functions actually using uh the Dialogue: 0,0:04:43.20,0:04:46.64,Default,,0000,0000,0000,,timestamp field underscore time or any Dialogue: 0,0:04:46.64,0:04:48.60,Default,,0000,0000,0000,,other time that you've extracted from Dialogue: 0,0:04:48.60,0:04:51.76,Default,,0000,0000,0000,,data uh and looking at earliest latest Dialogue: 0,0:04:51.76,0:04:55.00,Default,,0000,0000,0000,,uh relative time values uh in a Dialogue: 0,0:04:55.00,0:04:58.24,Default,,0000,0000,0000,,summative fashion and then evaluation Dialogue: 0,0:04:58.24,0:05:02.32,Default,,0000,0000,0000,,functions are the separate uh type where Dialogue: 0,0:05:02.32,0:05:04.40,Default,,0000,0000,0000,,we discuss comparison and conditional Dialogue: 0,0:05:04.40,0:05:07.60,Default,,0000,0000,0000,,statements so using your if and your Dialogue: 0,0:05:07.60,0:05:10.60,Default,,0000,0000,0000,,case commands uh in Dialogue: 0,0:05:10.60,0:05:14.12,Default,,0000,0000,0000,,evals uh also datetime functions that Dialogue: 0,0:05:14.12,0:05:17.16,Default,,0000,0000,0000,,apply operations to events uniquely uh Dialogue: 0,0:05:17.16,0:05:19.76,Default,,0000,0000,0000,,so not necessarily summarization but Dialogue: 0,0:05:19.76,0:05:22.28,Default,,0000,0000,0000,,interacting with the time values Dialogue: 0,0:05:22.28,0:05:24.32,Default,,0000,0000,0000,,themselves maybe changing the time Dialogue: 0,0:05:24.32,0:05:27.00,Default,,0000,0000,0000,,format uh and then multivalue evalve Dialogue: 0,0:05:27.00,0:05:29.36,Default,,0000,0000,0000,,functions we touch on that very lightly Dialogue: 0,0:05:29.36,0:05:31.72,Default,,0000,0000,0000,,uh and it is more conceptual in basic Dialogue: 
0,0:05:31.72,0:05:34.00,Default,,0000,0000,0000,,search So today we're going to dive in Dialogue: 0,0:05:34.00,0:05:36.12,Default,,0000,0000,0000,,as part of our demo and look at Dialogue: 0,0:05:36.12,0:05:39.16,Default,,0000,0000,0000,,multivalue eval functions uh later in Dialogue: 0,0:05:39.16,0:05:41.32,Default,,0000,0000,0000,,the Dialogue: 0,0:05:41.48,0:05:44.88,Default,,0000,0000,0000,,presentation so on this slide here I Dialogue: 0,0:05:44.88,0:05:48.80,Default,,0000,0000,0000,,have highlighted uh in Gray the search Dialogue: 0,0:05:48.80,0:05:52.12,Default,,0000,0000,0000,,that we end basic search with uh and so Dialogue: 0,0:05:52.12,0:05:55.00,Default,,0000,0000,0000,,that is broken up into three segments Dialogue: 0,0:05:55.00,0:05:57.48,Default,,0000,0000,0000,,where we have uh the first line being a Dialogue: 0,0:05:57.48,0:06:00.24,Default,,0000,0000,0000,,filter to a data set uh this is very Dialogue: 0,0:06:00.24,0:06:03.12,Default,,0000,0000,0000,,simply how you are sourcing most of your Dialogue: 0,0:06:03.12,0:06:06.32,Default,,0000,0000,0000,,data in most of your searches in Splunk Dialogue: 0,0:06:06.32,0:06:08.00,Default,,0000,0000,0000,,uh and we always want to be a specific Dialogue: 0,0:06:08.00,0:06:11.00,Default,,0000,0000,0000,,as possible you'll most often see the Dialogue: 0,0:06:11.00,0:06:13.04,Default,,0000,0000,0000,,The Logical way to do that is by Dialogue: 0,0:06:13.04,0:06:15.68,Default,,0000,0000,0000,,identifying an index and a source type Dialogue: 0,0:06:15.68,0:06:18.12,Default,,0000,0000,0000,,possibly some specific values of given Dialogue: 0,0:06:18.12,0:06:20.20,Default,,0000,0000,0000,,fields in that data before you start Dialogue: 0,0:06:20.20,0:06:22.72,Default,,0000,0000,0000,,applying other operations in our case we Dialogue: 0,0:06:22.72,0:06:25.20,Default,,0000,0000,0000,,want to work with a whole data set uh Dialogue: 0,0:06:25.20,0:06:28.88,Default,,0000,0000,0000,,and then we mve into applying our eval 
Dialogue: 0,0:06:28.88,0:06:30.12,Default,,0000,0000,0000,,statements Dialogue: 0,0:06:30.12,0:06:33.08,Default,,0000,0000,0000,,so in the evals the purpose of these is Dialogue: 0,0:06:33.08,0:06:36.56,Default,,0000,0000,0000,,to create some new fields to work with Dialogue: 0,0:06:36.56,0:06:40.08,Default,,0000,0000,0000,,uh and so we have two operations here uh Dialogue: 0,0:06:40.08,0:06:42.44,Default,,0000,0000,0000,,and you can see that on the first line Dialogue: 0,0:06:42.44,0:06:46.12,Default,,0000,0000,0000,,we're starting with an error check field Dialogue: 0,0:06:46.12,0:06:49.16,Default,,0000,0000,0000,,uh these are web access logs so we're Dialogue: 0,0:06:49.16,0:06:52.72,Default,,0000,0000,0000,,looking at the HTTP status codes as the Dialogue: 0,0:06:52.72,0:06:56.04,Default,,0000,0000,0000,,status field and we have a logical Dialogue: 0,0:06:56.04,0:06:57.60,Default,,0000,0000,0000,,condition here we greater than or equal Dialogue: 0,0:06:57.60,0:07:00.68,Default,,0000,0000,0000,,to 400 we want to return errors and so Dialogue: 0,0:07:00.68,0:07:04.12,Default,,0000,0000,0000,,very simple example uh making it as easy Dialogue: 0,0:07:04.12,0:07:05.88,Default,,0000,0000,0000,,as possible if you want to get specifics Dialogue: 0,0:07:05.88,0:07:08.72,Default,,0000,0000,0000,,on your 200s and your 300s it's the Dialogue: 0,0:07:08.72,0:07:11.64,Default,,0000,0000,0000,,exact same type of logic to go and apply Dialogue: 0,0:07:11.64,0:07:14.12,Default,,0000,0000,0000,,uh likely a case statement to get some Dialogue: 0,0:07:14.12,0:07:17.20,Default,,0000,0000,0000,,additional conditions uh and more unique Dialogue: 0,0:07:17.20,0:07:20.52,Default,,0000,0000,0000,,output in an error check or some sort of Dialogue: 0,0:07:20.52,0:07:23.80,Default,,0000,0000,0000,,field uh indicating uh what you want to Dialogue: 0,0:07:23.80,0:07:25.92,Default,,0000,0000,0000,,see out of your status code so this case Dialogue: 
0,0:07:25.92,0:07:30.08,Default,,0000,0000,0000,,simple errors or the value of non here Dialogue: 0,0:07:30.08,0:07:32.12,Default,,0000,0000,0000,,if we have say at Dialogue: 0,0:07:32.12,0:07:35.40,Default,,0000,0000,0000,,200 we're also using a Time function to Dialogue: 0,0:07:35.40,0:07:39.16,Default,,0000,0000,0000,,create a second field called day uh you Dialogue: 0,0:07:39.16,0:07:41.76,Default,,0000,0000,0000,,may be familiar with some of the uh Dialogue: 0,0:07:41.76,0:07:46.36,Default,,0000,0000,0000,,fields that you get out of uh by default Dialogue: 0,0:07:46.36,0:07:49.76,Default,,0000,0000,0000,,for most any events in Splunk uh and Dialogue: 0,0:07:49.76,0:07:51.76,Default,,0000,0000,0000,,that they're related to breakdowns of Dialogue: 0,0:07:51.76,0:07:56.00,Default,,0000,0000,0000,,the time stamps uh you have day month uh Dialogue: 0,0:07:56.00,0:07:58.24,Default,,0000,0000,0000,,and many others in this case I want to Dialogue: 0,0:07:58.24,0:08:00.56,Default,,0000,0000,0000,,get a specific format for day so we use Dialogue: 0,0:08:00.56,0:08:03.48,Default,,0000,0000,0000,,a strif Time function uh and we have a Dialogue: 0,0:08:03.48,0:08:07.04,Default,,0000,0000,0000,,time format variable here on the actual Dialogue: 0,0:08:07.04,0:08:10.28,Default,,0000,0000,0000,,extracted time stamp first of BL so Dialogue: 0,0:08:10.28,0:08:12.04,Default,,0000,0000,0000,,coming out of the second line we've Dialogue: 0,0:08:12.04,0:08:14.32,Default,,0000,0000,0000,,accessed our data we have created two Dialogue: 0,0:08:14.32,0:08:17.48,Default,,0000,0000,0000,,new fields to use and then we are Dialogue: 0,0:08:17.48,0:08:20.96,Default,,0000,0000,0000,,actually performing uh charting with a Dialogue: 0,0:08:20.96,0:08:23.68,Default,,0000,0000,0000,,statistical function and so that is Dialogue: 0,0:08:23.68,0:08:26.24,Default,,0000,0000,0000,,using time chart and we can see here Dialogue: 0,0:08:26.24,0:08:29.16,Default,,0000,0000,0000,,that we are counting our 
events that Dialogue: 0,0:08:29.16,0:08:33.48,Default,,0000,0000,0000,,actually have the error value uh for our Dialogue: 0,0:08:33.48,0:08:36.00,Default,,0000,0000,0000,,created error check field and so I'm Dialogue: 0,0:08:36.00,0:08:39.28,Default,,0000,0000,0000,,going to Pivot over to uh Splunk here Dialogue: 0,0:08:39.28,0:08:40.88,Default,,0000,0000,0000,,and we're going to look at this search Dialogue: 0,0:08:40.88,0:08:43.44,Default,,0000,0000,0000,,and I have commented out uh most of the Dialogue: 0,0:08:43.44,0:08:46.28,Default,,0000,0000,0000,,logic we'll step back through it uh we Dialogue: 0,0:08:46.28,0:08:49.20,Default,,0000,0000,0000,,are looking at our web access log events Dialogue: 0,0:08:49.20,0:08:52.80,Default,,0000,0000,0000,,here uh and we want to then apply our Dialogue: 0,0:08:52.80,0:08:58.24,Default,,0000,0000,0000,,eval and so by applying the eval we can Dialogue: 0,0:08:58.24,0:09:01.28,Default,,0000,0000,0000,,get our error check field that provides Dialogue: 0,0:09:01.28,0:09:03.28,Default,,0000,0000,0000,,error or non-error we're seeing that we Dialogue: 0,0:09:03.28,0:09:05.16,Default,,0000,0000,0000,,have mostly non-error Dialogue: 0,0:09:05.16,0:09:09.68,Default,,0000,0000,0000,,events uh and then we have the day field Dialogue: 0,0:09:09.68,0:09:11.76,Default,,0000,0000,0000,,and so day is actually providing the Dialogue: 0,0:09:11.76,0:09:14.44,Default,,0000,0000,0000,,full name of day for the time stamp for Dialogue: 0,0:09:14.44,0:09:17.80,Default,,0000,0000,0000,,all these events so with our time chart Dialogue: 0,0:09:17.80,0:09:22.20,Default,,0000,0000,0000,,this is the summarization uh with a Dialogue: 0,0:09:22.20,0:09:24.16,Default,,0000,0000,0000,,condition actually that we're spanning Dialogue: 0,0:09:24.16,0:09:27.72,Default,,0000,0000,0000,,by default over a single day so this may Dialogue: 0,0:09:27.72,0:09:31.84,Default,,0000,0000,0000,,not be a very logical use of a split by Dialogue: 
0,0:09:31.84,0:09:34.36,Default,,0000,0000,0000,,day when we are already using a time Dialogue: 0,0:09:34.36,0:09:37.08,Default,,0000,0000,0000,,chart command that is dividing our Dialogue: 0,0:09:37.08,0:09:41.04,Default,,0000,0000,0000,,results by the time bin uh effectively a Dialogue: 0,0:09:41.04,0:09:46.08,Default,,0000,0000,0000,,span of one day but what we can do uh is Dialogue: 0,0:09:46.08,0:09:50.44,Default,,0000,0000,0000,,change our split by field to host and Dialogue: 0,0:09:50.44,0:09:52.60,Default,,0000,0000,0000,,get a little bit more of a reasonable Dialogue: 0,0:09:52.60,0:09:54.72,Default,,0000,0000,0000,,presentation we were able to see with Dialogue: 0,0:09:54.72,0:09:57.72,Default,,0000,0000,0000,,the counts in the individual days not Dialogue: 0,0:09:57.72,0:09:59.60,Default,,0000,0000,0000,,only split through the time chart but by Dialogue: 0,0:09:59.60,0:10:02.40,Default,,0000,0000,0000,,the day field that we only had values Dialogue: 0,0:10:02.40,0:10:04.96,Default,,0000,0000,0000,,where our Matrix matched up for the Dialogue: 0,0:10:04.96,0:10:09.68,Default,,0000,0000,0000,,actual day so here we have our uh hosts Dialogue: 0,0:10:09.68,0:10:12.64,Default,,0000,0000,0000,,one two and three and then across days Dialogue: 0,0:10:12.64,0:10:15.64,Default,,0000,0000,0000,,counts of the error events that we Dialogue: 0,0:10:15.64,0:10:20.16,Default,,0000,0000,0000,,observe so that is uh the search that we Dialogue: 0,0:10:20.16,0:10:22.44,Default,,0000,0000,0000,,end on in basic search the concepts Dialogue: 0,0:10:22.44,0:10:25.04,Default,,0000,0000,0000,,there being accessing our data uh Dialogue: 0,0:10:25.04,0:10:27.28,Default,,0000,0000,0000,,searching in a descriptive manner using Dialogue: 0,0:10:27.28,0:10:29.32,Default,,0000,0000,0000,,our metadata Fields the index and the Dialogue: 0,0:10:29.32,0:10:32.20,Default,,0000,0000,0000,,Source type uh the evaluation functions Dialogue: 0,0:10:32.20,0:10:33.92,Default,,0000,0000,0000,,where 
we're creating new Fields Dialogue: 0,0:10:33.92,0:10:37.64,Default,,0000,0000,0000,,manipulating data uh and then we have a Dialogue: 0,0:10:37.64,0:10:40.20,Default,,0000,0000,0000,,time chart function uh that is providing Dialogue: 0,0:10:40.20,0:10:42.88,Default,,0000,0000,0000,,some uh summarized statistics here based Dialogue: 0,0:10:42.88,0:10:44.48,Default,,0000,0000,0000,,on the time Dialogue: 0,0:10:44.48,0:10:48.68,Default,,0000,0000,0000,,range so we will pivot back and we're Dialogue: 0,0:10:48.68,0:10:51.40,Default,,0000,0000,0000,,going to take a step back out of the SPL Dialogue: 0,0:10:51.40,0:10:54.20,Default,,0000,0000,0000,,for a second just to talk about these Dialogue: 0,0:10:54.20,0:10:56.52,Default,,0000,0000,0000,,different kinds of search operations Dialogue: 0,0:10:56.52,0:10:59.36,Default,,0000,0000,0000,,that we just performed so you'll hear Dialogue: 0,0:10:59.36,0:11:03.08,Default,,0000,0000,0000,,these terms uh if you are really kind of Dialogue: 0,0:11:03.08,0:11:06.04,Default,,0000,0000,0000,,diving deeper into actual operations of Dialogue: 0,0:11:06.04,0:11:09.92,Default,,0000,0000,0000,,Splunk searching uh and you can get very Dialogue: 0,0:11:09.92,0:11:12.56,Default,,0000,0000,0000,,detailed regarding the optimization of Dialogue: 0,0:11:12.56,0:11:16.28,Default,,0000,0000,0000,,searches uh around uh these types of Dialogue: 0,0:11:16.28,0:11:17.68,Default,,0000,0000,0000,,commands and the order in which you Dialogue: 0,0:11:17.68,0:11:21.40,Default,,0000,0000,0000,,choose to execute SPL today I'm going to Dialogue: 0,0:11:21.40,0:11:24.24,Default,,0000,0000,0000,,focus on how these operations actually Dialogue: 0,0:11:24.24,0:11:27.24,Default,,0000,0000,0000,,apply to the data and helping you to Dialogue: 0,0:11:27.24,0:11:29.32,Default,,0000,0000,0000,,make better decisions about what Dialogue: 0,0:11:29.32,0:11:32.32,Default,,0000,0000,0000,,commands are best for the scenario that Dialogue: 
0,0:11:32.32,0:11:34.24,Default,,0000,0000,0000,,you have or the output that you want to Dialogue: 0,0:11:34.24,0:11:37.64,Default,,0000,0000,0000,,see uh and in future sessions we will Dialogue: 0,0:11:37.64,0:11:39.36,Default,,0000,0000,0000,,discuss the actual optimization of Dialogue: 0,0:11:39.36,0:11:42.08,Default,,0000,0000,0000,,searches uh through this optimal order Dialogue: 0,0:11:42.08,0:11:46.44,Default,,0000,0000,0000,,of functions uh and some other means uh Dialogue: 0,0:11:46.44,0:11:48.20,Default,,0000,0000,0000,,but just a caveat there that we're going Dialogue: 0,0:11:48.20,0:11:50.44,Default,,0000,0000,0000,,to talk uh pretty specifically today Dialogue: 0,0:11:50.44,0:11:52.84,Default,,0000,0000,0000,,just about these uh individually how Dialogue: 0,0:11:52.84,0:11:54.72,Default,,0000,0000,0000,,they work with data uh and then how you Dialogue: 0,0:11:54.72,0:11:55.84,Default,,0000,0000,0000,,see them in Dialogue: 0,0:11:55.84,0:11:59.84,Default,,0000,0000,0000,,combination so our types of SPL command Dialogue: 0,0:11:59.84,0:12:03.16,Default,,0000,0000,0000,,the top three in bold we'll focus on in Dialogue: 0,0:12:03.16,0:12:06.08,Default,,0000,0000,0000,,our examples the first of which is Dialogue: 0,0:12:06.08,0:12:07.28,Default,,0000,0000,0000,,streaming Dialogue: 0,0:12:07.28,0:12:10.76,Default,,0000,0000,0000,,operations uh which are executed on Dialogue: 0,0:12:10.76,0:12:13.08,Default,,0000,0000,0000,,individual events as they return by a Dialogue: 0,0:12:13.08,0:12:15.40,Default,,0000,0000,0000,,search uh so you can think of this like Dialogue: 0,0:12:15.40,0:12:16.12,Default,,0000,0000,0000,,your Dialogue: 0,0:12:16.12,0:12:18.88,Default,,0000,0000,0000,,eval um that is going to be doing Dialogue: 0,0:12:18.88,0:12:21.44,Default,,0000,0000,0000,,something to every single event uh Dialogue: 0,0:12:21.44,0:12:24.28,Default,,0000,0000,0000,,modifying Fields when they're available Dialogue: 
0,0:12:24.28,0:12:28.40,Default,,0000,0000,0000,,uh we do have generating functions uh so Dialogue: 0,0:12:28.40,0:12:30.80,Default,,0000,0000,0000,,generating function are going to be used Dialogue: 0,0:12:30.80,0:12:33.84,Default,,0000,0000,0000,,situationally where you're sourcing data Dialogue: 0,0:12:33.84,0:12:38.08,Default,,0000,0000,0000,,from uh non-indexed data sets and so you Dialogue: 0,0:12:38.08,0:12:40.84,Default,,0000,0000,0000,,would see that from uh either input Dialogue: 0,0:12:40.84,0:12:43.76,Default,,0000,0000,0000,,lookup commands uh or maybe tstats Dialogue: 0,0:12:43.76,0:12:46.12,Default,,0000,0000,0000,,pulling information from the tsid X Dialogue: 0,0:12:46.12,0:12:48.92,Default,,0000,0000,0000,,Files uh and so generating the Dialogue: 0,0:12:48.92,0:12:51.08,Default,,0000,0000,0000,,statistical output based on the data Dialogue: 0,0:12:51.08,0:12:55.04,Default,,0000,0000,0000,,available there transforming commands uh Dialogue: 0,0:12:55.04,0:12:58.56,Default,,0000,0000,0000,,you will see uh as often as streaming Dialogue: 0,0:12:58.56,0:13:00.60,Default,,0000,0000,0000,,commands generally speaking and more Dialogue: 0,0:13:00.60,0:13:02.80,Default,,0000,0000,0000,,often than generating commands where Dialogue: 0,0:13:02.80,0:13:05.40,Default,,0000,0000,0000,,transforming is intended to order Dialogue: 0,0:13:05.40,0:13:08.52,Default,,0000,0000,0000,,results into a data table and I often Dialogue: 0,0:13:08.52,0:13:11.32,Default,,0000,0000,0000,,think of this much like how we discuss Dialogue: 0,0:13:11.32,0:13:13.64,Default,,0000,0000,0000,,the statistical functions in basic Dialogue: 0,0:13:13.64,0:13:17.16,Default,,0000,0000,0000,,search as summarization functions where Dialogue: 0,0:13:17.16,0:13:19.52,Default,,0000,0000,0000,,you're looking to condense your overall Dialogue: 0,0:13:19.52,0:13:22.68,Default,,0000,0000,0000,,data set uh into really manageable Dialogue: 0,0:13:22.68,0:13:24.88,Default,,0000,0000,0000,,consumable 
results uh so these Dialogue: 0,0:13:24.88,0:13:28.32,Default,,0000,0000,0000,,operations that apply that summarization Dialogue: 0,0:13:28.32,0:13:31.72,Default,,0000,0000,0000,,are transform perform we do have two Dialogue: 0,0:13:31.72,0:13:35.60,Default,,0000,0000,0000,,additional types of SPL commands uh the Dialogue: 0,0:13:35.60,0:13:39.48,Default,,0000,0000,0000,,first is orchestrating uh you can read Dialogue: 0,0:13:39.48,0:13:41.68,Default,,0000,0000,0000,,about these I will not discuss in great Dialogue: 0,0:13:41.68,0:13:45.20,Default,,0000,0000,0000,,detail uh they are used to manipulate Dialogue: 0,0:13:45.20,0:13:48.64,Default,,0000,0000,0000,,how searches are actually U processed or Dialogue: 0,0:13:48.64,0:13:50.80,Default,,0000,0000,0000,,or how commands are processed uh and Dialogue: 0,0:13:50.80,0:13:54.08,Default,,0000,0000,0000,,they don't directly affect the results Dialogue: 0,0:13:54.08,0:13:56.08,Default,,0000,0000,0000,,in a search how we think about say Dialogue: 0,0:13:56.08,0:13:59.84,Default,,0000,0000,0000,,applying a stats or an eval uh to a data Dialogue: 0,0:13:59.84,0:14:02.32,Default,,0000,0000,0000,,set uh so if you're interested Dialogue: 0,0:14:02.32,0:14:04.40,Default,,0000,0000,0000,,definitely check it out uh link Dialogue: 0,0:14:04.40,0:14:07.72,Default,,0000,0000,0000,,documentation has details there um data Dialogue: 0,0:14:07.72,0:14:11.12,Default,,0000,0000,0000,,set processing is seen much more often Dialogue: 0,0:14:11.12,0:14:15.00,Default,,0000,0000,0000,,uh and you do have uh some conditional Dialogue: 0,0:14:15.00,0:14:18.68,Default,,0000,0000,0000,,uh scenarios where commands can act as Dialogue: 0,0:14:18.68,0:14:21.76,Default,,0000,0000,0000,,data set processing so the uh Dialogue: 0,0:14:21.76,0:14:23.96,Default,,0000,0000,0000,,distinction for data set processing is Dialogue: 0,0:14:23.96,0:14:26.36,Default,,0000,0000,0000,,going to be that you are operating in Dialogue: 
0,0:14:26.36,0:14:29.80,Default,,0000,0000,0000,,bulk on a single completed data set at Dialogue: 0,0:14:29.80,0:14:32.24,Default,,0000,0000,0000,,one time so we'll we'll look at an Dialogue: 0,0:14:32.24,0:14:33.92,Default,,0000,0000,0000,,example of Dialogue: 0,0:14:33.92,0:14:36.60,Default,,0000,0000,0000,,that I want to Pivot back to our main Dialogue: 0,0:14:36.60,0:14:38.36,Default,,0000,0000,0000,,three that we're going to be focusing on Dialogue: 0,0:14:38.36,0:14:39.84,Default,,0000,0000,0000,,and I have mentioned some of these Dialogue: 0,0:14:39.84,0:14:43.80,Default,,0000,0000,0000,,examples already uh the eval functions Dialogue: 0,0:14:43.80,0:14:45.88,Default,,0000,0000,0000,,that we've been talking about so far are Dialogue: 0,0:14:45.88,0:14:47.92,Default,,0000,0000,0000,,perfect examples of our streaming Dialogue: 0,0:14:47.92,0:14:51.44,Default,,0000,0000,0000,,commands uh so where we are creating new Dialogue: 0,0:14:51.44,0:14:55.60,Default,,0000,0000,0000,,fields for each entry or log event uh Dialogue: 0,0:14:55.60,0:14:59.40,Default,,0000,0000,0000,,where we are modifying values for all of Dialogue: 0,0:14:59.40,0:15:01.92,Default,,0000,0000,0000,,the results that are available uh that Dialogue: 0,0:15:01.92,0:15:05.28,Default,,0000,0000,0000,,is where we are streaming um with the Dialogue: 0,0:15:05.28,0:15:08.56,Default,,0000,0000,0000,,search functions input lookup is Dialogue: 0,0:15:08.56,0:15:09.96,Default,,0000,0000,0000,,possibly one of the most common Dialogue: 0,0:15:09.96,0:15:12.40,Default,,0000,0000,0000,,generating commands that I see uh Dialogue: 0,0:15:12.40,0:15:15.20,Default,,0000,0000,0000,,because someone is intending to uh Dialogue: 0,0:15:15.20,0:15:18.72,Default,,0000,0000,0000,,Source a data set stored in a CSV file Dialogue: 0,0:15:18.72,0:15:21.48,Default,,0000,0000,0000,,or a KV store collection uh and you're Dialogue: 0,0:15:21.48,0:15:23.72,Default,,0000,0000,0000,,able to bring that back as a report and 
Dialogue: 0,0:15:23.72,0:15:26.96,Default,,0000,0000,0000,,use that logic uh in your
Dialogue: 0,0:15:26.96,0:15:29.64,Default,,0000,0000,0000,,queries so that is
Dialogue: 0,0:15:29.64,0:15:33.40,Default,,0000,0000,0000,,uh not requiring the index data uh or
Dialogue: 0,0:15:33.40,0:15:35.56,Default,,0000,0000,0000,,any index data to actually return the
Dialogue: 0,0:15:35.56,0:15:38.12,Default,,0000,0000,0000,,results that you want to
Dialogue: 0,0:15:38.12,0:15:41.32,Default,,0000,0000,0000,,see and we've talked about stats very
Dialogue: 0,0:15:41.32,0:15:43.60,Default,,0000,0000,0000,,generally speaking uh with a lot of
Dialogue: 0,0:15:43.60,0:15:46.44,Default,,0000,0000,0000,,unique functions you can apply there uh
Dialogue: 0,0:15:46.44,0:15:49.56,Default,,0000,0000,0000,,where this is going to provide a tabular
Dialogue: 0,0:15:49.56,0:15:53.56,Default,,0000,0000,0000,,output uh and is serving that purpose of
Dialogue: 0,0:15:53.56,0:15:54.80,Default,,0000,0000,0000,,summarization so we're really
Dialogue: 0,0:15:54.80,0:15:57.56,Default,,0000,0000,0000,,reformatting the data uh into that
Dialogue: 0,0:15:57.56,0:16:00.92,Default,,0000,0000,0000,,tabular report
Dialogue: 0,0:16:02.00,0:16:06.52,Default,,0000,0000,0000,,so we see in this example search here uh
Dialogue: 0,0:16:06.52,0:16:09.00,Default,,0000,0000,0000,,that we are often combining these
Dialogue: 0,0:16:09.00,0:16:12.36,Default,,0000,0000,0000,,different types of search operations so
Dialogue: 0,0:16:12.36,0:16:15.24,Default,,0000,0000,0000,,in this example that we have uh I have
Dialogue: 0,0:16:15.24,0:16:19.32,Default,,0000,0000,0000,,data that already exists in a CSV file
Dialogue: 0,0:16:19.32,0:16:22.84,Default,,0000,0000,0000,,we are applying a streaming command here
Dialogue: 0,0:16:22.84,0:16:26.00,Default,,0000,0000,0000,,uh where evaluating each line to see if
Dialogue: 0,0:16:26.00,0:16:28.40,Default,,0000,0000,0000,,we match a condition and then returning
Dialogue: 0,0:16:28.40,0:16:29.64,Default,,0000,0000,0000,,the results
Dialogue: 0,0:16:29.64,0:16:32.24,Default,,0000,0000,0000,,based on that evaluation and then we're
Dialogue: 0,0:16:32.24,0:16:34.20,Default,,0000,0000,0000,,applying a transforming command at the
Dialogue: 0,0:16:34.20,0:16:36.64,Default,,0000,0000,0000,,end which is that stats summarization
Dialogue: 0,0:16:36.64,0:16:40.48,Default,,0000,0000,0000,,getting the maximum values uh for the uh
Dialogue: 0,0:16:40.48,0:16:44.32,Default,,0000,0000,0000,,count of errors and the host that is
Dialogue: 0,0:16:44.32,0:16:47.60,Default,,0000,0000,0000,,associated with that so let's pivot over
Dialogue: 0,0:16:47.60,0:16:52.08,Default,,0000,0000,0000,,to Splunk and we'll take a look at that
Dialogue: 0,0:16:54.16,0:16:56.32,Default,,0000,0000,0000,,example so I'm just going to grab my
Dialogue: 0,0:16:56.32,0:16:59.44,Default,,0000,0000,0000,,search here and I pre-commented out
Dialogue: 0,0:16:59.44,0:17:03.52,Default,,0000,0000,0000,,uh the specific uh lines following input
Dialogue: 0,0:17:03.52,0:17:06.08,Default,,0000,0000,0000,,lookup just to see that this generating
Dialogue: 0,0:17:06.08,0:17:07.80,Default,,0000,0000,0000,,command here is not looking for any
Dialogue: 0,0:17:07.80,0:17:10.16,Default,,0000,0000,0000,,specific index data uh we're pulling
Dialogue: 0,0:17:10.16,0:17:13.24,Default,,0000,0000,0000,,directly the results that I have in a
Dialogue: 0,0:17:13.24,0:17:17.72,Default,,0000,0000,0000,,CSV file uh here into this output and so
Dialogue: 0,0:17:17.72,0:17:20.52,Default,,0000,0000,0000,,we have a count of errors observed
Dialogue: 0,0:17:20.52,0:17:25.44,Default,,0000,0000,0000,,across multiple hosts our where command
Dialogue: 0,0:17:25.44,0:17:28.52,Default,,0000,0000,0000,,uh you might think is reformatting data
Dialogue: 0,0:17:28.52,0:17:31.00,Default,,0000,0000,0000,,in this sense it it is transforming the
Dialogue: 0,0:17:31.00,0:17:34.16,Default,,0000,0000,0000,,results but the evaluation of a where
Dialogue: 0,0:17:34.16,0:17:37.32,Default,,0000,0000,0000,,function does apply effectively to every
Dialogue: 0,0:17:37.32,0:17:41.76,Default,,0000,0000,0000,,event that is returned uh so it is uh a
Dialogue: 0,0:17:41.76,0:17:43.96,Default,,0000,0000,0000,,streaming command that is going to
Dialogue: 0,0:17:43.96,0:17:46.56,Default,,0000,0000,0000,,filter down our result set based on our
Dialogue: 0,0:17:46.56,0:17:49.12,Default,,0000,0000,0000,,condition that the error count is less
Dialogue: 0,0:17:49.12,0:17:50.92,Default,,0000,0000,0000,,than
Dialogue: 0,0:17:50.92,0:17:54.76,Default,,0000,0000,0000,,200 so the following line is our
Dialogue: 0,0:17:54.76,0:17:57.32,Default,,0000,0000,0000,,transforming command where we have two
Dialogue: 0,0:17:57.32,0:18:02.24,Default,,0000,0000,0000,,results left uh 187 for host 3 we want
Dialogue: 0,0:18:02.24,0:18:06.04,Default,,0000,0000,0000,,to see our maximum values here of 187 on
Dialogue: 0,0:18:06.04,0:18:09.96,Default,,0000,0000,0000,,host 3 so our scenario here has really
Dialogue: 0,0:18:09.96,0:18:13.40,Default,,0000,0000,0000,,uh covered where you may have uh hosts
Dialogue: 0,0:18:13.40,0:18:15.96,Default,,0000,0000,0000,,that are trending toward a negative
Dialogue: 0,0:18:15.96,0:18:19.28,Default,,0000,0000,0000,,state you're aware that uh the second
Dialogue: 0,0:18:19.28,0:18:22.04,Default,,0000,0000,0000,,host had already exceeded its uh
Dialogue: 0,0:18:22.04,0:18:25.36,Default,,0000,0000,0000,,threshold value for errors but host 3
Dialogue: 0,0:18:25.36,0:18:27.44,Default,,0000,0000,0000,,also appears to be trending toward this
Dialogue: 0,0:18:27.44,0:18:30.16,Default,,0000,0000,0000,,threshold uh so being able to combine
Dialogue: 0,0:18:30.16,0:18:33.00,Default,,0000,0000,0000,,these types of commands uh understand
Dialogue: 0,0:18:33.00,0:18:35.24,Default,,0000,0000,0000,,the logical condition that you're
Dialogue: 0,0:18:35.24,0:18:37.68,Default,,0000,0000,0000,,searching for uh and then also providing
Dialogue: 0,0:18:37.68,0:18:40.84,Default,,0000,0000,0000,,that consumable output uh so combining
Dialogue: 0,0:18:40.84,0:18:44.48,Default,,0000,0000,0000,,all three of our types of commands
Dialogue: 0,0:18:45.32,0:18:49.44,Default,,0000,0000,0000,,here so uh I'm going to jump to an SPL
Dialogue: 0,0:18:49.44,0:18:53.16,Default,,0000,0000,0000,,demo and as I go through these different
Dialogue: 0,0:18:53.16,0:18:55.84,Default,,0000,0000,0000,,commands uh I'm going to be referencing
Dialogue: 0,0:18:55.84,0:18:58.36,Default,,0000,0000,0000,,back to the different command types that
Dialogue: 0,0:18:58.36,0:19:00.08,Default,,0000,0000,0000,,we're working with I'm going to
Dialogue: 0,0:19:00.08,0:19:02.36,Default,,0000,0000,0000,,introduce in a lot of these searches uh
Dialogue: 0,0:19:02.36,0:19:04.68,Default,,0000,0000,0000,,a lot of small commands uh that I won't
Dialogue: 0,0:19:04.68,0:19:07.00,Default,,0000,0000,0000,,talk about in great detail and that
Dialogue: 0,0:19:07.00,0:19:09.36,Default,,0000,0000,0000,,really is the purpose of using your
Dialogue: 0,0:19:09.36,0:19:11.64,Default,,0000,0000,0000,,search manual uh using your search
Dialogue: 0,0:19:11.64,0:19:14.76,Default,,0000,0000,0000,,reference documentation uh so I will
Dialogue: 0,0:19:14.76,0:19:17.40,Default,,0000,0000,0000,,glance over the use case uh talk about
Dialogue: 0,0:19:17.40,0:19:19.56,Default,,0000,0000,0000,,how it's meant to be applied and then
Dialogue: 0,0:19:19.56,0:19:22.20,Default,,0000,0000,0000,,using in your own scenarios uh where you
Dialogue: 0,0:19:22.20,0:19:24.40,Default,,0000,0000,0000,,have a problem you need to solve uh
Dialogue: 0,0:19:24.40,0:19:26.88,Default,,0000,0000,0000,,referencing the docs to find out where
Dialogue: 0,0:19:26.88,0:19:29.96,Default,,0000,0000,0000,,you can apply uh similar functions to
Dialogue: 0,0:19:29.96,0:19:32.56,Default,,0000,0000,0000,,what we observe in the the demonstration
Dialogue: 0,0:19:32.56,0:19:36.76,Default,,0000,0000,0000,,here so the first command I'm going to
Dialogue: 0,0:19:36.76,0:19:40.88,Default,,0000,0000,0000,,focus on is the rex command so rex is a
Dialogue: 0,0:19:40.88,0:19:43.48,Default,,0000,0000,0000,,streaming command that you often see
Dialogue: 0,0:19:43.48,0:19:46.56,Default,,0000,0000,0000,,applied to data sets that do not fully
Dialogue: 0,0:19:46.56,0:19:49.72,Default,,0000,0000,0000,,have data extracted in the format that
Dialogue: 0,0:19:49.72,0:19:53.16,Default,,0000,0000,0000,,you want to be using um in your
Dialogue: 0,0:19:53.16,0:19:56.76,Default,,0000,0000,0000,,reporting or in your logic uh and so
Dialogue: 0,0:19:56.76,0:20:00.12,Default,,0000,0000,0000,,this could very well be handled actually
Dialogue: 0,0:20:00.12,0:20:03.44,Default,,0000,0000,0000,,in the uh configuration of props and
Dialogue: 0,0:20:03.44,0:20:06.08,Default,,0000,0000,0000,,transforms and extracting fields at the
Dialogue: 0,0:20:06.08,0:20:08.48,Default,,0000,0000,0000,,right times and indexing data but as
Dialogue: 0,0:20:08.48,0:20:10.28,Default,,0000,0000,0000,,you're bringing new data sources you need
Dialogue: 0,0:20:10.28,0:20:12.48,Default,,0000,0000,0000,,to understand what's available for use
Dialogue: 0,0:20:12.48,0:20:14.36,Default,,0000,0000,0000,,in Splunk a lot of times you'll find
Dialogue: 0,0:20:14.36,0:20:16.84,Default,,0000,0000,0000,,yourself needing to extract new fields
Dialogue: 0,0:20:16.84,0:20:19.20,Default,,0000,0000,0000,,inline in your searches uh and be able
Dialogue: 0,0:20:19.20,0:20:22.08,Default,,0000,0000,0000,,to use those in your search logic rex
Dialogue: 0,0:20:22.08,0:20:28.04,Default,,0000,0000,0000,,also has uh a sed mode that I also see
Dialogue: 0,0:20:28.04,0:20:31.60,Default,,0000,0000,0000,,testing done for masking of data inline
Dialogue: 0,0:20:31.60,0:20:34.08,Default,,0000,0000,0000,,prior to actually putting that into
Dialogue: 0,0:20:34.08,0:20:35.12,Default,,0000,0000,0000,,indexing
Dialogue: 0,0:20:35.12,0:20:38.00,Default,,0000,0000,0000,,configurations um so rex you would
Dialogue: 0,0:20:38.00,0:20:41.20,Default,,0000,0000,0000,,generally see used um when you don't
Dialogue: 0,0:20:41.20,0:20:43.04,Default,,0000,0000,0000,,have those fields available you need to
Dialogue: 0,0:20:43.04,0:20:45.64,Default,,0000,0000,0000,,use them at that time uh and then we're
Dialogue: 0,0:20:45.64,0:20:47.12,Default,,0000,0000,0000,,going to take a look at an example of
Dialogue: 0,0:20:47.12,0:20:49.64,Default,,0000,0000,0000,,masking data as well uh to test your
Dialogue: 0,0:20:49.64,0:20:53.48,Default,,0000,0000,0000,,syntax for a sed style replace uh in
Dialogue: 0,0:20:53.48,0:21:00.60,Default,,0000,0000,0000,,config files so we will jump back over
Dialogue: 0,0:21:04.68,0:21:06.88,Default,,0000,0000,0000,,so I'm going to start with a search on
Dialogue: 0,0:21:06.88,0:21:10.12,Default,,0000,0000,0000,,an index sourcetype uh my tutorial data
Dialogue: 0,0:21:10.12,0:21:13.16,Default,,0000,0000,0000,,and then this is actual uh Linux secure
Dialogue: 0,0:21:13.16,0:21:16.16,Default,,0000,0000,0000,,logging uh so these are going to be OS
Dialogue: 0,0:21:16.16,0:21:19.04,Default,,0000,0000,0000,,security logs and we're looking at all
Dialogue: 0,0:21:19.04,0:21:21.04,Default,,0000,0000,0000,,of our web hosts uh that we've been
Dialogue: 0,0:21:21.04,0:21:22.44,Default,,0000,0000,0000,,focusing on
Dialogue: 0,0:21:22.44,0:21:25.00,Default,,0000,0000,0000,,previously in our events you can see
Dialogue: 0,0:21:25.00,0:21:29.04,Default,,0000,0000,0000,,that we have uh first here uh an event that
Dialogue: 0,0:21:29.04,0:21:31.72,Default,,0000,0000,0000,,has failed password for invalid user in
Dialogue: 0,0:21:31.72,0:21:34.32,Default,,0000,0000,0000,,that we're provided a source IP a source
Dialogue: 0,0:21:34.32,0:21:36.56,Default,,0000,0000,0000,,port and we go to see the fields that
Dialogue: 0,0:21:36.56,0:21:38.92,Default,,0000,0000,0000,,are extracted and that's that's not
Dialogue: 0,0:21:38.92,0:21:41.92,Default,,0000,0000,0000,,being done for us automatically so just
Dialogue: 0,0:21:41.92,0:21:43.88,Default,,0000,0000,0000,,to start testing our logic to see if we
Dialogue: 0,0:21:43.88,0:21:46.80,Default,,0000,0000,0000,,can get uh the results we want to see
Dialogue: 0,0:21:46.80,0:21:49.76,Default,,0000,0000,0000,,we're going to use the rex command and
Dialogue: 0,0:21:49.76,0:21:53.24,Default,,0000,0000,0000,,in doing so we are applying this
Dialogue: 0,0:21:53.24,0:21:55.44,Default,,0000,0000,0000,,operation across every event again a
Dialogue: 0,0:21:55.44,0:21:59.60,Default,,0000,0000,0000,,streaming command we are looking at the
Dialogue: 0,0:21:59.60,0:22:01.28,Default,,0000,0000,0000,,_raw field so we're actually looking at
Dialogue: 0,0:22:01.28,0:22:04.68,Default,,0000,0000,0000,,the raw text of each of these log events
Dialogue: 0,0:22:04.68,0:22:07.48,Default,,0000,0000,0000,,and then the rex syntax is simply to
Dialogue: 0,0:22:07.48,0:22:11.96,Default,,0000,0000,0000,,provide in double quotes uh a regex uh
Dialogue: 0,0:22:11.96,0:22:14.84,Default,,0000,0000,0000,,match and we're using named groups for
Dialogue: 0,0:22:14.84,0:22:17.44,Default,,0000,0000,0000,,field extractions so for every single
Dialogue: 0,0:22:17.44,0:22:19.44,Default,,0000,0000,0000,,event that we see failed password for
Dialogue: 0,0:22:19.44,0:22:22.92,Default,,0000,0000,0000,,invalid user we are actually extracting
Dialogue: 0,0:22:22.92,0:22:26.40,Default,,0000,0000,0000,,a user field the source IP field and the
Dialogue: 0,0:22:26.40,0:22:28.80,Default,,0000,0000,0000,,source port field for the sake of
Dialogue: 0,0:22:28.80,0:22:30.88,Default,,0000,0000,0000,,simplicity I tried to keep the regex simple
Dialogue: 0,0:22:30.88,0:22:33.76,Default,,0000,0000,0000,,you can make this as complex as you need
Dialogue: 0,0:22:33.76,0:22:37.68,Default,,0000,0000,0000,,to for your needs for your data uh and
Dialogue: 0,0:22:37.68,0:22:40.96,Default,,0000,0000,0000,,so in our extracted fields uh I've
Dialogue: 0,0:22:40.96,0:22:42.84,Default,,0000,0000,0000,,actually pre-selected these so we can
Dialogue: 0,0:22:42.84,0:22:46.24,Default,,0000,0000,0000,,see our user is now available and this
Dialogue: 0,0:22:46.24,0:22:50.04,Default,,0000,0000,0000,,applies to the events where the rex was
Dialogue: 0,0:22:50.04,0:22:53.16,Default,,0000,0000,0000,,actually valid and matching on the uh
Dialogue: 0,0:22:53.16,0:22:57.44,Default,,0000,0000,0000,,failed password for invalid user etc
Dialogue: 0,0:22:57.44,0:23:00.12,Default,,0000,0000,0000,,string so now that we have our fields
Dialogue: 0,0:23:00.12,0:23:03.80,Default,,0000,0000,0000,,extracted we can actually use these and
Dialogue: 0,0:23:03.80,0:23:04.80,Default,,0000,0000,0000,,we want
Dialogue: 0,0:23:04.80,0:23:09.40,Default,,0000,0000,0000,,to do a stats count as failed login so
Dialogue: 0,0:23:09.40,0:23:13.40,Default,,0000,0000,0000,,anytime you see uh a an operation as and
Dialogue: 0,0:23:13.40,0:23:16.64,Default,,0000,0000,0000,,then a unique name just a rename uh
Dialogue: 0,0:23:16.64,0:23:19.08,Default,,0000,0000,0000,,through the transformation function
Dialogue: 0,0:23:19.08,0:23:21.48,Default,,0000,0000,0000,,easier way to uh actually keep
Dialogue: 0,0:23:21.48,0:23:23.48,Default,,0000,0000,0000,,consistency uh with referencing your
Dialogue: 0,0:23:23.48,0:23:26.76,Default,,0000,0000,0000,,fields as well as not have to rename
Dialogue: 0,0:23:26.76,0:23:29.92,Default,,0000,0000,0000,,later on uh with some additional in this
Dialogue: 0,0:23:29.92,0:23:31.68,Default,,0000,0000,0000,,case you'd have to reference the name
Dialogue: 0,0:23:31.68,0:23:34.52,Default,,0000,0000,0000,,distinct count uh so just a way to keep
Dialogue: 0,0:23:34.52,0:23:38.32,Default,,0000,0000,0000,,things clean and easy to use in further
Dialogue: 0,0:23:38.32,0:23:42.16,Default,,0000,0000,0000,,uh lines of SPL so we are counting our
Dialogue: 0,0:23:42.16,0:23:43.92,Default,,0000,0000,0000,,failed logins we're looking at the
Dialogue: 0,0:23:43.92,0:23:47.84,Default,,0000,0000,0000,,distinct count of the source IP values
Dialogue: 0,0:23:47.84,0:23:50.00,Default,,0000,0000,0000,,that we have and then we're splitting
Dialogue: 0,0:23:50.00,0:23:52.96,Default,,0000,0000,0000,,that by the host and the user so you can
Dialogue: 0,0:23:52.96,0:23:55.72,Default,,0000,0000,0000,,see here uh this tutorial data is
Dialogue: 0,0:23:55.72,0:23:57.88,Default,,0000,0000,0000,,actually pretty flat across most of the
Dialogue: 0,0:23:57.88,0:24:00.12,Default,,0000,0000,0000,,sources so we're not going to have uh
Dialogue: 0,0:24:00.12,0:24:04.68,Default,,0000,0000,0000,,any outliers or spikes in our stats here
Dialogue: 0,0:24:04.68,0:24:07.96,Default,,0000,0000,0000,,but you can see the resulting
Dialogue: 0,0:24:08.96,0:24:11.44,Default,,0000,0000,0000,,presentation in line four we do have a
Dialogue: 0,0:24:11.44,0:24:14.84,Default,,0000,0000,0000,,sort command and this is an example of a
Dialogue: 0,0:24:14.84,0:24:17.52,Default,,0000,0000,0000,,data set processing command where we are
Dialogue: 0,0:24:17.52,0:24:20.40,Default,,0000,0000,0000,,actually evaluating a full completed
Dialogue: 0,0:24:20.40,0:24:23.64,Default,,0000,0000,0000,,data set and reordering it uh given the
Dialogue: 0,0:24:23.64,0:24:26.00,Default,,0000,0000,0000,,logic here we want to descend on these
Dialogue: 0,0:24:26.00,0:24:29.00,Default,,0000,0000,0000,,numeric values uh so keep in mind as you're
Dialogue: 0,0:24:29.00,0:24:31.20,Default,,0000,0000,0000,,operating on different fields it's going
Dialogue: 0,0:24:31.20,0:24:33.80,Default,,0000,0000,0000,,to be the same sort of either basic
Dialogue: 0,0:24:33.80,0:24:37.16,Default,,0000,0000,0000,,numeric or the lexicographical ordering
Dialogue: 0,0:24:37.16,0:24:40.36,Default,,0000,0000,0000,,that you typically see in
Dialogue: 0,0:24:40.84,0:24:45.72,Default,,0000,0000,0000,,Splunk so we do have a second example uh
Dialogue: 0,0:24:45.72,0:24:49.20,Default,,0000,0000,0000,,with the sed style
Dialogue: 0,0:24:54.24,0:24:58.64,Default,,0000,0000,0000,,replace so you can see in my events here
Dialogue: 0,0:24:58.64,0:25:01.64,Default,,0000,0000,0000,,uh we are searching the tutorial and
Dialogue: 0,0:25:01.64,0:25:05.04,Default,,0000,0000,0000,,vendor sales index and sourcetype and
Dialogue: 0,0:25:05.04,0:25:06.72,Default,,0000,0000,0000,,I've gone ahead and applied one
Dialogue: 0,0:25:06.72,0:25:09.40,Default,,0000,0000,0000,,operation and this is going to be a
Dialogue: 0,0:25:09.40,0:25:11.88,Default,,0000,0000,0000,,helpful operation to understand really
Dialogue: 0,0:25:11.88,0:25:14.68,Default,,0000,0000,0000,,what we are replacing and how to get
Dialogue: 0,0:25:14.68,0:25:18.16,Default,,0000,0000,0000,,consistent operation on these fields uh
Dialogue: 0,0:25:18.16,0:25:20.28,Default,,0000,0000,0000,,so in this case we are actually creating
Dialogue: 0,0:25:20.28,0:25:23.56,Default,,0000,0000,0000,,an ID length field where we are going to
Dialogue: 0,0:25:23.56,0:25:26.96,Default,,0000,0000,0000,,choose to mask the value of account ID
Dialogue: 0,0:25:26.96,0:25:29.12,Default,,0000,0000,0000,,in our rex command we want to know that
Dialogue: 0,0:25:29.12,0:25:31.68,Default,,0000,0000,0000,,that's a consistent number of characters
Dialogue: 0,0:25:31.68,0:25:33.80,Default,,0000,0000,0000,,uh through all of our data it's very
Dialogue: 0,0:25:33.80,0:25:37.08,Default,,0000,0000,0000,,simple to spot check uh but just to be
Dialogue: 0,0:25:37.08,0:25:39.44,Default,,0000,0000,0000,,certain we want to apply this to all of
Dialogue: 0,0:25:39.44,0:25:42.76,Default,,0000,0000,0000,,our data in this case streaming command
Dialogue: 0,0:25:42.76,0:25:45.52,Default,,0000,0000,0000,,uh through this eval uh we
Dialogue: 0,0:25:45.52,0:25:49.28,Default,,0000,0000,0000,,are uh changing the type of the data
Dialogue: 0,0:25:49.28,0:25:51.92,Default,,0000,0000,0000,,because account ID is actually numeric
Dialogue: 0,0:25:51.92,0:25:53.72,Default,,0000,0000,0000,,we're making that a string value so that
Dialogue: 0,0:25:53.72,0:25:56.72,Default,,0000,0000,0000,,we can look at the length these are
Dialogue: 0,0:25:56.72,0:25:58.84,Default,,0000,0000,0000,,common functions in any programming
Dialogue: 0,0:25:58.84,0:26:01.56,Default,,0000,0000,0000,,languages uh and so the syntax here in
Dialogue: 0,0:26:01.56,0:26:04.04,Default,,0000,0000,0000,,SPL is quite simple uh just to be able
Dialogue: 0,0:26:04.04,0:26:06.52,Default,,0000,0000,0000,,to get that contextual feel we
Dialogue: 0,0:26:06.52,0:26:09.40,Default,,0000,0000,0000,,understand we have 16 characters for
Dialogue: 0,0:26:09.40,0:26:12.48,Default,,0000,0000,0000,,100% of our events in the account
Dialogue: 0,0:26:12.48,0:26:17.00,Default,,0000,0000,0000,,IDs so actually applying our rex command
Dialogue: 0,0:26:17.00,0:26:20.76,Default,,0000,0000,0000,,we are going to now specify a unique
Dialogue: 0,0:26:20.76,0:26:23.92,Default,,0000,0000,0000,,field not just _raw uh we are
Dialogue: 0,0:26:23.92,0:26:27.16,Default,,0000,0000,0000,,applying the sed mode and this is a
Dialogue: 0,0:26:27.16,0:26:30.80,Default,,0000,0000,0000,,sed syntax uh replacement uh looking
Dialogue: 0,0:26:30.80,0:26:33.56,Default,,0000,0000,0000,,for the uh it's a capture group for the
Dialogue: 0,0:26:33.56,0:26:35.88,Default,,0000,0000,0000,,first 12 digits uh and then we're
Dialogue: 0,0:26:35.88,0:26:39.24,Default,,0000,0000,0000,,replacing that with a series of 12 X's
Dialogue: 0,0:26:39.24,0:26:42.04,Default,,0000,0000,0000,,so you can see in our first event the
Dialogue: 0,0:26:42.04,0:26:45.32,Default,,0000,0000,0000,,account ID is now masked we only have uh
Dialogue: 0,0:26:45.32,0:26:48.52,Default,,0000,0000,0000,,the remaining four digits to be able to
Dialogue: 0,0:26:48.52,0:26:52.32,Default,,0000,0000,0000,,identify that and so if our data was
Dialogue: 0,0:26:52.32,0:26:55.36,Default,,0000,0000,0000,,indexed and is appropriately done so uh
Dialogue: 0,0:26:55.36,0:26:58.04,Default,,0000,0000,0000,,in Splunk with the full account IDs but
Dialogue: 0,0:26:58.04,0:27:00.36,Default,,0000,0000,0000,,for for the sake of reporting we want to
Dialogue: 0,0:27:00.36,0:27:04.84,Default,,0000,0000,0000,,be able to mask that um for the audience
Dialogue: 0,0:27:04.84,0:27:07.80,Default,,0000,0000,0000,,then we're able to use the the sed
Dialogue: 0,0:27:07.80,0:27:11.92,Default,,0000,0000,0000,,replace and then to finalize a report
Dialogue: 0,0:27:11.92,0:27:13.88,Default,,0000,0000,0000,,this is just an example of the top
Dialogue: 0,0:27:13.88,0:27:16.40,Default,,0000,0000,0000,,command which does a few operations
Dialogue: 0,0:27:16.40,0:27:18.12,Default,,0000,0000,0000,,together uh and makes for a good
Dialogue: 0,0:27:18.12,0:27:20.72,Default,,0000,0000,0000,,shorthand report uh taking all the
Dialogue: 0,0:27:20.72,0:27:24.08,Default,,0000,0000,0000,,unique values of the provided field uh
Dialogue: 0,0:27:24.08,0:27:26.48,Default,,0000,0000,0000,,giving you a count of those values and
Dialogue: 0,0:27:26.48,0:27:29.00,Default,,0000,0000,0000,,then showing the percentage
Dialogue: 0,0:27:29.00,0:27:31.68,Default,,0000,0000,0000,,of the makeup for the total data set
Dialogue: 0,0:27:31.68,0:27:34.52,Default,,0000,0000,0000,,that that unique value accounts for so
Dialogue: 0,0:27:34.52,0:27:37.40,Default,,0000,0000,0000,,again pretty flat in this tutorial data
Dialogue: 0,0:27:37.40,0:27:40.20,Default,,0000,0000,0000,,in seeing a very consistent
Dialogue: 0,0:27:40.20,0:27:45.16,Default,,0000,0000,0000,,.3% uh across these different account
Dialogue: 0,0:27:46.68,0:27:51.08,Default,,0000,0000,0000,,IDs so we have looked at a few examples
Dialogue: 0,0:27:51.08,0:27:54.64,Default,,0000,0000,0000,,with the rex command uh and that is
Dialogue: 0,0:27:54.64,0:27:57.04,Default,,0000,0000,0000,,again streaming we're going to look at
Dialogue: 0,0:27:57.04,0:27:59.12,Default,,0000,0000,0000,,another streaming command
Dialogue: 0,0:27:59.12,0:28:02.40,Default,,0000,0000,0000,,uh which is going to be a set of
Dialogue: 0,0:28:02.40,0:28:07.20,Default,,0000,0000,0000,,multivalue eval functions and so again
Dialogue: 0,0:28:07.20,0:28:09.56,Default,,0000,0000,0000,,if you're to have a bookmark for search
Dialogue: 0,0:28:09.56,0:28:12.32,Default,,0000,0000,0000,,documentation multivalue eval functions
Dialogue: 0,0:28:12.32,0:28:14.56,Default,,0000,0000,0000,,are a great one to have uh because when
Dialogue: 0,0:28:14.56,0:28:17.24,Default,,0000,0000,0000,,you encounter these uh it really takes
Dialogue: 0,0:28:17.24,0:28:19.96,Default,,0000,0000,0000,,some time to figure out how to actually
Dialogue: 0,0:28:19.96,0:28:25.96,Default,,0000,0000,0000,,operate on data um and so the uh
Dialogue: 0,0:28:25.96,0:28:29.56,Default,,0000,0000,0000,,multivalue functions are um really just
Dialogue: 0,0:28:29.56,0:28:31.80,Default,,0000,0000,0000,,a collection that depending on your use
Dialogue: 0,0:28:31.80,0:28:34.68,Default,,0000,0000,0000,,case uh you're able to determine the the
Dialogue: 0,0:28:34.68,0:28:39.08,Default,,0000,0000,0000,,best to apply um you see it often used
Dialogue: 0,0:28:39.08,0:28:42.84,Default,,0000,0000,0000,,with uh JSON and XML so data formats
Dialogue: 0,0:28:42.84,0:28:44.88,Default,,0000,0000,0000,,that are actually naturally going to
Dialogue: 0,0:28:44.88,0:28:47.36,Default,,0000,0000,0000,,provide uh a multivalue field where you
Dialogue: 0,0:28:47.36,0:28:50.48,Default,,0000,0000,0000,,have repeated tags or keys uh across
Dialogue: 0,0:28:50.48,0:28:54.32,Default,,0000,0000,0000,,unique uh events as they're extracted uh
Dialogue: 0,0:28:54.32,0:28:56.36,Default,,0000,0000,0000,,and you often see a lot of times in
Dialogue: 0,0:28:56.36,0:28:58.48,Default,,0000,0000,0000,,Windows event logs you actually have
Dialogue: 0,0:28:58.48,0:29:01.36,Default,,0000,0000,0000,,repeated key values uh where your values
Dialogue: 0,0:29:01.36,0:29:02.96,Default,,0000,0000,0000,,are different and the position in the
Dialogue: 0,0:29:02.96,0:29:05.20,Default,,0000,0000,0000,,event is actually specific to a
Dialogue: 0,0:29:05.20,0:29:08.84,Default,,0000,0000,0000,,condition uh so you may have um a need
Dialogue: 0,0:29:08.84,0:29:11.44,Default,,0000,0000,0000,,for extraction or interaction with one
Dialogue: 0,0:29:11.44,0:29:14.40,Default,,0000,0000,0000,,of those unique values uh to actually
Dialogue: 0,0:29:14.40,0:29:18.60,Default,,0000,0000,0000,,get a reasonable outcome from your
Dialogue: 0,0:29:18.60,0:29:22.80,Default,,0000,0000,0000,,data and so um we're going to use
Dialogue: 0,0:29:22.80,0:29:25.96,Default,,0000,0000,0000,,multivalue eval functions uh when we
Dialogue: 0,0:29:25.96,0:29:28.68,Default,,0000,0000,0000,,have a uh change we want to the
Dialogue: 0,0:29:28.68,0:29:31.88,Default,,0000,0000,0000,,presentation of data uh and we're able
Dialogue: 0,0:29:31.88,0:29:34.88,Default,,0000,0000,0000,,to do so with multivalue fields this I
Dialogue: 0,0:29:34.88,0:29:36.72,Default,,0000,0000,0000,,would say often occurs when you have
Dialogue: 0,0:29:36.72,0:29:39.96,Default,,0000,0000,0000,,multivalue data uh and then you want to
Dialogue: 0,0:29:39.96,0:29:43.08,Default,,0000,0000,0000,,be able to change the the format of the
Dialogue: 0,0:29:43.08,0:29:45.64,Default,,0000,0000,0000,,multivalue fields there uh and then
Dialogue: 0,0:29:45.64,0:29:46.96,Default,,0000,0000,0000,,we're also going to look at a quick
Dialogue: 0,0:29:46.96,0:29:51.28,Default,,0000,0000,0000,,example of uh actually using multivalue
Dialogue: 0,0:29:51.28,0:29:54.88,Default,,0000,0000,0000,,evaluation uh as a logical
Dialogue: 0,0:29:54.88,0:30:00.04,Default,,0000,0000,0000,,condition so uh the first
Dialogue: 0,0:30:03.32,0:30:05.68,Default,,0000,0000,0000,,example we're going to start with a
Dialogue: 0,0:30:05.68,0:30:08.72,Default,,0000,0000,0000,,simple table looking at our web access
Dialogue: 0,0:30:08.72,0:30:11.24,Default,,0000,0000,0000,,logs uh and so we're just going to pull
Dialogue: 0,0:30:11.24,0:30:14.88,Default,,0000,0000,0000,,in our status and referer domain fields
Dialogue: 0,0:30:14.88,0:30:18.44,Default,,0000,0000,0000,,and so you can see uh we've got a uh
Dialogue: 0,0:30:18.44,0:30:23.00,Default,,0000,0000,0000,,HTTP status code uh and we've got uh the
Dialogue: 0,0:30:23.00,0:30:26.12,Default,,0000,0000,0000,,format of a protocol subdomain uh domain
Dialogue: 0,0:30:26.12,0:30:29.52,Default,,0000,0000,0000,,TLD and our scenario here is that for a
Dialogue: 0,0:30:29.52,0:30:31.56,Default,,0000,0000,0000,,simplicity of reporting uh we just want
Dialogue: 0,0:30:31.56,0:30:33.76,Default,,0000,0000,0000,,to work with this referer domain field
Dialogue: 0,0:30:33.76,0:30:38.32,Default,,0000,0000,0000,,and be able to simplify that so in
Dialogue: 0,0:30:38.32,0:30:41.80,Default,,0000,0000,0000,,actually splitting out the field in this
Dialogue: 0,0:30:41.80,0:30:44.88,Default,,0000,0000,0000,,case uh split referer domain and then
Dialogue: 0,0:30:44.88,0:30:47.72,Default,,0000,0000,0000,,choosing the period character as our
Dialogue: 0,0:30:47.72,0:30:50.40,Default,,0000,0000,0000,,point to split the data we're creating a
Dialogue: 0,0:30:50.40,0:30:52.92,Default,,0000,0000,0000,,multivalue uh from what was previously
Dialogue: 0,0:30:52.92,0:30:57.20,Default,,0000,0000,0000,,just a a single value field uh and using
Dialogue: 0,0:30:57.20,0:31:01.60,Default,,0000,0000,0000,,this we can actually create a new field
Dialogue: 0,0:31:01.60,0:31:06.08,Default,,0000,0000,0000,,by using the index of a multivalue field
Dialogue: 0,0:31:06.08,0:31:08.04,Default,,0000,0000,0000,,and in this case uh we're looking at
Dialogue: 0,0:31:08.04,0:31:09.76,Default,,0000,0000,0000,,index
Dialogue: 0,0:31:09.76,0:31:13.28,Default,,0000,0000,0000,,012 the multivalue index function allows
Dialogue: 0,0:31:13.28,0:31:15.80,Default,,0000,0000,0000,,us to target a specific field and then
Dialogue: 0,0:31:15.80,0:31:18.56,Default,,0000,0000,0000,,choose a starting and ending index to
Dialogue: 0,0:31:18.56,0:31:21.32,Default,,0000,0000,0000,,extract given values there are a number
Dialogue: 0,0:31:21.32,0:31:23.32,Default,,0000,0000,0000,,of ways to do this in our case here
Dialogue: 0,0:31:23.32,0:31:25.04,Default,,0000,0000,0000,,where we have three entries it's quite
Dialogue: 0,0:31:25.04,0:31:26.64,Default,,0000,0000,0000,,simple just to give that start and end
Dialogue: 0,0:31:26.64,0:31:28.64,Default,,0000,0000,0000,,of range as the
Dialogue: 0,0:31:28.64,0:31:30.04,Default,,0000,0000,0000,,two entries
Dialogue: 0,0:31:30.04,0:31:35.36,Default,,0000,0000,0000,,apart so as we are working to recreate
Dialogue: 0,0:31:35.36,0:31:39.20,Default,,0000,0000,0000,,our domain and so that is just applying
Dialogue: 0,0:31:39.20,0:31:41.72,Default,,0000,0000,0000,,uh for this new domain field we have
Dialogue: 0,0:31:41.72,0:31:44.20,Default,,0000,0000,0000,,buttercupgames.com and what was
Dialogue: 0,0:31:44.20,0:31:48.20,Default,,0000,0000,0000,,previously the HTTP www.buttercup
Dialogue: 0,0:31:48.20,0:31:51.44,Default,,0000,0000,0000,,games.com uh we can now use those fields
Dialogue: 0,0:31:51.44,0:31:54.72,Default,,0000,0000,0000,,in a transformation function in this
Dialogue: 0,0:31:54.72,0:31:58.04,Default,,0000,0000,0000,,case simple stats count by status uh in
Dialogue: 0,0:31:58.04,0:32:00.20,Default,,0000,0000,0000,,the
Dialogue: 0,0:32:02.60,0:32:06.96,Default,,0000,0000,0000,,domain so I do want to look at another
Dialogue: 0,0:32:06.96,0:32:10.24,Default,,0000,0000,0000,,uh example here that is similar but
Dialogue: 0,0:32:10.24,0:32:13.64,Default,,0000,0000,0000,,we're going to use a multivalue function
Dialogue: 0,0:32:13.64,0:32:16.92,Default,,0000,0000,0000,,to actually test a condition and so I'm
Dialogue: 0,0:32:16.92,0:32:18.40,Default,,0000,0000,0000,,going
Dialogue: 0,0:32:18.40,0:32:21.64,Default,,0000,0000,0000,,to in this case uh be searching the same
Dialogue: 0,0:32:21.64,0:32:24.24,Default,,0000,0000,0000,,data we're going to start with a stats
Dialogue: 0,0:32:24.24,0:32:28.64,Default,,0000,0000,0000,,command and so a stats count as well as
Dialogue: 0,0:32:28.64,0:32:32.04,Default,,0000,0000,0000,,a values of status and so the values
Dialogue: 0,0:32:32.04,0:32:33.36,Default,,0000,0000,0000,,function is going to provide all the
Dialogue: 0,0:32:33.36,0:32:37.48,Default,,0000,0000,0000,,unique values of a given field uh based
Dialogue: 0,0:32:37.48,0:32:41.84,Default,,0000,0000,0000,,on uh the split by and so that produces
Dialogue: 0,0:32:41.84,0:32:44.96,Default,,0000,0000,0000,,a multivalue field here in the case of
Dialogue: 0,0:32:44.96,0:32:47.28,Default,,0000,0000,0000,,status we have quite a few events uh
Dialogue: 0,0:32:47.28,0:32:50.80,Default,,0000,0000,0000,,that have multiple status codes and as
Dialogue: 0,0:32:50.80,0:32:52.96,Default,,0000,0000,0000,,we're interested in pulling those events
Dialogue: 0,0:32:52.96,0:32:57.48,Default,,0000,0000,0000,,out we can use an mvcount function to
Dialogue: 0,0:32:57.48,0:33:01.20,Default,,0000,0000,0000,,evaluate and filter our data set to
Dialogue: 0,0:33:01.20,0:33:04.24,Default,,0000,0000,0000,,those specific events so a very simple
Dialogue: 0,0:33:04.24,0:33:07.20,Default,,0000,0000,0000,,operation here just looking at what has
Dialogue: 0,0:33:07.20,0:33:10.24,Default,,0000,0000,0000,,the uh what has more than a single value
Dialogue: 0,0:33:10.24,0:33:13.40,Default,,0000,0000,0000,,for status uh but very useful as you're
Dialogue: 0,0:33:13.40,0:33:15.92,Default,,0000,0000,0000,,applying this in reporting especially in
Dialogue: 0,0:33:15.92,0:33:19.00,Default,,0000,0000,0000,,combination with others and uh with more
Dialogue: 0,0:33:19.00,0:33:22.64,Default,,0000,0000,0000,,complex conditions
Dialogue: 0,0:33:22.64,0:33:28.20,Default,,0000,0000,0000,,um so uh that is our set of multivalue
Dialogue: 0,0:33:28.20,0:33:32.52,Default,,0000,0000,0000,,eval functions there as streaming
Dialogue: 0,0:33:34.24,0:33:38.28,Default,,0000,0000,0000,,commands so for a uh final section of
Dialogue: 0,0:33:38.28,0:33:42.00,Default,,0000,0000,0000,,the demo I want to talk about a concept
Dialogue: 0,0:33:42.00,0:33:44.72,Default,,0000,0000,0000,,that is not so much a set of functions
Dialogue: 0,0:33:44.72,0:33:47.96,Default,,0000,0000,0000,,uh but really enables uh more complex
Dialogue: 0,0:33:47.96,0:33:50.16,Default,,0000,0000,0000,,and interesting searching and can allow
Dialogue: 0,0:33:50.16,0:33:52.80,Default,,0000,0000,0000,,us to use a few different types of
Dialogue: 0,0:33:52.80,0:33:57.24,Default,,0000,0000,0000,,commands uh in our SPL and so concept of
Dialogue: 0,0:33:57.24,0:34:00.20,Default,,0000,0000,0000,,subsearching for both filtering and
Dialogue: 0,0:34:00.20,0:34:04.28,Default,,0000,0000,0000,,enrichment uh is taking secondary search
Dialogue: 0,0:34:04.28,0:34:06.96,Default,,0000,0000,0000,,results uh and we're using that to
Dialogue: 0,0:34:06.96,0:34:10.36,Default,,0000,0000,0000,,affect a primary search uh so a sub
Dialogue: 0,0:34:10.36,0:34:12.20,Default,,0000,0000,0000,,search will be executed the results
Dialogue: 0,0:34:12.20,0:34:15.08,Default,,0000,0000,0000,,returned and depending on how it's used
Dialogue: 0,0:34:15.08,0:34:17.76,Default,,0000,0000,0000,,uh this is going to be processed in the
Dialogue: 0,0:34:17.76,0:34:21.60,Default,,0000,0000,0000,,original search uh and that is going to
Dialogue: 0,0:34:21.60,0:34:24.36,Default,,0000,0000,0000,,we'll look at an example that it is
Dialogue: 0,0:34:24.36,0:34:27.40,Default,,0000,0000,0000,,filtering so based on the results we get
Dialogue: 0,0:34:27.40,0:34:31.24,Default,,0000,0000,0000,,a effectively a value equals X or value
Dialogue: 0,0:34:31.24,0:34:34.32,Default,,0000,0000,0000,,equals Y uh for one of our fields that
Dialogue: 0,0:34:34.32,0:34:37.16,Default,,0000,0000,0000,,we're looking at in the subsearch uh
Dialogue: 0,0:34:37.16,0:34:39.32,Default,,0000,0000,0000,,and then we're also going to look at an
Dialogue: 0,0:34:39.32,0:34:42.40,Default,,0000,0000,0000,,enrichment example so you see this often
Dialogue: 0,0:34:42.40,0:34:45.76,Default,,0000,0000,0000,,when you have uh a data set maybe saved
Dialogue: 0,0:34:45.76,0:34:48.48,Default,,0000,0000,0000,,in a lookup table uh or you just have a
Dialogue: 0,0:34:48.48,0:34:50.08,Default,,0000,0000,0000,,simple reference where you want to bring
Dialogue: 0,0:34:50.08,0:34:52.88,Default,,0000,0000,0000,,in more context maybe descriptions of
Dialogue: 0,0:34:52.88,0:34:54.56,Default,,0000,0000,0000,,event codes things like
Dialogue: 0,0:34:54.56,0:34:59.64,Default,,0000,0000,0000,,that so in that case
Dialogue: 0,0:35:02.16,0:35:05.44,Default,,0000,0000,0000,,we'll look at the first command here now
Dialogue: 0,0:35:05.44,0:35:08.16,Default,,0000,0000,0000,,I'm going to run my search and we're
Dialogue: 0,0:35:08.16,0:35:12.12,Default,,0000,0000,0000,,going to pivot over uh
to a sub search Dialogue: 0,0:35:12.12,0:35:14.48,Default,,0000,0000,0000,,tab here and so you can see our sub Dialogue: 0,0:35:14.48,0:35:19.72,Default,,0000,0000,0000,,search looking at the secure uh logs uh Dialogue: 0,0:35:19.72,0:35:21.88,Default,,0000,0000,0000,,we are actually just pulling out the Dialogue: 0,0:35:21.88,0:35:24.36,Default,,0000,0000,0000,,search to see what the results are uh or Dialogue: 0,0:35:24.36,0:35:26.08,Default,,0000,0000,0000,,what's going to be returned from that Dialogue: 0,0:35:26.08,0:35:28.84,Default,,0000,0000,0000,,sub search so we're applying the same Dialogue: 0,0:35:28.84,0:35:31.20,Default,,0000,0000,0000,,rex that we had before to extract our Dialogue: 0,0:35:31.20,0:35:33.72,Default,,0000,0000,0000,,Fields we're applying a wear a streaming Dialogue: 0,0:35:33.72,0:35:35.92,Default,,0000,0000,0000,,command looking for anything that's not Dialogue: 0,0:35:35.92,0:35:38.60,Default,,0000,0000,0000,,null for user we observed that we had Dialogue: 0,0:35:38.60,0:35:40.92,Default,,0000,0000,0000,,about 60% of our events that were going Dialogue: 0,0:35:40.92,0:35:43.36,Default,,0000,0000,0000,,to be null based on not having a user Dialogue: 0,0:35:43.36,0:35:46.80,Default,,0000,0000,0000,,field and so looking at that total data Dialogue: 0,0:35:46.80,0:35:50.28,Default,,0000,0000,0000,,set uh we're just going to count by our Dialogue: 0,0:35:50.28,0:35:53.84,Default,,0000,0000,0000,,source IP and this is often a quick way Dialogue: 0,0:35:53.84,0:35:56.84,Default,,0000,0000,0000,,to really just get a list of unique Dialogue: 0,0:35:56.84,0:35:59.88,Default,,0000,0000,0000,,values of any given field uh and then Dialogue: 0,0:35:59.88,0:36:03.12,Default,,0000,0000,0000,,operating on that uh to return just the Dialogue: 0,0:36:03.12,0:36:05.08,Default,,0000,0000,0000,,the list of values few different ways to Dialogue: 0,0:36:05.08,0:36:08.80,Default,,0000,0000,0000,,do that uh see stats count pretty often Dialogue: 
0,0:36:08.80,0:36:10.60,Default,,0000,0000,0000,,and in this case we're actually tbling Dialogue: 0,0:36:10.60,0:36:13.96,Default,,0000,0000,0000,,out just keeping our source IP field and Dialogue: 0,0:36:13.96,0:36:16.80,Default,,0000,0000,0000,,renaming to client IP so the resulting Dialogue: 0,0:36:16.80,0:36:20.56,Default,,0000,0000,0000,,data set is a single column table uh Dialogue: 0,0:36:20.56,0:36:21.44,Default,,0000,0000,0000,,with Dialogue: 0,0:36:21.44,0:36:26.32,Default,,0000,0000,0000,,182 results and the field name is client Dialogue: 0,0:36:26.32,0:36:29.88,Default,,0000,0000,0000,,IP so so when returned to the original Dialogue: 0,0:36:29.88,0:36:32.12,Default,,0000,0000,0000,,search we're running this as a sub Dialogue: 0,0:36:32.12,0:36:36.32,Default,,0000,0000,0000,,search the effective result of this is Dialogue: 0,0:36:36.32,0:36:39.96,Default,,0000,0000,0000,,actually client IP equals my first value Dialogue: 0,0:36:39.96,0:36:43.80,Default,,0000,0000,0000,,here or client IP equals my second value Dialogue: 0,0:36:43.80,0:36:46.96,Default,,0000,0000,0000,,and so on through the full data set and Dialogue: 0,0:36:46.96,0:36:49.20,Default,,0000,0000,0000,,so looking at our search here we're Dialogue: 0,0:36:49.20,0:36:52.36,Default,,0000,0000,0000,,applying this to the access logs you can Dialogue: 0,0:36:52.36,0:36:55.28,Default,,0000,0000,0000,,see that we had a field named Source IP Dialogue: 0,0:36:55.28,0:36:58.52,Default,,0000,0000,0000,,in the secure logs uh and we renamed a Dialogue: 0,0:36:58.52,0:37:02.16,Default,,0000,0000,0000,,client IP so that we could apply this to Dialogue: 0,0:37:02.16,0:37:05.76,Default,,0000,0000,0000,,the access logs where client IP is the Dialogue: 0,0:37:05.76,0:37:09.48,Default,,0000,0000,0000,,actual field name for the uh Source IP Dialogue: 0,0:37:09.48,0:37:13.56,Default,,0000,0000,0000,,data and in this case we are filtering Dialogue: 0,0:37:13.56,0:37:16.08,Default,,0000,0000,0000,,to the client IPS 
relevant in the secure Dialogue: 0,0:37:16.08,0:37:19.84,Default,,0000,0000,0000,,logs for our web access Dialogue: 0,0:37:19.84,0:37:23.96,Default,,0000,0000,0000,,logs so uncommenting here we have a Dialogue: 0,0:37:23.96,0:37:26.80,Default,,0000,0000,0000,,series of operations that we're doing uh Dialogue: 0,0:37:26.80,0:37:29.00,Default,,0000,0000,0000,,and I'm just going to run the mall at Dialogue: 0,0:37:29.00,0:37:33.08,Default,,0000,0000,0000,,once and talk through uh that we are Dialogue: 0,0:37:33.08,0:37:37.24,Default,,0000,0000,0000,,counting uh the status or we're counting Dialogue: 0,0:37:37.24,0:37:40.32,Default,,0000,0000,0000,,the events by status and client IP uh Dialogue: 0,0:37:40.32,0:37:42.64,Default,,0000,0000,0000,,for the client IPS that were relevant to Dialogue: 0,0:37:42.64,0:37:44.88,Default,,0000,0000,0000,,authentication failures in the secure Dialogue: 0,0:37:44.88,0:37:48.76,Default,,0000,0000,0000,,logs we are then creating a status count Dialogue: 0,0:37:48.76,0:37:52.04,Default,,0000,0000,0000,,field just by combining uh our status Dialogue: 0,0:37:52.04,0:37:54.68,Default,,0000,0000,0000,,and count Fields uh adding a colant Dialogue: 0,0:37:54.68,0:37:58.64,Default,,0000,0000,0000,,between them uh and then we are doing a Dialogue: 0,0:37:58.64,0:38:02.08,Default,,0000,0000,0000,,second uh stats statement here to Dialogue: 0,0:38:02.08,0:38:03.96,Default,,0000,0000,0000,,actually combine all of our newly Dialogue: 0,0:38:03.96,0:38:06.32,Default,,0000,0000,0000,,created Fields together in a more Dialogue: 0,0:38:06.32,0:38:10.56,Default,,0000,0000,0000,,condensed report so transforming command Dialogue: 0,0:38:10.56,0:38:12.52,Default,,0000,0000,0000,,then streaming for creating our new Dialogue: 0,0:38:12.52,0:38:15.36,Default,,0000,0000,0000,,field another transforming command and Dialogue: 0,0:38:15.36,0:38:17.88,Default,,0000,0000,0000,,then our sort for data set processing Dialogue: 
0,0:38:17.88,0:38:20.92,Default,,0000,0000,0000,,actually gives us the results here for a Dialogue: 0,0:38:20.92,0:38:25.48,Default,,0000,0000,0000,,given client IP and so we are in this Dialogue: 0,0:38:25.48,0:38:28.44,Default,,0000,0000,0000,,case looking for the scenario that Dialogue: 0,0:38:28.44,0:38:31.32,Default,,0000,0000,0000,,these client IPS that are involved in Dialogue: 0,0:38:31.32,0:38:34.24,Default,,0000,0000,0000,,authentication failures to the web Dialogue: 0,0:38:34.24,0:38:37.32,Default,,0000,0000,0000,,servers in this case these were all over Dialogue: 0,0:38:37.32,0:38:39.68,Default,,0000,0000,0000,,SSH uh we want to see if there are Dialogue: 0,0:38:39.68,0:38:42.76,Default,,0000,0000,0000,,interactions by these same Source IPS uh Dialogue: 0,0:38:42.76,0:38:46.08,Default,,0000,0000,0000,,actually on the uh website that we're Dialogue: 0,0:38:46.08,0:38:50.20,Default,,0000,0000,0000,,hosting uh so seeing a high number of Dialogue: 0,0:38:50.20,0:38:53.40,Default,,0000,0000,0000,,failed values looking at actions also is Dialogue: 0,0:38:53.40,0:38:55.60,Default,,0000,0000,0000,,a use case here for just bringing in Dialogue: 0,0:38:55.60,0:38:57.68,Default,,0000,0000,0000,,that context and seeing if there's any Dialogue: 0,0:38:57.68,0:39:00.52,Default,,0000,0000,0000,,sort of relationship between the data uh Dialogue: 0,0:39:00.52,0:39:04.00,Default,,0000,0000,0000,,this is discussed often as correlation Dialogue: 0,0:39:04.00,0:39:07.68,Default,,0000,0000,0000,,of logs I'm usually careful about using Dialogue: 0,0:39:07.68,0:39:09.44,Default,,0000,0000,0000,,the term correlation in talking about Dialogue: 0,0:39:09.44,0:39:11.12,Default,,0000,0000,0000,,spun queries especially in Enterprise Dialogue: 0,0:39:11.12,0:39:12.64,Default,,0000,0000,0000,,security talking about correlation Dialogue: 0,0:39:12.64,0:39:16.12,Default,,0000,0000,0000,,searches where I typically think of Dialogue: 
0,0:39:16.12,0:39:18.48,Default,,0000,0000,0000,,correlation searches as being Dialogue: 0,0:39:18.48,0:39:20.60,Default,,0000,0000,0000,,overarching Concepts that cover data Dialogue: 0,0:39:20.60,0:39:23.92,Default,,0000,0000,0000,,from multiple data sources and in this Dialogue: 0,0:39:23.92,0:39:26.48,Default,,0000,0000,0000,,case correlating events would be looking Dialogue: 0,0:39:26.48,0:39:28.40,Default,,0000,0000,0000,,at unique data types that are Dialogue: 0,0:39:28.40,0:39:31.24,Default,,0000,0000,0000,,potentially related uh in finding that Dialogue: 0,0:39:31.24,0:39:33.84,Default,,0000,0000,0000,,logical connection uh for the condition Dialogue: 0,0:39:33.84,0:39:35.88,Default,,0000,0000,0000,,that's a little bit more up to the user Dialogue: 0,0:39:35.88,0:39:38.32,Default,,0000,0000,0000,,it's not uh quite as easy as say Dialogue: 0,0:39:38.32,0:39:41.52,Default,,0000,0000,0000,,pointing to a specific data Dialogue: 0,0:39:41.52,0:39:44.88,Default,,0000,0000,0000,,model so we are going to look at one Dialogue: 0,0:39:44.88,0:39:47.92,Default,,0000,0000,0000,,more sub search here and this case is Dialogue: 0,0:39:47.92,0:39:52.24,Default,,0000,0000,0000,,going to apply uh the join command and Dialogue: 0,0:39:52.24,0:39:55.68,Default,,0000,0000,0000,,so I talk about using lookup files uh or Dialogue: 0,0:39:55.68,0:39:59.00,Default,,0000,0000,0000,,uh other data returned by sub searches Dialogue: 0,0:39:59.00,0:40:01.60,Default,,0000,0000,0000,,uh to enrich to bring more data in Dialogue: 0,0:40:01.60,0:40:05.60,Default,,0000,0000,0000,,rather than filter um we are going to Dialogue: 0,0:40:05.60,0:40:08.96,Default,,0000,0000,0000,,look at our first part of the command Dialogue: 0,0:40:08.96,0:40:11.48,Default,,0000,0000,0000,,here uh and this is actually just a Dialogue: 0,0:40:11.48,0:40:15.72,Default,,0000,0000,0000,,simple uh stats report based on this rex Dialogue: 0,0:40:15.72,0:40:18.08,Default,,0000,0000,0000,,that keeps coming through uh 
the SPL to Dialogue: 0,0:40:18.08,0:40:21.00,Default,,0000,0000,0000,,give us those user and Source IP Fields Dialogue: 0,0:40:21.00,0:40:24.08,Default,,0000,0000,0000,,uh so our result here is authentication Dialogue: 0,0:40:24.08,0:40:26.20,Default,,0000,0000,0000,,failures for all these web hosts so Dialogue: 0,0:40:26.20,0:40:28.76,Default,,0000,0000,0000,,similar to what we had previously Dialogue: 0,0:40:28.76,0:40:31.20,Default,,0000,0000,0000,,returned and then we're going to take a Dialogue: 0,0:40:31.20,0:40:33.32,Default,,0000,0000,0000,,look at the results of the sub search Dialogue: 0,0:40:33.32,0:40:35.40,Default,,0000,0000,0000,,here actually split this up so that we Dialogue: 0,0:40:35.40,0:40:38.84,Default,,0000,0000,0000,,can see uh the first two lines we're Dialogue: 0,0:40:38.84,0:40:41.76,Default,,0000,0000,0000,,looking at our web access logs for Dialogue: 0,0:40:41.76,0:40:45.56,Default,,0000,0000,0000,,purchase actions uh and then we are Dialogue: 0,0:40:45.56,0:40:50.60,Default,,0000,0000,0000,,looking at uh our stats count for errors Dialogue: 0,0:40:50.60,0:40:52.96,Default,,0000,0000,0000,,and stats count for successes we have Dialogue: 0,0:40:52.96,0:40:55.08,Default,,0000,0000,0000,,pretty limited status code to return in Dialogue: 0,0:40:55.08,0:40:59.24,Default,,0000,0000,0000,,this data so this uh is is uh viable for Dialogue: 0,0:40:59.24,0:41:01.80,Default,,0000,0000,0000,,the data present uh to observe our Dialogue: 0,0:41:01.80,0:41:03.28,Default,,0000,0000,0000,,errors and Dialogue: 0,0:41:03.28,0:41:05.88,Default,,0000,0000,0000,,successes and then we are actually Dialogue: 0,0:41:05.88,0:41:08.16,Default,,0000,0000,0000,,creating a new field based on the Dialogue: 0,0:41:08.16,0:41:10.84,Default,,0000,0000,0000,,statistics that we're generating uh Dialogue: 0,0:41:10.84,0:41:13.92,Default,,0000,0000,0000,,looking at our transaction errors so Dialogue: 0,0:41:13.92,0:41:18.00,Default,,0000,0000,0000,,where we have uh high or 
low numbers uh Dialogue: 0,0:41:18.00,0:41:22.08,Default,,0000,0000,0000,,of failed purchase actions uh and then Dialogue: 0,0:41:22.08,0:41:25.60,Default,,0000,0000,0000,,summarizing that so in the case of our Dialogue: 0,0:41:25.60,0:41:27.80,Default,,0000,0000,0000,,final command here another transforming Dialogue: 0,0:41:27.80,0:41:30.64,Default,,0000,0000,0000,,command of table just to reduce this to Dialogue: 0,0:41:30.64,0:41:35.08,Default,,0000,0000,0000,,a small data set uh to use in the subur Dialogue: 0,0:41:35.08,0:41:37.44,Default,,0000,0000,0000,,and so in this case we have our host Dialogue: 0,0:41:37.44,0:41:39.40,Default,,0000,0000,0000,,value and then our transaction error Dialogue: 0,0:41:39.40,0:41:41.48,Default,,0000,0000,0000,,rate that we observe from the web access Dialogue: 0,0:41:41.48,0:41:44.76,Default,,0000,0000,0000,,logs and then over in our other search Dialogue: 0,0:41:44.76,0:41:48.64,Default,,0000,0000,0000,,here uh we are going to perform a left Dialogue: 0,0:41:48.64,0:41:51.40,Default,,0000,0000,0000,,join based on this host field so you see Dialogue: 0,0:41:51.40,0:41:53.36,Default,,0000,0000,0000,,in our secure logs we still have the Dialogue: 0,0:41:53.36,0:41:55.80,Default,,0000,0000,0000,,same host value and this is going to be Dialogue: 0,0:41:55.80,0:41:59.64,Default,,0000,0000,0000,,used uh to to actually add our Dialogue: 0,0:41:59.64,0:42:02.76,Default,,0000,0000,0000,,transaction uh error rates in for each Dialogue: 0,0:42:02.76,0:42:06.40,Default,,0000,0000,0000,,host so as we observe uh increased Dialogue: 0,0:42:06.40,0:42:08.64,Default,,0000,0000,0000,,authentication failures if there's a Dialogue: 0,0:42:08.64,0:42:11.96,Default,,0000,0000,0000,,scenario for a breach and some sort of Dialogue: 0,0:42:11.96,0:42:14.96,Default,,0000,0000,0000,,interruption to the ability to serve out Dialogue: 0,0:42:14.96,0:42:17.52,Default,,0000,0000,0000,,or perform these purchase actions that Dialogue: 
0,0:42:17.52,0:42:20.96,Default,,0000,0000,0000,,that are affecting uh the intended Dialogue: 0,0:42:20.96,0:42:23.20,Default,,0000,0000,0000,,operations of the web servers uh we can Dialogue: 0,0:42:23.20,0:42:25.28,Default,,0000,0000,0000,,see that here of course our tutorial Dialogue: 0,0:42:25.28,0:42:27.32,Default,,0000,0000,0000,,data there's not really much that Dialogue: 0,0:42:27.32,0:42:29.88,Default,,0000,0000,0000,,jumping out or showing uh that there is Dialogue: 0,0:42:29.88,0:42:32.60,Default,,0000,0000,0000,,any correlation between the two but the Dialogue: 0,0:42:32.60,0:42:34.64,Default,,0000,0000,0000,,purpose of the join is to bring in that Dialogue: 0,0:42:34.64,0:42:37.44,Default,,0000,0000,0000,,extra data set to give the context to Dialogue: 0,0:42:37.44,0:42:39.84,Default,,0000,0000,0000,,further Dialogue: 0,0:42:41.04,0:42:47.44,Default,,0000,0000,0000,,investigate so um that is uh the final Dialogue: 0,0:42:47.44,0:42:52.36,Default,,0000,0000,0000,,portion of the SPL demo uh and I do want Dialogue: 0,0:42:52.36,0:42:54.92,Default,,0000,0000,0000,,to say for any questions I'm going to Dialogue: 0,0:42:54.92,0:42:56.96,Default,,0000,0000,0000,,take a look at the chat I'll do my best Dialogue: 0,0:42:56.96,0:43:00.08,Default,,0000,0000,0000,,to answer any questions um and then if Dialogue: 0,0:43:00.08,0:43:03.08,Default,,0000,0000,0000,,you have any other questions uh please Dialogue: 0,0:43:03.08,0:43:05.80,Default,,0000,0000,0000,,feel free to reach out to my team at Dialogue: 0,0:43:05.80,0:43:08.60,Default,,0000,0000,0000,,support keny group.com and we'll be Dialogue: 0,0:43:08.60,0:43:11.92,Default,,0000,0000,0000,,happy to get back to you and help um I Dialogue: 0,0:43:11.92,0:43:15.44,Default,,0000,0000,0000,,am taking a look Dialogue: 0,0:43:26.12,0:43:29.12,Default,,0000,0000,0000,,through Dialogue: 0,0:43:32.20,0:43:33.76,Default,,0000,0000,0000,,okay seeing some questions on Dialogue: 
0,0:43:33.76,0:43:38.28,Default,,0000,0000,0000,,performance of the uh Rex said Rex Dialogue: 0,0:43:38.28,0:43:41.60,Default,,0000,0000,0000,,commands um so off the top of my head I Dialogue: 0,0:43:41.60,0:43:43.80,Default,,0000,0000,0000,,I'm not sure about a direct performance Dialogue: 0,0:43:43.80,0:43:46.40,Default,,0000,0000,0000,,comparison uh of the individual commands Dialogue: 0,0:43:46.40,0:43:49.20,Default,,0000,0000,0000,,definitely want to look into that um and Dialogue: 0,0:43:49.20,0:43:52.28,Default,,0000,0000,0000,,definitely follow up uh if you'd like to Dialogue: 0,0:43:52.28,0:43:54.28,Default,,0000,0000,0000,,uh explain a more detailed scenario or Dialogue: 0,0:43:54.28,0:43:57.12,Default,,0000,0000,0000,,look at some SPL uh that we can apply in Dialogue: 0,0:43:57.12,0:43:58.40,Default,,0000,0000,0000,,observe those Dialogue: 0,0:43:58.40,0:44:01.68,Default,,0000,0000,0000,,changes um the question on getting the Dialogue: 0,0:44:01.68,0:44:05.48,Default,,0000,0000,0000,,data set uh that is what I mentioned at Dialogue: 0,0:44:05.48,0:44:07.52,Default,,0000,0000,0000,,the beginning uh reach out to us for the Dialogue: 0,0:44:07.52,0:44:10.12,Default,,0000,0000,0000,,slides uh or just uh reach out about the Dialogue: 0,0:44:10.12,0:44:15.48,Default,,0000,0000,0000,,link and the uh Splunk tutorial data you Dialogue: 0,0:44:15.48,0:44:17.88,Default,,0000,0000,0000,,can actually search that as well um and Dialogue: 0,0:44:17.88,0:44:20.40,Default,,0000,0000,0000,,there's documentation on how to use the Dialogue: 0,0:44:20.40,0:44:22.40,Default,,0000,0000,0000,,tutorial data one of the first links Dialogue: 0,0:44:22.40,0:44:25.64,Default,,0000,0000,0000,,there uh takes you to a page that has uh Dialogue: 0,0:44:25.64,0:44:29.08,Default,,0000,0000,0000,,it is a tutorial data zip file uh and Dialogue: 0,0:44:29.08,0:44:31.08,Default,,0000,0000,0000,,instructions on how to injust that it's Dialogue: 
0,0:44:31.08,0:44:34.08,Default,,0000,0000,0000,,just an upload uh for your specific Dialogue: 0,0:44:34.08,0:44:37.60,Default,,0000,0000,0000,,environment so uh in add data and then Dialogue: 0,0:44:37.60,0:44:40.04,Default,,0000,0000,0000,,upload data two clicks uh and upload Dialogue: 0,0:44:40.04,0:44:43.40,Default,,0000,0000,0000,,your file so that is uh freely available Dialogue: 0,0:44:43.40,0:44:45.76,Default,,0000,0000,0000,,for anyone uh and again that package is Dialogue: 0,0:44:45.76,0:44:47.44,Default,,0000,0000,0000,,dynamically updated as well so your time Dialogue: 0,0:44:47.44,0:44:51.36,Default,,0000,0000,0000,,stamps are pretty close to to normal uh Dialogue: 0,0:44:51.36,0:44:53.44,Default,,0000,0000,0000,,as you download the app kind of depends Dialogue: 0,0:44:53.44,0:44:55.92,Default,,0000,0000,0000,,on the time of the the cycle for the Dialogue: 0,0:44:55.92,0:44:58.56,Default,,0000,0000,0000,,update um but search overall time you Dialogue: 0,0:44:58.56,0:45:02.36,Default,,0000,0000,0000,,won't have any issues there um and then Dialogue: 0,0:45:02.36,0:45:05.12,Default,,0000,0000,0000,,yeah again on receiving slides uh reach Dialogue: 0,0:45:05.12,0:45:08.24,Default,,0000,0000,0000,,out to my team uh and we're happy to to Dialogue: 0,0:45:08.24,0:45:10.24,Default,,0000,0000,0000,,provide those discuss further and we'll Dialogue: 0,0:45:10.24,0:45:16.04,Default,,0000,0000,0000,,have uh the um the recording available Dialogue: 0,0:45:16.04,0:45:18.40,Default,,0000,0000,0000,,for this session you should be able to Dialogue: 0,0:45:18.40,0:45:20.68,Default,,0000,0000,0000,,after uh the recording processes when Dialogue: 0,0:45:20.68,0:45:22.88,Default,,0000,0000,0000,,the session ends uh actually use the Dialogue: 0,0:45:22.88,0:45:24.64,Default,,0000,0000,0000,,same link and you can watch this Dialogue: 0,0:45:24.64,0:45:26.48,Default,,0000,0000,0000,,reporting and post uh without having to Dialogue: 
0,0:45:26.48,0:45:31.80,Default,,0000,0000,0000,,sign up or transfer that file so Dialogue: 0,0:45:33.68,0:45:38.32,Default,,0000,0000,0000,,um so okay Chris seeing uh seeing your Dialogue: 0,0:45:38.32,0:45:41.24,Default,,0000,0000,0000,,comment there um let me know if you want Dialogue: 0,0:45:41.24,0:45:44.48,Default,,0000,0000,0000,,to reach out to me directly anyone as Dialogue: 0,0:45:44.48,0:45:49.44,Default,,0000,0000,0000,,well um we can discuss what slides and Dialogue: 0,0:45:49.44,0:45:51.64,Default,,0000,0000,0000,,presentation you had attended I'm not Dialogue: 0,0:45:51.64,0:45:55.36,Default,,0000,0000,0000,,sure I have the attendance report uh for Dialogue: 0,0:45:55.36,0:45:57.32,Default,,0000,0000,0000,,for what You' seen previously so uh Dialogue: 0,0:45:57.32,0:46:00.24,Default,,0000,0000,0000,,happy to get those for Dialogue: 0,0:46:06.72,0:46:10.32,Default,,0000,0000,0000,,you all right and uh seeing thanks Brett Dialogue: 0,0:46:10.32,0:46:13.08,Default,,0000,0000,0000,,so you see Brett Woodruff in the chat Dialogue: 0,0:46:13.08,0:46:16.68,Default,,0000,0000,0000,,commenting uh systems engineer on the uh Dialogue: 0,0:46:16.68,0:46:18.64,Default,,0000,0000,0000,,expertise on demand team so very Dialogue: 0,0:46:18.64,0:46:20.40,Default,,0000,0000,0000,,knowledgeable guy and he's going to be Dialogue: 0,0:46:20.40,0:46:23.72,Default,,0000,0000,0000,,presenting next month's session uh that Dialogue: 0,0:46:23.72,0:46:25.40,Default,,0000,0000,0000,,is going to take this concept that we Dialogue: 0,0:46:25.40,0:46:28.76,Default,,0000,0000,0000,,talked about the subur in as a just Dialogue: 0,0:46:28.76,0:46:30.76,Default,,0000,0000,0000,,general search topic he's going to go Dialogue: 0,0:46:30.76,0:46:34.32,Default,,0000,0000,0000,,specifically into Data enrichment using Dialogue: 0,0:46:34.32,0:46:38.08,Default,,0000,0000,0000,,uh joins lookup commands and how we see Dialogue: 0,0:46:38.08,0:46:41.08,Default,,0000,0000,0000,,uh that used in 
the wild so definitely Dialogue: 0,0:46:41.08,0:46:43.36,Default,,0000,0000,0000,,excited for that one encourage you to Dialogue: 0,0:46:43.36,0:46:46.48,Default,,0000,0000,0000,,register for for that Dialogue: 0,0:46:46.92,0:46:52.24,Default,,0000,0000,0000,,event all right I'm not seeing any more Dialogue: 0,0:46:55.84,0:46:57.80,Default,,0000,0000,0000,,questions Dialogue: 0,0:46:57.80,0:47:02.12,Default,,0000,0000,0000,,all right with that uh I am stopping my Dialogue: 0,0:47:02.12,0:47:05.08,Default,,0000,0000,0000,,share I'm going to hang around for a few Dialogue: 0,0:47:05.08,0:47:07.44,Default,,0000,0000,0000,,minutes uh but thank you all for Dialogue: 0,0:47:07.44,0:47:11.08,Default,,0000,0000,0000,,attending and we'll see you on the next Dialogue: 0,0:47:15.92,0:47:18.92,Default,,0000,0000,0000,,session