1
00:00:03,570 --> 00:00:08,180
Let's continue with our discussion of understanding the Splunk Web interface.

2
00:00:08,190 --> 00:00:11,760
So now this is a basic search, as we all know.

3
00:00:11,760 --> 00:00:13,860
It is searching for its local audit logs.

4
00:00:14,580 --> 00:00:20,790
After this, there is an event count that is selected, this many events, and below that there is something

5
00:00:20,790 --> 00:00:21,900
called the timeline.

6
00:00:21,930 --> 00:00:24,390
This timeline is nothing like the Facebook timeline.

7
00:00:24,420 --> 00:00:31,380
This is a different timeline, where it shows the distribution of events over the selected 60-minute window.

8
00:00:31,800 --> 00:00:36,690
If we look at the selected 60-minute window, for half of the duration there are no events.

9
00:00:36,990 --> 00:00:39,000
That means my Splunk instance was down.

10
00:00:39,240 --> 00:00:42,910
There were no events because my Splunk instance was on only after 30 minutes.

11
00:00:42,930 --> 00:00:49,950
I brought it up, and from then on there are this many audit events in my log, and they have been distributed over a period

12
00:00:49,950 --> 00:00:51,090
of, like,

13
00:00:51,980 --> 00:00:52,760
every minute

14
00:00:53,560 --> 00:00:54,820
in the last 60 minutes.

15
00:00:54,910 --> 00:00:59,250
This scale is auto-calculated based on the time period you choose.

16
00:00:59,280 --> 00:01:02,170
If we choose 30 days, each bar represents

17
00:01:02,170 --> 00:01:06,580
one day. If we choose 60 minutes, each bar represents one minute.

18
00:01:06,610 --> 00:01:08,920
If we choose 15 minutes, probably less.

19
00:01:09,070 --> 00:01:15,010
It is also calculated by Splunk to fit in your browser screen, so that the events are spread across

20
00:01:15,010 --> 00:01:18,100
from the beginning to the end within this timeline.

21
00:01:20,640 --> 00:01:21,750
This timeline.

22
00:01:22,050 --> 00:01:24,030
If you click on one of the bars,

23
00:01:25,000 --> 00:01:26,250
everything changes.

24
00:01:26,260 --> 00:01:31,660
You can see there are a total of 3,786 events, but the selected ones are 385.

25
00:01:31,750 --> 00:01:37,780
That means at this minute there was a high number of events from the logs.

26
00:01:37,780 --> 00:01:39,190
But we can see that.

27
00:01:40,060 --> 00:01:41,290
There was a lot of activity.

28
00:01:41,290 --> 00:01:44,650
The 385 events are only during this minute.

29
00:01:44,680 --> 00:01:49,270
If I click that, it will display only the events related to that time.

30
00:01:49,690 --> 00:01:53,050
So if I want to come out, I need to click on Deselect.

31
00:01:55,040 --> 00:02:02,120
And if you want to select some other time frame using the timeline, you can select it and you can zoom

32
00:02:02,120 --> 00:02:08,600
to selection, so that it will just zoom in and display only those events, and they will be spread across

33
00:02:08,630 --> 00:02:09,890
multiple bars again.

34
00:02:09,980 --> 00:02:12,590
So it says the total timeline is one minute.

35
00:02:13,040 --> 00:02:17,690
So this one minute has been split up based on milliseconds.

36
00:02:18,200 --> 00:02:19,340
This is how it works.

37
00:02:19,340 --> 00:02:20,390
Let me zoom out.

38
00:02:29,500 --> 00:02:32,980
Now we are back to a last-60-minute search.

39
00:02:36,640 --> 00:02:39,250
Now we understand how to use the timeline.

40
00:02:40,450 --> 00:02:41,980
Let us go one step below.

41
00:02:42,010 --> 00:02:44,920
There are three different views below that timeline.

42
00:02:45,220 --> 00:02:47,710
These are called the Events menu.

43
00:02:47,950 --> 00:02:58,480
All three options are part of this Events menu, which you can use to modify this view or its settings.

44
00:02:58,690 --> 00:03:02,260
Here there is a List option selected by default.

45
00:03:02,290 --> 00:03:06,220
If you choose Raw, you can see there will be a change in this display.

46
00:03:07,890 --> 00:03:08,700
If you see, all

47
00:03:08,730 --> 00:03:13,220
these are the actual logs that are being received from your remote data sources.

48
00:03:13,230 --> 00:03:20,420
These remote data sources are sending this information to Splunk, and it is parsing this information.

49
00:03:20,430 --> 00:03:26,040
If this is the raw log file, if you extract this, or if you go to your remote machine and check

50
00:03:26,040 --> 00:03:27,540
the logs, this is how it will be.

51
00:03:27,540 --> 00:03:30,060
It will be plain text, and it will be every line.

52
00:03:31,350 --> 00:03:35,520
But similar to this, if you click on List, it shows

53
00:03:36,740 --> 00:03:39,680
your actual log file along with the time,

54
00:03:40,770 --> 00:03:47,580
and along with three fields displayed below, it says host, source and sourcetype.

55
00:03:47,760 --> 00:03:58,080
Host, source and sourcetype are by default known as selected fields for all data sources in Splunk.

56
00:03:58,080 --> 00:04:02,570
Whichever you are integrating, whether it is a script, a database, or

57
00:04:03,980 --> 00:04:08,320
a Windows machine, Exchange servers, a Linux machine, a syslog server,

58
00:04:08,330 --> 00:04:14,440
these three fields are mandatory, and by default these three fields will be selected.

59
00:04:14,450 --> 00:04:22,350
When you say selected fields, they will be displayed right next to your event in the list form.

60
00:04:22,370 --> 00:04:23,960
If you click on Table,

61
00:04:25,410 --> 00:04:30,820
it will display the time and the selected fields as part of a table.

62
00:04:30,840 --> 00:04:34,460
It will not display your complete events until you expand them.

63
00:04:34,470 --> 00:04:40,050
So if you expand any event, you'll be able to see the complete event and the fields it contains.

64
00:04:40,140 --> 00:04:41,730
Let me minimize this.

65
00:04:42,330 --> 00:04:43,690
Here are the selected fields.

66
00:04:43,710 --> 00:04:47,730
Let's say I need to add one of these fields into the selected fields.

67
00:04:47,730 --> 00:04:49,140
So how can I add that?

68
00:04:49,620 --> 00:04:50,370
It's simple.

69
00:04:50,370 --> 00:04:51,780
Just click on the field.

70
00:04:51,780 --> 00:04:53,590
There is Selected: Yes or No.

71
00:04:53,670 --> 00:04:59,760
I'll click on Yes; it will be auto-updated, and you can see my action field starts populating in the

72
00:04:59,760 --> 00:05:00,330
table.

73
00:05:01,060 --> 00:05:04,180
If you don't want the table, you can select List.

74
00:05:04,870 --> 00:05:12,730
It will come back to the default view, where it shows the complete logs and the selected fields as part

75
00:05:12,730 --> 00:05:13,990
of the next line.