Peer to Peer Magazine

Spring 2016

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/657874


31 WWW.ILTANET.ORG

CASE STUDIES

Beyond Operational Intelligence with Splunk

(SPL), which is used to perform searches on the indexed data, is the main learning curve for users. To get all the alerts, dashboards, reports and more, SPL is the hurdle you have to jump.

Installing and configuring the software took about five minutes. It can be installed on just about any system (Windows, *nix, etc.) and is completely scalable. A single Splunk instance can typically handle all functions for smaller organizations, or it can scale up to take advantage of features like clustering, replication, load-balancing and high availability for indexing, searching and other functions.

The Splunk Universal Forwarder agent is the recommended approach for getting data from Windows and *nix hosts into the system. This highly customizable agent gets installed on your endpoints and configured to send data to your indexer(s). Network devices can syslog or send data to Splunk using other protocols such as SNMP.

Splunk is licensed by the amount of data we Splunk per day. There are no fees for the number of instances or hosts, and there is a free license that maxes out at 500MB per day. Anyone can quickly get started by installing an almost full-featured version of the enterprise tool on their workstation or development machine.

Use Cases and Examples

» Event Logs: We started out "Splunking" Windows event logs and creating alerts for known events to become more knowledgeable about errors in our environment before users picked up the phone. After experiencing an unforeseen outage, we look through the logs to find the event and use that data to alert us of the same impending outage in the future. We can find the most common errors across the entire organization, see trend lines for different errors and notice spikes or anomalies with minimal effort.

» Document Management System (DMS): Continuing my curiosity, we started Splunking some of our many DMS logs. After looking at that data, you might ask questions you could never have answered easily before. For example, "During a certain time period, how long did a typical document search take in my environment?" With Splunk, this is a short and simple search in my environment:

index=DMS_logs source="*query.log" DMSSEARCH_ms=* | timechart avg(DMSSEARCH_ms)

From left to right:

» The first part tells Splunk to look in the DMS_logs index
» Specifically, only look at log names ending with query.log
» And events that have the DMSSEARCH_ms field
» For all events returned, pipe the results to the timechart command

This draws a visual representation of the average of the values of the DMSSEARCH_ms field over the time period specified. On running the search, Splunk automatically splits the data into buckets of time depending on the time period and number of events and displays a line graph that you can customize. The only real complexity here is in the last field, DMSSEARCH_ms, which required me to "teach" Splunk how to extract that value from the events using a regular expression. This is because in my environment, our DMS search product logs
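As an added example, not code from the article or from Splunk, the same pipeline carried out in Python on a few constructed query.log lines: a regular expression extracts DMSSEARCH_ms the way the author had to "teach" Splunk to, events without the field are dropped as DMSSEARCH_ms=* does, and the average is computed per time bucket as timechart avg() does. The log line format, the extraction regex and the fixed 60-minute bucket span are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines standing in for a DMS query.log (assumed format, not
# taken from the article); the DMSSEARCH_ms field name comes from the search above.
SAMPLE_QUERY_LOG = """\
2016-03-01 09:00:12 INFO search user=jdoe terms="merger agreement" DMSSEARCH_ms=420
2016-03-01 09:07:40 INFO search user=asmith terms="NDA template" DMSSEARCH_ms=180
2016-03-01 09:31:05 WARN index refresh started
2016-03-01 10:02:55 INFO search user=jdoe terms="lease" DMSSEARCH_ms=900
2016-03-01 10:45:10 INFO search user=bwong terms="board minutes" DMSSEARCH_ms=300
"""

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# The kind of extraction rule Splunk has to be taught when a field is not picked
# up automatically: capture the integer that follows DMSSEARCH_ms= (assumed layout).
DMSSEARCH_RE = re.compile(r"\bDMSSEARCH_ms=(?P<DMSSEARCH_ms>\d+)\b")


def extract_events(log_text):
    """Return (timestamp, DMSSEARCH_ms) pairs: the source="*query.log" DMSSEARCH_ms=* part."""
    events = []
    for line in log_text.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        field_match = DMSSEARCH_RE.search(line)
        if not ts_match or not field_match:
            continue  # DMSSEARCH_ms=* keeps only events that carry the field
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, int(field_match.group("DMSSEARCH_ms"))))
    return events


def timechart_avg(events, span_minutes=60):
    """Emulate '| timechart avg(DMSSEARCH_ms)' with a fixed bucket span
    (Splunk chooses the span itself from the time range and event count)."""
    span = timedelta(minutes=span_minutes)
    epoch = datetime(1970, 1, 1)
    buckets = defaultdict(list)
    for ts, ms in events:
        bucket_start = epoch + ((ts - epoch) // span) * span
        buckets[bucket_start].append(ms)
    return [(start.strftime("%Y-%m-%d %H:%M:%S"), sum(v) / len(v))
            for start, v in sorted(buckets.items())]


if __name__ == "__main__":
    for bucket, avg_ms in timechart_avg(extract_events(SAMPLE_QUERY_LOG)):
        print(f"{bucket}  avg DMSSEARCH_ms = {avg_ms:.1f}")
```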
