Using Splunk to Monitor the Customer Experience



Transcription:

Using Splunk to Monitor the Customer Experience
Justin Brown, Pacific Northwest National Laboratory
NLIT Summit 2015

About Me
Justin Brown, justin@pnnl.gov
IT Engineer, Automation & Monitoring Team
15 years at PNNL
Lead Engineer for Splunk

The Challenge
Traditional monitoring: servers & services
Customer focused: outside looking in

Why Splunk
Pulls together logs from several sources
Scripted inputs
Database connectivity
Visualization
Splunk 6.x Dashboard Examples: https://splunkbase.splunk.com/app/1603/

The Targets
Accounts
Workstations
Lync
Email
Websites
Network

The Plan

Accounts
Account lockouts
Bad password attempts
Calls to the Help Desk

Accounts: Bad Passwords
Source: Domain Controller Event Logs
index=os source=wls:security host=dcpn* EventID=4771 Status=0x18 | timechart span=1h dc(user) as perhour

Accounts: Account Lockouts
Source: Domain Controller Event Logs
index=os source=wls:security host=dcpn* EventID=4740 process=security | timechart span=1h dc(user) as perhour
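
An added worked example, not from the slides: a small Python re-implementation of what the two account queries above compute, so a dashboard number can be checked against raw events. Windows Security event 4771 with Status 0x18 is a Kerberos pre-authentication failure caused by a wrong password, and 4740 is an account lockout. The event records below are constructed, with made-up hosts, users and timestamps, and their field names simply follow the queries. The point it makes is why the slides use dc(user) rather than count: one user retrying a bad password many times is one affected customer, not many, and a lockout recorded on two domain controllers is one lockout.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of Windows Security events as Splunk would index them.
# Field names follow the slide queries (host, EventID, Status, user); hosts,
# users and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"_time": "2015-05-04T09:05:00Z", "host": "dcpn01", "EventID": 4771, "Status": "0x18", "user": "alice"},
    {"_time": "2015-05-04T09:07:00Z", "host": "dcpn01", "EventID": 4771, "Status": "0x18", "user": "alice"},
    {"_time": "2015-05-04T09:20:00Z", "host": "dcpn02", "EventID": 4771, "Status": "0x18", "user": "bob"},
    # 0x17 is KDC_ERR_KEY_EXPIRED (expired password), not a wrong password: filtered out.
    {"_time": "2015-05-04T09:45:00Z", "host": "dcpn02", "EventID": 4771, "Status": "0x17", "user": "carol"},
    {"_time": "2015-05-04T10:10:00Z", "host": "dcpn01", "EventID": 4771, "Status": "0x18", "user": "dave"},
    {"_time": "2015-05-04T10:12:00Z", "host": "dcpn01", "EventID": 4740, "user": "alice"},
    {"_time": "2015-05-04T10:40:00Z", "host": "dcpn02", "EventID": 4740, "user": "alice"},
    # Lockout logged on a non-domain-controller host; host=dcpn* excludes it.
    {"_time": "2015-05-04T10:50:00Z", "host": "fs01", "EventID": 4740, "user": "erin"},
]


def matches(event, **filters):
    """Splunk-style field=value filtering with * wildcards (case-sensitive)."""
    for field, pattern in filters.items():
        value = event.get(field)
        if value is None or not fnmatch.fnmatchcase(str(value), str(pattern)):
            return False
    return True


def hour_bucket(iso_ts):
    """Truncate an ISO-8601 UTC timestamp to the start of its hour (span=1h)."""
    ts = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.replace(minute=0, second=0, microsecond=0).isoformat()


def hourly_distinct_users(events, **filters):
    """Equivalent of '<filters> | timechart span=1h dc(user) as perhour'.

    Returns {hour: number_of_distinct_users}. Distinct users, not raw events:
    one user retrying a bad password twenty times is one affected customer.
    """
    users_by_hour = defaultdict(set)
    for event in events:
        if matches(event, **filters):
            users_by_hour[hour_bucket(event["_time"])].add(event["user"])
    return {hour: len(users) for hour, users in sorted(users_by_hour.items())}


def hourly_event_count(events, **filters):
    """The 'count' alternative, shown for contrast: raw matching events per hour."""
    counts = defaultdict(int)
    for event in events:
        if matches(event, **filters):
            counts[hour_bucket(event["_time"])] += 1
    return dict(sorted(counts.items()))


def bad_passwords_per_hour(events):
    """'index=os source=wls:security host=dcpn* EventID=4771 Status=0x18 | timechart span=1h dc(user)'"""
    return hourly_distinct_users(events, host="dcpn*", EventID=4771, Status="0x18")


def lockouts_per_hour(events):
    """'index=os source=wls:security host=dcpn* EventID=4740 | timechart span=1h dc(user)'"""
    return hourly_distinct_users(events, host="dcpn*", EventID=4740)


if __name__ == "__main__":
    print("bad passwords (distinct users):", bad_passwords_per_hour(SAMPLE_EVENTS))
    print("bad passwords (raw events):    ",
          hourly_event_count(SAMPLE_EVENTS, host="dcpn*", EventID=4771, Status="0x18"))
    print("lockouts (distinct users):     ", lockouts_per_hour(SAMPLE_EVENTS))
```

On the constructed data the 09:00 hour has three bad-password events but only two affected users, which is the gap between count and dc(user) that the slides are exploiting.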

Accounts: Help Desk Calls
Source: Help Desk Ticket Database
| dbquery "MAXIMO_PROD" "SELECT TICKETID, DESCRIPTION, COMMODITYGROUP, COMMODITY, REPORTDATE FROM MAXIMO.TICKET WHERE REPORTDATE > SYSDATE - 1" | search (DESCRIPTION=*password* AND COMMODITY=ADACCESS) OR DESCRIPTION=*account*lock* | rename REPORTDATE as _time | timechart span=1h count(TICKETID) as perhour

Workstations
Reliability score
Calls to the Help Desk

Workstations: Reliability Score
Source: Workstation Event Logs
`wls` EventID=2005 ProviderName=Microsoft-Windows-Reliability-Analysis-Engine Stability=* | timechart span=1d eval(round(avg(Stability),2)) as perday
`wls` EventID=2005 ProviderName=Microsoft-Windows-Reliability-Analysis-Engine Stability=* | timechart span=1d dc(host) as perday

Lync
SCOM synthetic transactions
Application crashes and hangs
Calls to the Help Desk

Lync: Synthetic Transactions
Source: SCOM Synthetic Transactions in Event Logs
index=os source=wls host=<server name> EventID=334 | timechart span=1h count as perhour

Lync: Crashes & Hangs
Source: Workstation Event Logs
`wls` EventID=1001 process=application Data1=APPCRASH Data4=lync.exe | timechart span=1h count as perhour

Email
SCOM synthetic transactions
Application crashes and hangs
Calls to the Help Desk

Email: Synthetic Transactions
Source: SCOM Synthetic Transaction Logs
index=scom sourcetype=scom_input DistApp=Exchange MaintenanceMode=False Status=Error | timechart span=1h count as perhour

Web Applications
Selenium synthetic transactions
SCOM SharePoint monitoring
.Net application errors on workstations
Errors from IIS logs
Calls to the Help Desk

Web Applications: Selenium
http://www.seleniumhq.org/projects/webdriver/
https://selenium-python.readthedocs.org/
Source: Selenium Synthetic Transactions
index=web sourcetype=synthetic:transaction | transaction execution_id transaction_name startswith="transaction_start" endswith="transaction_end" keepevicted=true maxspan=5m | search closed_txn=0 | timechart span=1h count as perhour
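
An added example in Python, not part of the original presentation: a simplified model of what the transaction command does with the start and end markers in the Selenium query above, to show why `search closed_txn=0` isolates the failed synthetic checks. It assumes, as the query's startswith/endswith terms imply, that each Selenium run logs one transaction_start and one transaction_end event for a given execution_id and transaction_name; the event records are constructed. Two failure modes are modelled: a run that never logs an end (the browser step hung or the script died) and a run whose end arrives later than maxspan (the page was so slow that the 5-minute window evicted it). Both land in the per-hour failure count.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Selenium synthetic-transaction events in the shape the slide's
# query expects: (_time, execution_id, transaction_name, marker). Ids, names
# and timestamps are made up for this example.
SAMPLE_SYNTHETIC = [
    ("2015-05-04T08:00:00Z", "e1", "login",    "transaction_start"),
    ("2015-05-04T08:00:20Z", "e1", "login",    "transaction_end"),
    ("2015-05-04T08:15:00Z", "e2", "login",    "transaction_start"),  # no end: the check never finished
    ("2015-05-04T08:30:00Z", "e3", "checkout", "transaction_start"),
    ("2015-05-04T08:37:00Z", "e3", "checkout", "transaction_end"),    # ends, but 7 minutes > maxspan=5m
    ("2015-05-04T09:05:00Z", "e4", "checkout", "transaction_start"),
    ("2015-05-04T09:06:00Z", "e4", "checkout", "transaction_end"),
    ("2015-05-04T09:20:00Z", "e5", "login",    "transaction_start"),  # no end
]


def parse_ts(iso_ts):
    return datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def group_transactions(events, maxspan=timedelta(minutes=5)):
    """Simplified model of
    '| transaction execution_id transaction_name startswith="transaction_start"
       endswith="transaction_end" keepevicted=true maxspan=5m'.

    One dict per transaction, timestamped at its start event. closed_txn is 1 when
    the end arrived within maxspan and 0 otherwise (no end at all, or an end later
    than maxspan). Evicted transactions are kept, as keepevicted=true does. An end
    marker with no open start is dropped in this model.
    """
    open_txns = {}
    txns = []
    for ts_str, exec_id, name, marker in sorted(events):   # ISO strings sort chronologically
        ts = parse_ts(ts_str)
        key = (exec_id, name)
        if marker == "transaction_start":
            if key in open_txns:   # a second start for the same key evicts the first
                txns.append(dict(open_txns.pop(key), closed_txn=0, duration=None))
            open_txns[key] = {"_time": ts, "execution_id": exec_id, "transaction_name": name}
        elif marker == "transaction_end" and key in open_txns:
            txn = open_txns.pop(key)
            span = ts - txn["_time"]
            txns.append(dict(txn, closed_txn=1 if span <= maxspan else 0,
                             duration=span.total_seconds()))
    for txn in open_txns.values():   # still open when the data ran out: evicted, unclosed
        txns.append(dict(txn, closed_txn=0, duration=None))
    txns.sort(key=lambda t: t["_time"])
    return txns


def failed_per_hour(events):
    """Equivalent of '| search closed_txn=0 | timechart span=1h count as perhour'."""
    buckets = defaultdict(int)
    for txn in group_transactions(events):
        if txn["closed_txn"] == 0:
            hour = txn["_time"].replace(minute=0, second=0, microsecond=0)
            buckets[hour.isoformat()] += 1
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    for txn in group_transactions(SAMPLE_SYNTHETIC):
        print(txn["_time"].isoformat(), txn["execution_id"], txn["transaction_name"],
              "closed" if txn["closed_txn"] else "FAILED", txn["duration"])
    print(failed_per_hour(SAMPLE_SYNTHETIC))
```

The duration field is retained deliberately: once transactions are paired, the same data gives a response-time chart for the checks that did complete, which is a natural second row for a customer-experience dashboard.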

Web Applications: .Net Errors
Source: Workstation Event Logs
`wls` EventID=1309 RequestURL=http*://* Eventmessage="An unhandled exception has occurred." | timechart span=1h dc(user) as perhour

Network
SolarWinds via SCOM alerts
Calls to the Help Desk

Building Each Row
index=os source=wls:security host=dcpn* EventID=4740 | timechart span=1h dc(user) as perhour | stats sparkline(max(perhour),1h) as Trend, max(perhour) as Highest, latest(perhour) as Now | eval Section="Account Lockouts" | table Section, Trend, Now | rename Now as "Current Count"

Adding the Status
index=os source=wls:security host=dcpn* EventID=4740 | timechart span=1h dc(user) as perhour | stats sparkline(max(perhour),1h) as Trend, max(perhour) as Highest, latest(perhour) as Now | rangemap field=Now low=0-10 elevated=11-20 default=severe | rename range as "Current Status" | rangemap field=Highest low=0-10 elevated=11-20 default=severe | rename range as "Past 24 Hours" | eval Section="Account Lockouts" | table Section, Trend, Now, "Past 24 Hours", "Current Status" | rename Now as "Current Count"

Combining Queries
| eval Section="Account Lockouts" | table Section, Trend, Now | rename Now as "Current Count" | append [ search index=os source=wls:security host=dcpn* EventID=4771 Status=0x18 | timechart span=1h dc(user) as perhour | ... | eval Section="Bad Passwords" ]

Adding Icons
Custom JavaScript & CSS

Custom Drilldowns
index=os source=wls:security host=dcpn* EventID=4740 | timechart span=1h dc(user) as perhour | stats sparkline(max(perhour),1h) as Trend, max(perhour) as Highest, latest(perhour) as Now | eval Section="Account Lockouts" | eval Drilldown="ced_account_dashboard" | table Section, Trend, Now | rename Now as "Current Count"
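
An added example in Python, not from the slides, of the row-building stages shown on "Building Each Row", "Adding the Status", "Combining Queries" and "Custom Drilldowns": from each section's hourly series it derives Trend, Highest and Now, applies the slides' rangemap thresholds (0-10 low, 11-20 elevated, otherwise severe) to both, tags the row with a drilldown target, and appends the rows into one table. The two 24-hour series are constructed; `ced_account_dashboard` is the drilldown name taken from the slide.

```python
# Constructed 24-hour series, oldest first, standing in for the 'perhour' column
# that '| timechart span=1h dc(user) as perhour' produces. Numbers are made up.
ACCOUNT_LOCKOUTS = [2, 1, 0, 3, 5, 4, 2, 1, 0, 0, 6, 14, 9, 7, 3, 2, 2, 1, 0, 1, 2, 4, 3, 3]
BAD_PASSWORDS = [8, 9, 7, 10, 12, 11, 9, 8, 10, 13, 15, 18, 21, 27, 25, 24, 23, 22, 20, 19, 21, 23, 24, 22]


def rangemap(value, low=(0, 10), elevated=(11, 20), default="severe"):
    """'| rangemap field=<f> low=0-10 elevated=11-20 default=severe'. Ranges are inclusive."""
    if low[0] <= value <= low[1]:
        return "low"
    if elevated[0] <= value <= elevated[1]:
        return "elevated"
    return default


def build_row(section, perhour, drilldown=None):
    """One dashboard row for a section, mirroring the stats/rangemap/eval/table/rename stage:
    Trend  = the values the sparkline is drawn from (sparkline(max(perhour),1h))
    Highest = max(perhour) over the window, mapped to "Past 24 Hours"
    Now    = latest(perhour), mapped to "Current Status" and shown as "Current Count".
    """
    if not perhour:
        raise ValueError("no data points for section %r" % section)
    highest = max(perhour)
    now = perhour[-1]
    row = {
        "Section": section,
        "Trend": list(perhour),
        "Current Count": now,
        "Current Status": rangemap(now),
        "Past 24 Hours": rangemap(highest),
    }
    if drilldown is not None:
        row["Drilldown"] = drilldown   # eval Drilldown="ced_account_dashboard" on the slide
    return row


def build_dashboard(sections):
    """The append stage: one row per (section name, series, drilldown), in the order given."""
    return [build_row(name, series, drilldown) for name, series, drilldown in sections]


SECTIONS = [
    ("Account Lockouts", ACCOUNT_LOCKOUTS, "ced_account_dashboard"),
    ("Bad Passwords", BAD_PASSWORDS, "ced_account_dashboard"),
]


if __name__ == "__main__":
    for row in build_dashboard(SECTIONS):
        print("%-17s now=%-3d current=%-9s past24h=%-9s drilldown=%s" % (
            row["Section"], row["Current Count"], row["Current Status"],
            row["Past 24 Hours"], row["Drilldown"]))
```

Keeping both statuses matters for a customer-facing view: in the constructed lockout series the current hour is "low", but the 24-hour maximum of 14 still flags "elevated", so a burst that has already subsided remains visible to whoever is triaging the help desk queue.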

Questions?