Windows Inputs and Microsoft Apps Strategy
Sharad Kylasam, Sr. Product Manager, Splunk
.conf2013 (#splunkconf). Copyright 2013 Splunk Inc.
Legal Notices
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Splunk Storm, Listen to Your Data, SPL and The Engine for Machine Data are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. 2013 Splunk Inc. All rights reserved.
About Me
Sharad Kylasam:
- At Splunk for 1 year
- Product Manager responsible for Splunk on Windows and the Microsoft Apps
- Previously at Microsoft for 6 years as a PM in Windows Networking, working on Remote Access technologies
Agenda
- Windows Inputs
  - New inputs (Splunk Enterprise 6 only): host monitoring, network monitoring, file monitoring
  - Changes to existing inputs
  - Demo
- Fundamentals improvements
- Microsoft Apps: now and what's coming
Windows Inputs - New
Host Monitoring
- Captures hardware and software attributes of a given host
- Fairly static, low-volume, high-value data
- Split the collection into several stanzas when you want different attribute types at different frequencies: the name after WinHostMon:// is free-form, and each stanza carries its own interval (in seconds) and type list
    [WinHostMon://WinHostMon]
    interval = 86400
    type = Computer;OperatingSystem;Disk;NetworkAdapter;Processor;Driver;Process;Service;Application
Network Monitoring
- Captures network traffic characteristics: inbound and outbound connections from a given host
- High-volume, high-value data
- Filtering and MultiKV options reduce data volume while keeping every connection record: filters drop connections you do not care about at the source, and MultiKV packs many connection records into one event instead of emitting one event per connection
    [WinNetMon://WinNetMon]
    addressfamily = ipv6;ipv4
    direction = inbound;outbound
    packettype = connect;accept
    protocol = tcp;udp
Print Monitoring
- Monitors printer-related activity on print servers and clients
- Low/medium volume, medium value
- Baseline option gathers the current state (ports, drivers, printers) when monitoring begins, so later events can be compared against a known starting point
    [WinPrintMon://WinPrintMon]
    baseline = 1
    type = Port;Job;Driver;Printer
File Monitoring (Live Tailing)
- Live monitoring of a single file
- Use it instead of a [monitor://] stanza where monitor cannot read a file because another process holds a conflicting handle on it, e.g. the DNS server's debug log
- Limitations
  - No baseline functionality yet: only data written after the input starts is read
  - Only one file can be monitored at a time
    [MonitorNoHandle://C:\Windows\System32\dns\debug.log]
    disabled = 0
    index = main
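The four new inputs above combined into one inputs.conf for a Splunk 6 universal forwarder, as an added example that is not from the slides or from Splunk's own documentation. It assumes the Splunk 6 inputs.conf spec setting names (remoteAddress as a regular expression, mode/multikvMaxEventCount/multikvMaxTimeMs on WinNetMon, a free-form stanza name after WinHostMon://); the index name, the sourcetype and the interval values are placeholders to adjust. The host monitor is split into two stanzas so the slow-changing inventory is polled daily and the process/service list every ten minutes, and the network monitor keeps only outbound TCP connects to non-private addresses, the slice of the high-volume feed most useful for spotting a host beaconing out.

```ini
# Added example, not from the slides. Setting names are assumed to follow the
# Splunk 6 inputs.conf spec; check them against your version's inputs.conf.spec.

# Host inventory split by change frequency: hardware/OS once a day,
# processes and services every 10 minutes. Polling the slow set every
# 10 minutes would only produce duplicate events.
[WinHostMon://inventory]
interval = 86400
type = Computer;OperatingSystem;Disk;NetworkAdapter;Processor;Driver
index = windows

[WinHostMon://runtime]
interval = 600
type = Process;Service
index = windows

# Egress only: outbound TCP connects whose remote address is not loopback or
# RFC 1918 (negative lookahead on the remoteAddress regex, an assumption that
# the filter is evaluated as PCRE). addressFamily is pinned to ipv4 so the
# regex only ever sees dotted-quad addresses. MultiKV batches up to 100
# records or 1 second of records into one event.
[WinNetMon://egress]
addressFamily = ipv4
direction = outbound
packetType = connect
protocol = tcp
remoteAddress = ^(?!127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)
mode = multikv
multikvMaxEventCount = 100
multikvMaxTimeMs = 1000
index = windows

# Print activity, with a snapshot of ports/drivers/printers taken at start.
[WinPrintMon://print]
baseline = 1
type = Port;Job;Driver;Printer
index = windows

# DNS debug log: held open by the DNS server in a way a [monitor://] stanza
# cannot read, so it is tailed without taking a handle. One file per
# forwarder in Splunk 6, and nothing already in the file is read.
[MonitorNoHandle://C:\Windows\System32\dns\debug.log]
sourcetype = dns:debug
index = windows
disabled = 0
```

After deploying, run `splunk btool inputs list --debug` on the forwarder to confirm the merged stanzas and which file each setting came from, then check the egress stanza against a known outbound connection before trusting the remoteAddress filter.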
Windows Inputs Enhancements
Changes to Existing Inputs
- Converted existing inputs to modular inputs: Regmon, Admon and Eventlog
- Note: all the new inputs discussed above are also implemented as modular inputs
- Benefits:
  1. Backward compatible: existing custom dashboards built on this data continue to work in Splunk Enterprise 6
  2. Built on a standard platform: streamlined Windows input processing pipeline
  3. More reliable: gets data into Splunk without the risk of losing events
  4. More performant: less custom processing on the universal forwarder (UF) for line breaking and parsing
Perfmon
- Can capture short-lived processes
- Sampling can be enabled to derive additional statistics per collection interval: average, standard deviation, max, min
- Regex is now supported on the object parameter
- MultiKV format reduces data volume
- Example: sample the Processor counters every 1000 ms and emit one summary event per 10-second interval (about 10 samples per event), in single-event mode
    [perfmon://perfmon]
    counters = % C1 Time;% C2 Time;% C3 Time;% DPC Time;% Idle Time;% Interrupt Time;% Privileged Time;% Processor Time;% User Time;C1 Transitions/sec;C2 Transitions/sec;C3 Transitions/sec;DPC Rate;DPCs Queued/sec;Interrupts/sec
    instances = _Total
    interval = 10
    object = Processor
    samplingInterval = 1000
    stats = average;min;max;dev;count
    mode = single
File Access Monitoring
- Leverages the Windows security audit mechanism (object access auditing): http://technet.microsoft.com/en-us/library/cc727935%28v=ws.10%29.aspx
- Additional filtering capability: whitelist and blacklist of event codes on a per-stanza basis
- Event 4663 ("An attempt was made to access an object") is only written when the File System (Object Access) audit subcategory is enabled and the file or folder carries a SACL matching the accessing account and access type. The forwarder whitelist limits what is forwarded, not what Windows records, so scope SACLs to the paths you actually care about to keep Security log volume down
    [WinEventLog://Security]
    checkpointInterval = 5
    current_only = 0
    disabled = 0
    start_from = oldest
    whitelist = 4663
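A triage pass over the 4663 events once they reach Splunk, as an added example that is not code from the slides or from Splunk. It parses the key/value layout the WinEventLog input produces (Key=Value header lines followed by the tab-indented message body), decodes the Access Mask bits defined in winnt.h, and reports only accesses that write, delete or re-permission files under paths treated as sensitive; read-only hits, which dominate once object access auditing is on, are dropped. The sample events are constructed for the example, and SENSITIVE_PREFIXES, the make_event() helper, the CORP domain and the process paths are assumptions.

```python
"""Triage Windows Security event 4663 (file access) as the Splunk
WinEventLog input emits it: Key=Value header lines, then the tab-indented
message body of the event.

Added example, not from the slides. SENSITIVE_PREFIXES, make_event() and
the sample events are constructed assumptions for this example."""
import re

# File access-mask bits from winnt.h that matter for a 4663 on a file.
ACCESS_BITS = {
    0x1: "ReadData",
    0x2: "WriteData",
    0x4: "AppendData",
    0x40: "DeleteChild",
    0x10000: "DELETE",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
# Accesses that change or destroy data or permissions; plain reads are noise.
MODIFY_MASK = 0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000

# Audited paths (assumption for the example), compared case-insensitively.
SENSITIVE_PREFIXES = ("c:\\finance\\", "c:\\hr\\")

HEADER_RE = re.compile(r"^(?P<key>[A-Za-z]+)=(?P<val>.*)$")             # EventCode=4663
BODY_RE = re.compile(r"^\s+(?P<key>[A-Za-z ]+):\s+(?P<val>\S.*?)\s*$")   # \tObject Name:\t\tC:\...


def parse_event(text):
    """Flatten one WinEventLog event into a dict of header and body fields."""
    fields = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line) or BODY_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def decode_mask(mask_hex):
    """Names of the known access bits set in an Access Mask such as 0x10000."""
    mask = int(mask_hex, 16)
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]


def triage(events):
    """Return (account, path, process, accesses) for every 4663 that writes,
    deletes or re-permissions a file under a sensitive prefix."""
    hits = []
    for text in events:
        f = parse_event(text)
        if f.get("EventCode") != "4663":
            continue  # e.g. 4656 is a handle request, not an actual access
        path = f.get("Object Name", "")
        mask = int(f.get("Access Mask", "0x0"), 16)
        if path.lower().startswith(SENSITIVE_PREFIXES) and mask & MODIFY_MASK:
            hits.append((f.get("Account Name"), path, f.get("Process Name"),
                         decode_mask(f["Access Mask"])))
    return hits


def make_event(code, user, path, process, mask):
    """Constructed sample in the layout the Splunk WinEventLog input emits."""
    return (
        "08/14/2013 10:12:33 AM\n"
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={code}\n"
        "TaskCategory=File System\n"
        "Keywords=Audit Success\n"
        "Message=An attempt was made to access an object.\n\n"
        "Subject:\n"
        f"\tSecurity ID:\t\tCORP\\{user}\n"
        f"\tAccount Name:\t\t{user}\n"
        "\tAccount Domain:\t\tCORP\n\n"
        "Object:\n"
        "\tObject Server:\t\tSecurity\n"
        "\tObject Type:\t\tFile\n"
        f"\tObject Name:\t\t{path}\n\n"
        "Process Information:\n"
        f"\tProcess Name:\t\t{process}\n\n"
        "Access Request Information:\n"
        f"\tAccess Mask:\t\t{mask}\n"
    )


EVENTS = [  # constructed: two reads, a delete, a DACL change, a harmless write, a 4656
    make_event(4663, "jdoe", r"C:\Finance\payroll.xlsx", r"C:\Windows\explorer.exe", "0x1"),
    make_event(4663, "jdoe", r"C:\Finance\payroll.xlsx", r"C:\Windows\explorer.exe", "0x10000"),
    make_event(4663, "svc_backup", r"C:\HR\reviews.docx", r"C:\Backup\agent.exe", "0x1"),
    make_event(4663, "svc_backup", r"C:\HR\reviews.docx", r"C:\Windows\System32\icacls.exe", "0x40000"),
    make_event(4663, "jdoe", r"C:\Temp\notes.txt", r"C:\Windows\System32\notepad.exe", "0x2"),
    make_event(4656, "jdoe", r"C:\Finance\payroll.xlsx", r"C:\Windows\explorer.exe", "0x10000"),
]

if __name__ == "__main__":
    for account, path, process, accesses in triage(EVENTS):
        print(f"{account} {'|'.join(accesses)} {path} via {process}")
```

Before relying on any of this, confirm on the file server that the subcategory is actually on (`auditpol /get /subcategory:"File System"`) and that the folders carry the SACL, otherwise the whitelist forwards nothing. The same mask test can be expressed in SPL once the fields are extracted, but the bit arithmetic above is the part people usually get wrong: match on the mask, not on the free-text Accesses field, which is localized.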
Demo: Common Use Cases for the New Inputs
Fundamentals
Performance: Splunk Add-On for Windows, default configuration
- 3 event log channels: Security, System and Application
- 4 performance objects: Memory, CPU, Disk, Network Interface

    Process             CPU Splunk 5.x   CPU Splunk 6   Memory Splunk 5.x (MB)   Memory Splunk 6 (MB)
    splunkd             2.80             0.28           85                       75
    splunk-perfmon      0.10             0.01           17                       11
    splunk-wineventlog  N/A              2.33           N/A                      9

Note: all performance tests were conducted on a Windows 7 Hyper-V VM with 4 cores and 4 GB memory. In Splunk 6 the event log input runs in its own splunk-wineventlog process (it is now a modular input), which is where most of the CPU previously charged to splunkd has moved.
Performance: Windows Event Log input

1 channel, 300K events:
    Version                 Indexing time   Input throughput (avg eps)
    Splunk Enterprise 5.x   250 seconds     1200
    Splunk Enterprise 6     130 seconds     2300

64 channels, 300K events:
    Version                 Indexing time   Input throughput (avg eps)
    Splunk Enterprise 5.x   270 seconds     1083
    Splunk Enterprise 6     50 seconds      6000
Performance: Perfmon

100 collections (1 counter each), 1 second interval:
    Version                 splunk-perfmon CPU   splunk-perfmon memory   Input throughput (eps)
    Splunk Enterprise 5.x   1.44                 18.85 MB                98.83
    Splunk Enterprise 6     1.60                 18.32 MB                100

Processor, Physical Disk, Logical Disk and Memory objects (60 second collection interval, 10 second sampling):
    Configuration                          Avg CPU   Avg memory   Avg samples per interval (expected 6)
    Splunk Enterprise 6 UF                 0.039     5.34 MB      -
    Splunk Enterprise 6 UF with sampling   0.026     5.35 MB      5.9953
Microsoft Apps
Microsoft Applications
- New combined app in development: Exchange, AD and Windows
  - Customizable install experience
  - In-app customization for building custom dashboards
- Azure Diagnostics storage app: published
- SQL Server app: published
- SharePoint app: private beta
Demo: Microsoft App
Summary
Summary
- Download and install Splunk Enterprise 6 and explore the Windows inputs
- Call to action: contact Microsoft@splunk.com to be part of the Microsoft App beta program
- Call to action: participate in the ODBC driver private beta; contact devinfo@splunk.com for access
Next Steps
1. Download the .conf2013 Mobile App (if not iPhone, iPad or Android, use the Web App)
2. Take the survey and win a pass for .conf2014, or one of these bags!
3. Go to "Remote Data Collection and Forwarder Management with Splunk Enterprise", Room: Nolita 2, Level 4, today, 11:30-12:30pm
Additional Resources
Related .conf sessions:
- Splunk Apps for Monitoring Microsoft-based Infrastructure: Now and What's Coming; Nolita 2, 10/1, 10:15-11:15
- Deployment Best Practices for Splunk Apps Monitoring Microsoft-based Infrastructure; Brera 2 & 3, 10/2, 10:15-11:15
- Technical Deep Dive: ODBC Driver for Windows; Brera 6, 10/3, 13:45-14:45
Visit the Microsoft Booth and talk to the experts!
Thank You!