What's in this manual
This Application Management manual is intended to provide guidelines and examples for using Splunk in an application management environment. Whether you're responsible for developing, supporting, maintaining, or testing applications, this manual is for you.
The Application Management manual is an ongoing project with a ton more work to do. To make as much information as possible available, we are exposing it as a work-in-progress. In some places, the manual has use cases and walkthroughs that show how to use Splunk in typical application management scenarios. In other places, it is just an outline to be filled in later.
Application management use cases
An application environment has a lot of data, a lot of tools, many groups of people, and too little communication between groups. It's difficult to troubleshoot and manage interdependent, distributed applications because no single person or department holds the keys to all of the data needed to conduct a proper analysis. Because Splunk can consume data from almost any source -- consumer endpoints such as browsers, custom business modules and services, database applications, platform software and hardware, network services and hardware, and back-end legacy systems -- it lets you go beyond a siloed view of application management and see what's really going on in your environment. The consolidation of logs, events, messages, configurations and changes in Splunk can be used for:
- Indexing data
- Troubleshooting and investigation
- Application monitoring
- Application development and testing
- Configuration monitoring
- Reporting business metrics
- Integration with other tools
- Aggregating data and creating shared views
Walkthroughs
This manual includes a series of step-by-step walkthroughs for simple application management use cases in Splunk. These walkthroughs assume little or no prior knowledge of Splunk and introduce key Splunk concepts in the context of application management. The walkthroughs cover the following information:
- Index data: describes an application management scenario and shows how to index the data from your logs.
- Troubleshoot using ID and time: shows an example of how to use Splunk to search across logs, pinpoint the exact time where the problem occurred, and examine the timeframe immediately before the problem to discover the root cause.
- Group events into transactions: shows how to group events into transactions, search for transactions that exceed a specified time interval, extract fields, and construct more complicated transactions.
- Monitor transaction performance: shows how to save a search and schedule it to run hourly so that it triggers an alert when specified conditions are met, how to group events into event types, and how to create and save a report.
- Business metrics: shows how to use a lookup table to translate codes in your logs to intelligible labels and to set up a simple dashboard based on saved searches and reports.
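The walkthroughs listed above are carried out in Splunk's search interface. The script below is an added illustration, not code from the Splunk documentation, of the same logic run over a few constructed log lines: extract fields from each line, group events that share a session ID into transactions (what Splunk's transaction command does), flag transactions whose duration exceeds a threshold (the condition a scheduled search would alert on), and translate status codes into readable labels with a lookup table. The log format, session IDs, status codes and labels are assumptions made up for this example.

```python
"""
Added example (not Splunk code): field extraction, transaction grouping,
duration threshold and lookup-table translation over constructed log lines.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events: timestamp, session id, status code, message.
SAMPLE_LOG = """\
2010-06-01 10:00:00,123 session=abc123 status=100 msg="checkout start"
2010-06-01 10:00:02,456 session=abc123 status=200 msg="payment authorized"
2010-06-01 10:00:03,001 session=abc123 status=300 msg="checkout complete"
2010-06-01 10:00:05,000 session=def456 status=100 msg="checkout start"
2010-06-01 10:00:40,250 session=def456 status=500 msg="gateway timeout"
2010-06-01 10:00:41,000 session=def456 status=300 msg="checkout complete"
2010-06-01 10:00:50,000 session=ghi789 status=100 msg="checkout start"
"""

# Constructed lookup table: application status code -> readable label
# (the Business metrics walkthrough does this with a Splunk lookup table).
STATUS_LOOKUP = {
    "100": "started",
    "200": "authorized",
    "300": "completed",
    "500": "failed",
}

# Field extraction for the assumed log format above.
EVENT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) '
    r'session=(?P<session>\S+) status=(?P<status>\d{3}) msg="(?P<msg>[^"]*)"$'
)


def parse_events(text):
    """Turn each raw line into a dict of named fields; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        fields = m.groupdict()
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S,%f")
        # Lookup translation; unknown codes get a visible placeholder rather than an error.
        fields["status_label"] = STATUS_LOOKUP.get(fields["status"], "unknown")
        events.append(fields)
    return events


def build_transactions(events, key="session", maxspan=timedelta(minutes=5)):
    """Group events sharing `key` into transactions, in the spirit of Splunk's
    transaction command: a transaction is closed (and a new one opened for the
    same key) when the next event would push its span past `maxspan`.
    Each transaction records its events, duration in seconds and final status."""
    open_tx = {}
    done = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        k = ev[key]
        tx = open_tx.get(k)
        if tx is not None and ev["ts"] - tx["events"][0]["ts"] > maxspan:
            done.append(open_tx.pop(k))
            tx = None
        if tx is None:
            tx = open_tx[k] = {key: k, "events": []}
        tx["events"].append(ev)
    done.extend(open_tx.values())
    for tx in done:
        first, last = tx["events"][0], tx["events"][-1]
        tx["duration"] = (last["ts"] - first["ts"]).total_seconds()
        tx["final_status"] = last["status_label"]
    return done


def slow_transactions(transactions, threshold_seconds):
    """Transactions whose duration exceeds the threshold: the condition a
    scheduled search would alert on in the Monitor transaction performance walkthrough."""
    return [tx for tx in transactions if tx["duration"] > threshold_seconds]


def summarize(text, threshold_seconds=30):
    """Run the whole pipeline and return the figures a report would show."""
    txs = build_transactions(parse_events(text))
    slow = slow_transactions(txs, threshold_seconds)
    return {
        "transactions": len(txs),
        "slow": sorted(tx["session"] for tx in slow),
        "final_status": {tx["session"]: tx["final_status"] for tx in txs},
    }


if __name__ == "__main__":
    for tx in build_transactions(parse_events(SAMPLE_LOG)):
        print(f'{tx["session"]}: {len(tx["events"])} events, '
              f'{tx["duration"]:.3f}s, final={tx["final_status"]}')
```

With the constructed data, session def456 spans 36 seconds and is the only transaction over the 30-second threshold; ghi789 has a lone "checkout start" event and a zero duration, which is the kind of incomplete transaction a real monitoring search should also surface rather than silently drop.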
Example Library
As this manual expands, it will include short examples of different uses of Splunk for application management.
Other resources
Splunk documentation
This manual is intended to be used in conjunction with the rest of the Splunk documentation set.
- The Installation manual shows you how to install a single Splunk instance, gives an overview of licensing, and discusses storage requirements and hardware capacity planning.
- The User manual gives a general introduction to Splunk. It also includes a Search tutorial with a sample data set.
- The Admin manual covers configuring and maintaining Splunk for a large deployment. You need this manual to get Splunk up and running, make sure your indexes are set up right, get data from remote machines, deploy more than one Splunk instance, and control access based on users and roles. It also contains a reference for Splunk's many configuration files.
- The Search Reference manual tells you everything about searching, including statistics, charting, and tying together transactions.
- The Knowledge Manager manual covers tools to make your data more comprehensible and your searches easier and more repeatable, such as extracting fields from your indexed data, saving searches, adding information like tags, event types and macros, and best practices for naming and sharing all of these across a team.
- The Developer manual tells you how to package your knowledge and create cool dashboards and apps, run searches using the REST API, and create custom commands using a Python script.
Splunk blogs
The Splunk blogs have a lot of useful content, including content which is relevant to application management. For example:
- Universally Indexing Business Data talks about using Splunk to index data that goes beyond traditional IT data.
- Simple Transactions and Splunk for Xitive Xactions discuss ways to use Splunk's transaction command.
- Many of the Splunk Live! posts include summaries of talks by users who are managing real applications.
Splunk Answers
Splunk Answers allows users to post questions and rate answers. Splunk Answers is actively monitored by Splunk employees and is a rich source of information about indexing, forwarders, transactions, and so on. You can also post your own questions or answer someone else's.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8