
Resources to learn about statistics used in Splunk

certifsan
New Member

I have a technical and mainly a security/SIEM background, so I have no issues with understanding the SPL language in general, the administration, etc. I do, however, fall flat on my face whenever I want to do anything more advanced with the SPL language and statistics.

This SplunkConf talk, for example, talks about actionable alerting: https://conf.splunk.com/files/2016/slides/writing-actionable-alerts.pdf
and in the last slides talks about Nth percentage, proper time groups, outliers, etc. It sounds great, but I'm a techie, not a statistician or data scientist, so my queries simply don't work as they should, as I fail to understand the concepts, I think. Splunk documentation explains the command or argument more than the concept as a whole.

I'm guessing other people must have had the same issues with this. Do you know of any materials that get my knowledge up a little bit, especially in relation to Splunk? I have looked around the Answers forum and other sites but did not see much that would help me. I don't feel like going into a full-blown statistics course would be the proper thing to do for the somewhat more advanced queries I want to write.

Any Advice?

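The three concepts the question lists (grouping events into fixed time buckets, an Nth-percentile threshold, and flagging outliers) carried through in Python, as an added example that is not part of the thread or the linked talk. It does in code what `bin _time span=1h | stats count by _time` followed by `perc95`, `avg`/`stdev` or `median` does in SPL, over constructed hourly failed-login counts; the 24-bucket baseline window, the multiplier k=3 and the nearest-rank percentile definition are assumptions chosen for the illustration.

```python
"""Time buckets, percentiles and outlier thresholds (added example, not from the thread)."""
import math
from datetime import datetime, timedelta, timezone
from statistics import mean, median, pstdev

BASE = datetime(2024, 1, 1, tzinfo=timezone.utc)
SPAN = timedelta(hours=1)

# Constructed sample: failed-login counts per hour for a fictional host.
# Hours 0-23 are quiet background noise, hour 24 is a large burst,
# hour 25 is quiet again and hour 26 is a second, smaller burst.
HOURLY = [3, 4, 5, 3, 6, 4, 3, 5, 4, 3, 6, 5, 4, 3, 5, 4, 6, 3, 4, 5, 3, 4, 5, 4,
          40, 4, 15]


def constructed_events():
    """Expand HOURLY into individual (timestamp, user) events spread inside each hour."""
    events = []
    for hour, n in enumerate(HOURLY):
        for i in range(n):
            events.append((BASE + timedelta(hours=hour, minutes=i % 60), f"user{i % 7}"))
    return events


def bucket_counts(events, span=SPAN):
    """Count events per fixed time bucket, the analogue of
    `bin _time span=1h | stats count by _time`. Returns [(bucket_start, count)] in time order.
    Note that, like stats, an hour with no events produces no bucket at all."""
    step = int(span.total_seconds())
    counts = {}
    for ts, _user in events:
        epoch = int(ts.timestamp())
        start = datetime.fromtimestamp(epoch - epoch % step, tz=timezone.utc)
        counts[start] = counts.get(start, 0) + 1
    return sorted(counts.items())


def percentile(values, p):
    """Nearest-rank Nth percentile: the smallest value such that p% of the data is <= it.
    (Splunk's perc<N>() functions use their own estimator, so expect small differences.)"""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def thresholds(baseline, k=3):
    """Three ways to turn a baseline of per-bucket counts into an alert threshold."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)  # median absolute deviation
    return {
        "p95": percentile(baseline, 95),                  # "anything above the 95th percentile"
        "mean+3sd": mean(baseline) + k * pstdev(baseline),  # classic, but one spike inflates it
        "median+3mad": med + k * mad,                       # robust: a spike barely moves it
    }


def detect(buckets, window=24, k=3):
    """Compare each bucket with thresholds built from the `window` buckets before it,
    so the bucket under test never contributes to its own baseline.
    Returns {rule: [bucket_start, ...]} listing the buckets each rule would alert on."""
    flagged = {"p95": [], "mean+3sd": [], "median+3mad": []}
    for i in range(window, len(buckets)):
        baseline = [count for _start, count in buckets[i - window:i]]
        start, count = buckets[i]
        for rule, limit in thresholds(baseline, k).items():
            if count > limit:
                flagged[rule].append(start)
    return flagged


if __name__ == "__main__":
    for rule, hits in detect(bucket_counts(constructed_events())).items():
        print(rule, [h.strftime("%Y-%m-%d %H:%M") for h in hits])
```

Running it shows the practical difference between the three rules: the hour-24 burst (40) trips all of them, but once that burst has entered the 24-hour baseline it drags the mean and standard deviation up so far that the second burst at hour 26 (15 failures against a normal 3 to 6) is missed by mean+3sd while the percentile and median/MAD rules still catch it. That is why percentile- or median-based thresholds are the usual choice for alerting on noisy counts.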

sloshburch
Splunk Employee

Thanks for your patience with my reply and thanks for listening to my talks!

I agree that our documentation is great at highlighting the usage, but sometimes it's hard to see why or how that might be useful. As a result, I often go straight to the examples part of the docs entry for an SPL command. Those tend to make things more concrete for me, from a concept point of view, that is.

I'd recommend the free Splunk Book. It applies SPL in a more real-world scenario and takes its time explaining the scenarios: http://www.splunk.com/goto/book

I'd also recommend the conf talk's associated blog post: http://blogs.splunk.com/2016/01/29/writing-actionable-alerts, which might provide an easier medium to digest the concepts.

Lastly, learn by doing! I don't have a statistics background (other than what I got from computer science and an MBA), but I definitely learned a lot by not being afraid to try and fail. That and answers.splunk.com. If you want to do something in Splunk, outline the concept in a post, let your fellow Splunkers translate what that might be in statistics and then into SPL. Then you'll learn that new building block from which you can create more. Notice I highlighted outlining the real-world challenge in your post: that's because if you ask about a specific implementation, you won't be inviting potential new approaches to solve the same problem and therefore won't be learning. Always focus on your challenge in the post, rather than your attempts at implementing.

Other than that, if you provide specific things you've struggled with, I might be able to get more pointers and resources to you.

Good luck!

muebel
SplunkTrust

Hi certifsan,

In lieu of going through a stats course to understand the underlying principles, the next best bet is probably to find somebody nearby (a coworker/colleague, or maybe a local stats/data-science-focused meetup) to have a dialog with to better understand what's going on here.

Along with this, I'd recommend toying around with the stats functions.

If you have access to Splunk Enterprise Security, then George Starcher's series on utilizing Extreme Search is a good starting point for a practical application of stats.

Please let me know if this helps!

certifsan
New Member

Thanks for your reply. It's not that I don't want to follow a statistics course, but it seems to quickly become too advanced for my current needs, as statistics is a profession and discipline on its own.

I do have access to Splunk Enterprise Security, but the hardware for it won't be here for quite some time. So I'll have to wait with that one, unfortunately.


certifsan
New Member

Can't post links. The referenced talk is the one below:

Talk: Writing Actionable Alerts
Speaker: Burch Simon, Senior Sales Engineer, Splunk


sloshburch
Splunk Employee

Author of that session here! Thanks to Alexa for bringing it to my attention. I'll need a chance to review later and give you some feedback and ideas on where to begin.

certifsan
New Member

Looking forward to some more information, as your conf16 sessions were very interesting.


muebel
SplunkTrust

Awesome 😄
