2. Agenda
•
•
•
•
•
•
•
What is Splunk
Why Splunk
Splunk Architecture
Splunk Data Storage
Splunk Installation Configuration
Splunk Apps
Splunk Searching, Reporting and
Alerting
• Splunk Dashboard
3. What is Splunk
Splunk (the product) captures, indexes and correlates real-time data
in a searchable repository from which it can generate graphs,
reports, alerts, dashboards and visualizations
Splunk aims to make machine data accessible across an organization
and identifies data patterns, provides metrics, diagnoses problems
and provides intelligence for business operation.
Splunk is a used for application management, security and
compliance, as well as business and web analytics.
Splunk has over 5,200 licensed customers in 74 countries, including
more than half of the Fortune 100.
8. Getting Data Into Splunk
Agent and Agent-less Approach for Flexibility
9. How Splunk Stores Data
Splunk is ingesting data and storing it in two types of files
o Raw Data
o Index File
Splunk indexes are stored in directories called Buckets
o This consists of the index file and the raw data
o Buckets move through stages as they age
10. Splunk Licenses
Free Download Limits Indexing to 500MB/day
•
•
Enterprise Trial License expires after 60 days
Reverts to Free License
Features Disabled in Free License
•
•
•
•
•
Multiple user accounts and role-based access controls
Distributed search
Deployment management
Scheduled saved searches and alerting
Summary indexing
Other License Types
•
Enterprise, Trial
11. Splunk Installation
Splunk Platform
•
32 or 64 bit
•
Indexer or Universal Forwarder
•
www.splunk.com/download
Start Splunk
• WIN: Program FilesSplunkbinsplunk.exe start (services start)
• *NIX: /opt/splunk/bin/splunk start
Splunk Home
•
WIN: Program FilesSplunk
•
Other: /opt/splunk (Applications/splunk)
12. Splunk Universal Forwarder Setup
Unix Platform
• Configure universal forwarder to auto-start
$./splunk enable boot-start
• Configure the universal forwarder to forward to a receiving indexer:
$./splunk add forward-server <host>:<port> -auth
<username>:<password>
Windows Platform:
• Configure the universal forwarder to forward to a receiving indexer
14. Log Monitoring Configuration
Splunk's monitor process consumes any new data written to that
file or directory. Sample inputs.conf configuration:
Monitor a File:
[monitor:/var/log/cassandra/system.log]
sourcetype = log4j
disabled = false
Monitor a Directory files:
[monitor:/var/log/]
disabled = false
15. Splunk Searching
• Wildcards are supported - *
• Search terms are case insensitive.
• Boolean searches are supported with AND, OR,
NOT. Just remember that Booleans must be
uppercase.
• There is an implied AND between the search
terms, and for complex searches, use
parenthesis. (error OR failed)
• Historical, custom, or real-time
16. Search Commands
Search results are “piped” to the
command:
• Manipulating fields
• Formatting
• Handling results
• Reporting
20. Reporting
Build reports from the results of any search
Select type of report (Values over time, Top Values, Rare Values)
and on which fields to report or perform statistics
Choose the type of chart (line, area, column, etc) and
other formatting options
20
21. Reporting Examples
• Use wizard or reporting commands (timechart, top, etc)
• Build real-time reports with real-time searches
• Save reports for use on dashboards
21
22. Dashboards
The Splunk Web Framework provides various
options for creating dashboards:
• Simple XML
• Advanced XML
• Splunk SDKs
26. Where to Go for Help
• Documentation
– http://www.splunk.com/base/Documentation
• Technical Support
– http://www.splunk.com/support
• Videos
– http://www.splunk.com/videos
• Education
– http://www.splunk.com/goto/education
• Community
– http://answers.splunk.com
• Splunk Book
– http://splunkbook.com
26
