Module1 - Introduction Architecture

Splunk is software that allows users to search, monitor, and analyze machine-generated data from an entire IT infrastructure from a single interface in real time. It collects and indexes logs from multiple servers and devices, allowing users to easily search for specific events or activities. Splunk has four main components - a search head for the user interface, forwarders that collect data from sources, indexers that process and store the indexed data, and deployment/licensing servers for configuration.

Uploaded by

Srini V

Splunk Guide

What is Splunk?

In simple words, Splunk is Google for all your machine data/logs.

- It's a powerful software engine which can be used to search, investigate, troubleshoot, monitor, visualize, alert, and report on everything that's happening in your entire IT infrastructure from one location in real time.

- You only have to enter the search keyword in the search bar and you're done. Splunk will search the logs of all machines/servers/network devices in your enterprise and present the available information as a result, just like Google.

- You don't need to log in to multiple servers and dig through all the logs for a particular event. Splunk will do it for you in a smarter way.

- For example, if you want to know a particular user's activity on all servers, you just need to enter the username in the search bar and hit enter. Splunk will collect and display all activities performed by that user on all machines in a few seconds.

- You can even monitor your Twitter feeds, Gmail, mailbox etc. using Splunk.

What insights can you get into IT operations with Splunk?

Understanding Splunk Architecture

To understand how to implement Splunk and how it works, it's necessary to first understand the Splunk architecture and its components. Splunk is mainly a combination of four components which work together to provide full functionality. We can install all of the components on a single server or each component on a different server, as per our performance needs. So let's first go through a basic introduction to the Splunk components.

Below are the components of the Splunk architecture:

1) Search Head --> The Splunk search head is basically the GUI for Splunk, where we can search, analyse and report.

2) Forwarder --> The Splunk forwarder is a Splunk component which works like an agent for Splunk. It collects data from different sources like Windows servers, Linux servers, routers, firewalls etc. and forwards the collected data to the indexer for indexing.

There are two types of Splunk forwarder, as below:

a) Universal Forwarder (UF) - a Splunk agent installed on a non-Splunk system to gather data locally; it can't parse or index data.
b) Heavy weight forwarder (HWF) - a full instance of Splunk with advanced functionality.
- Generally works as a remote collector, intermediate forwarder, and possible data filter. Because they parse data, they are not recommended for production systems.

3) Indexer --> The indexer is the Splunk Enterprise component that creates and manages indexes. The primary functions of an indexer are:
- Indexing incoming data
- Searching the indexed data

Below are the stages in which the Splunk indexer processes logs and stores them for searching later:

4) Deployment Server --> The Splunk deployment server is a full Splunk instance used to host and deploy apps to different components within the Splunk infrastructure. It is most often used to deploy technology add-ons to forwarders and indexers for index-time knowledge.

5) Licensing server --> The licensing server manages and monitors license usage. It can be installed on any of the above mentioned servers.
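As an added example (not part of the original guide), here is a minimal configuration for the forwarder-to-indexer path described above: a universal forwarder that only reads a local log and ships it, and an indexer that receives it. The weak plaintext setting is shown commented out beside the hardened one, which encrypts the channel, verifies the indexer's certificate and requires a client certificate so only enrolled forwarders can write into the index. Hostnames, certificate paths, the passphrase placeholders and the receiving port 9997 are assumptions.

```ini
# --- On the universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Monitor a local log file. The UF only reads and forwards; it does not parse.
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os
disabled = false

# --- On the universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
[tcpout]
defaultGroup = indexers

# Weak setting, shown only for contrast: plaintext forwarding, no server check.
# Anyone on the network path could read the events or impersonate the indexer.
# [tcpout:indexers]
# server = idx1.example.internal:9997
# useSSL = false

# Hardened setting: TLS with mutual authentication and indexer acknowledgment.
# Hostnames and certificate paths are assumed values for this example.
[tcpout:indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
useSSL = true
sslVerifyServerCert = true
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = <forwarder-key-passphrase-placeholder>
useACK = true

# --- On each indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listen for forwarder traffic over TLS only and require a client certificate.
[splunktcp-ssl:9997]
disabled = false

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = <indexer-key-passphrase-placeholder>
requireClientCert = true
sslVersions = tls1.2
```

With useACK enabled the forwarder keeps events in its queue until the indexer confirms they were written, so a restart or network break on the path does not silently drop log lines.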

Types of Deployment:

Basic Deployment: With this type of deployment all Splunk components are installed on a single system (Search Head, Indexer, Deployment Server, Master Server & License Server).

Distributed Deployment: Each Splunk component is installed on an independent server.


Splunk Port Requirements
