Splunk

Splunk is a software platform designed for searching, analyzing, and visualizing machine-generated data from various sources within IT infrastructure. It consists of components such as forwarders, indexers, and search heads, and utilizes specific ports for communication. The platform also provides powerful search commands for data manipulation and analysis.
Uploaded by fiweyi8093

• Splunk is a software platform to search, analyze and visualize the machine-generated data gathered from the websites, applications, sensors, devices, etc. that make up your IT infrastructure and business.

Ports

• Web Port: 8000
• Management Port: 8089
• Network port: 514
• Index Replication Port: 8080
• Indexing Port: 9997
• KV store: 8191

Components

• Forwarders: Splunk forwarders are lightweight agents installed on data sources such as servers, network devices, or applications. They collect and send data to the Splunk indexing servers.
• Indexers: The indexers receive data from forwarders, parse it into events, and store it in indexed files. The indexed data allows for fast and efficient search and retrieval.
• Search Head: The search head provides the user interface for searching, analyzing, and visualizing data. It enables users to create searches, reports, dashboards, and alerts.
• Universal Forwarders: Universal Forwarders are a lightweight version of forwarders designed for efficient data collection from a wide range of data sources.
• Heavy Forwarders: Heavy Forwarders offer additional functionalities, such as data transformation and event correlation, in addition to regular forwarding capabilities.
• License Master: The license master centrally manages licensing information for all Splunk components.
• License Slave: License slaves are components that receive licensing information from the license master.

Splunk Instances

• The advantages of getting data into Splunk via forwarders are a reliable TCP connection, bandwidth throttling, and a secure SSL connection for transferring crucial data from a forwarder to an indexer.

Important configuration files of Splunk

• Inputs file (inputs.conf)
• Transforms file (transforms.conf)
• Server file (server.conf)
• Indexes file (indexes.conf)
• Props file (props.conf)

Types of data sources in Splunk Enterprise

• Files and directories
• Network events
• Windows data
• Other sources

Splunk offers a wide range of powerful search commands to analyse and manipulate data. Here are
some commonly used commands in Splunk:

1. search: The primary command used to retrieve data from the index. For example, search index=main error.
2. | (Pipe): Used to chain commands together. For example, index=main | stats count by source.
3. stats: Used for statistical calculations like count, sum, avg, min, max, etc. For example, stats count by host.
4. timechart: Used to create time-based charts and graphs. For example, timechart count by source.
5. eval: Used to create new fields or modify existing ones. For example, eval new_field=field1 + field2.
6. where: Used to filter events based on specific conditions. For example, index=main | where status=200.
7. table: Used to display specific fields in tabular format. For example, index=main | table host, status.
8. rex: Used for regular expression extraction to extract fields from event data. For example, rex "error code is (?<error_code>\d+)".
9. transaction: Used to group related events together based on a common field value. For example, index=main | transaction user.
10. top: Used to find the most frequently occurring values in a field. For example, index=main | top limit=10 host.
11. dedup: Used to remove duplicate events based on specified fields. For example, index=main | dedup user.
12. chart: Used to create charts and graphs. For example, index=main | chart count by status.
13. rename: Used to rename fields. For example, index=main | rename source as sourcetype.
14. join: Used to join results from two different searches based on a common field. For example, search index=main | join user [search index=login].
15. spath: Used to extract JSON data into fields. For example, index=main | spath input=rawfield.
16. makemv: Used to convert a field value into a multivalue field. For example, index=main | makemv fieldname.
17. multikv: Used to extract multiple key-value pairs from a single event. For example, index=main | multikv.
18. lookup: Used to enrich data by matching fields with data from external lookup tables. For example, index=main | lookup ip_to_location ip.
19. append: Used to combine multiple search results into a single result set. For example, index=main sourcetype=access_* | append [ search index=main sourcetype=error_* ].