Uploaded by fndg87

SPLUNK OVERVIEW

(Module - 1)
What Is Splunk?
Splunk is a software platform to search, analyze and visualize the machine-generated data gathered from the websites, applications, sensors, devices, etc. that make up your IT infrastructure and business. Splunk can read this unstructured, semi-structured or (less often) structured data. After reading the data, it allows you to search, tag, and create reports and dashboards on it. It is also used to analyze big data.

Product Categories
Splunk is available in three different product categories, as follows:

Splunk Enterprise − Used by companies that have a large IT infrastructure and an IT-driven business. It helps in gathering and analysing data from websites, applications, devices, sensors, etc.

Splunk Cloud − The cloud-hosted platform with the same features as the Enterprise version. It can be obtained from Splunk itself or through the AWS cloud platform.

Splunk Light − Allows you to search, report and alert on all log data in real time from one place. It has limited functionality and features compared to the other two versions.
Splunk Features:
● Data Ingestion: Splunk can ingest a variety of data formats like JSON, XML and
unstructured machine data like web and application logs. The unstructured data can be
modeled into a data structure as needed by the user.
● Data Indexing: The ingested data is indexed by Splunk for faster searching and
querying on different conditions.
● Data Searching: Searching in Splunk involves using the indexed data for the
purpose of creating metrics, predicting future trends and identifying patterns in the data.
● Using Alerts: Splunk alerts can be used to trigger emails or RSS feeds when some
specific criteria are found in the data being analyzed.
● Dashboards: Splunk Dashboards can show the search results in the form of charts,
reports and pivots, etc.
Components of Splunk:
Indexer
Splunk indexers provide data processing and storage for local and remote data and host the primary Splunk data store.

Search head
A search head is a Splunk Enterprise instance that distributes searches to indexers (referred to as "search peers" in this context). Search heads can be either dedicated or not, depending on whether they also perform indexing. Dedicated search heads don't have any indexes of their own, other than the usual internal indexes. Instead, they consolidate and display results that originate from remote search peers.

Forwarder
Forwarders are Splunk instances that forward data to remote indexers for data processing and storage. In most cases, they do not index
data themselves.

Deployment server
A Splunk Enterprise instance can also serve as a deployment server. The deployment server is a tool for distributing configurations,
apps, and content updates to groups of Splunk Enterprise instances. You can use it to distribute updates to most types of Splunk
Install and Configure Splunk Enterprise on Ubuntu
Download the Splunk package after logging into the Splunk website, or use the document below as a reference for host specifications for all deployment types.

● wget -O splunk-9.1.2-b6b9c8185839-linux-2.6-amd64.deb "https://download.splunk.com/products/splunk/releases/9.1.2/linux/splunk-9.1.2-b6b9c8185839-linux-2.6-amd64.deb"

● sudo dpkg -i splunk-9.1.2-b6b9c8185839-linux-2.6-amd64.deb (installs under /opt/splunk)

● cd /opt/splunk/bin

● sudo ./splunk start --accept-license --answer-yes

● sudo ./splunk enable boot-start -user splunk

● sudo ./splunk set default-hostname <host_name>

Once the package is installed and Splunk has started, you can access the Splunk Web UI at http://<host_name_or_IP>:8000 (https:// once SSL is enabled for Splunk Web).

Enable indexer clustering on the manager node (replace the secret with your own shared secret, and restart Splunk afterwards for the mode change to take effect):
./splunk edit cluster-config -mode manager -replication_factor 4 -search_factor 3 -secret Hello_Okta@007 -cluster_label cluster1
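The install and clustering steps above are usually run by hand. The script below is an added example (not from the original slides or from Splunk) that wraps the cluster-config step with the checks an administrator wants before running it: the search factor must not exceed the replication factor, the replication factor must not exceed the number of peers that will join, and the shared secret is read from a file instead of being typed on the command line. SPLUNK_HOME (defaulting to /opt/splunk), the secret file, the peer count, the 16-character secret rule and the DRY_RUN switch are all assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not part of the original slides). Pre-flight checks before the
# "splunk edit cluster-config -mode manager" command. Assumptions: SPLUNK_HOME
# defaults to /opt/splunk, the shared secret lives in a file readable only by
# the splunk user, and the number of peers that will join is known in advance.

# Splunk's own constraints: 1 <= search_factor <= replication_factor, and the
# replication factor cannot exceed the number of peers, otherwise buckets can
# never reach the configured number of copies.
validate_cluster_factors() {
  rf=$1; sf=$2; peers=$3
  for v in "$rf" "$sf" "$peers"; do
    case "$v" in
      ''|*[!0-9]*) echo "factors and peer count must be positive integers" >&2; return 1 ;;
    esac
  done
  if [ "$rf" -lt 1 ] || [ "$sf" -lt 1 ]; then
    echo "replication_factor and search_factor must be >= 1" >&2; return 1
  fi
  if [ "$sf" -gt "$rf" ]; then
    echo "search_factor ($sf) must not exceed replication_factor ($rf)" >&2; return 1
  fi
  if [ "$rf" -gt "$peers" ]; then
    echo "replication_factor ($rf) exceeds the $peers peers that will join" >&2; return 1
  fi
  return 0
}

# Assumed local rule: the shared secret (pass4SymmKey) must be at least 16
# characters long and contain no whitespace.
check_secret() {
  s=$1
  [ "${#s}" -ge 16 ] || { echo "secret shorter than 16 characters" >&2; return 1; }
  case "$s" in *[[:space:]]*) echo "secret contains whitespace" >&2; return 1 ;; esac
  return 0
}

# Runs (or, with DRY_RUN=1, only prints) the cluster-config command. The secret
# is read from a file so it never lands in shell history; it is still visible in
# the splunk process argv for the duration of the call.
configure_manager() {
  rf=$1; sf=$2; peers=$3; label=$4; secret_file=$5
  validate_cluster_factors "$rf" "$sf" "$peers" || return 1
  secret=$(cat "$secret_file") || return 1
  check_secret "$secret" || return 1
  splunk="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "would run: $splunk edit cluster-config -mode manager -replication_factor $rf -search_factor $sf -secret <redacted> -cluster_label $label"
    return 0
  fi
  "$splunk" edit cluster-config -mode manager -replication_factor "$rf" \
    -search_factor "$sf" -secret "$secret" -cluster_label "$label" \
  && "$splunk" restart   # the mode change only takes effect after a restart
}

# Constructed sample run in dry-run mode (the secret below is made up).
tmp=$(mktemp)
printf '%s' 'constructed-example-secret-Xk9vQ2' > "$tmp"
chmod 600 "$tmp"
configure_manager 4 3 4 cluster1 "$tmp" || echo "pre-flight failed"
configure_manager 4 3 3 cluster1 "$tmp" || echo "pre-flight failed as expected (4 copies, 3 peers)"
rm -f "$tmp"
```

Run it with DRY_RUN=0 only on the manager node once the peer count is final. If keeping the secret out of the process list matters, set pass4SymmKey in the [clustering] stanza of server.conf instead of passing -secret on the command line.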
Splunk Enterprise default ports:

Port         Type                          Description
9997         Convention                    Splunk-to-Splunk (e.g., forwarding data)
8000         Default                       Splunk Web (HTTP by default)
8089         Default                       API access to servers
8089         Default                       Non-forwarding Splunk-to-Splunk communication
9100 / 8080  Convention                    Index cluster replication (different sources list different recommendations)
9200 / 9777  Convention                    Search head cluster replication (different sources list different recommendations)
8191         Default                       KV store, internal and replication
8088         Default                       HTTP Event Collector
514          Convention, not recommended   Syslog, TCP or UDP (the recommendation is to send syslog to a syslog collector such as syslog-ng or rsyslog instead of to Splunk)
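A practical use of the port table is to compare it with what a Splunk host is actually listening on, so an unexpected listener or a host taking raw syslog on 514 stands out. The script below is an added example (not from the original slides or from Splunk): it classifies ports against the table and audits "ss -tln"-style output. The sample socket listing is constructed for the example; on a real host you would pipe the output of ss -tln into audit_listeners.

```shell
#!/usr/bin/env bash
# Added example (not part of the original slides). Classifies listening TCP
# ports against the default/conventional Splunk ports from the table above.

# Map a port number to the table entry it corresponds to.
classify_port() {
  case "$1" in
    9997)       echo "Splunk-to-Splunk forwarding (convention)" ;;
    8000)       echo "Splunk Web (default; HTTP unless SSL is enabled)" ;;
    8089)       echo "splunkd API / non-forwarding Splunk-to-Splunk (default)" ;;
    9100|8080)  echo "index cluster replication (convention)" ;;
    9200|9777)  echo "search head cluster replication (convention)" ;;
    8191)       echo "KV store, internal and replication (default)" ;;
    8088)       echo "HTTP Event Collector (default)" ;;
    514)        echo "syslog on Splunk (NOT recommended: use a syslog-ng/rsyslog collector)" ;;
    *)          echo "unknown" ;;
  esac
}

# Reads "ss -tln"-style lines on stdin (State Recv-Q Send-Q Local:Port Peer:Port),
# prints "port<TAB>classification" for each listening socket, and returns 1 if
# any port is unknown or not recommended, so it can gate a deployment check.
audit_listeners() {
  rc=0
  while read -r state recvq sendq laddr peer rest; do
    [ "$state" = "LISTEN" ] || continue      # skips the ss header line too
    port=${laddr##*:}                        # works for 0.0.0.0:8000 and [::]:22
    desc=$(classify_port "$port")
    printf '%s\t%s\n' "$port" "$desc"
    case "$desc" in unknown*|*"NOT recommended"*) rc=1 ;; esac
  done
  return $rc
}

# Constructed sample listing: a typical indexer plus a syslog listener and sshd.
SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8089 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9997 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8191 0.0.0.0:*
LISTEN 0 128 0.0.0.0:514 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

if printf '%s\n' "$SAMPLE" | audit_listeners; then
  echo "only expected Splunk ports are listening"
else
  echo "review the flagged ports above"
fi
```

Port 22 shows up as unknown because sshd is outside the table; extend classify_port with the host's other legitimate services before using the exit status as a gate.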
Create Users in Splunk:
You can create a user at any time and assign several attributes to that user. The same procedure is used when you clone a user; the cloned user must have a username different from every existing user.

● From the system bar, select Settings > Users.
● Select New User.
● In the Name field, provide a username. This is what the user provides at the login page.
● In the Full Name field, provide the first and last name of the user.
● In the Email Address field, provide the user's email address.
● In the Set password field, create a password.
● Confirm the new password in the Confirm Password field.
● Confirm that the password you created meets the password requirements displayed near the "Confirm password" field.
● (Optional) Select the user's time zone in the Time Zone field.
● In the Default App field, select the app that the user will land in by default when they log into the Splunk platform instance. The default is "Home"; "Search" is a common default app as well.
● In Assign to Roles, select any roles that you want the user to hold.
● Select Create a role for user if you want the user's new assignments to be created as a role assigned specifically to this user.
● Check Require password change on first login to force the user to change their password when they first log into the Splunk platform instance.
● Select Save. The Splunk platform creates the user and returns you to the "Users" page.
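The same user can be created without the web UI through the splunkd management port (8089 in the table above), which is how user provisioning is usually scripted. The script below is an added example (not from the original slides or from Splunk). It sends the fields from the steps above (name, full name, email, roles, default app, forced password change) to the /services/authentication/users REST endpoint. The admin credentials in SPLUNK_ADMIN_USER/SPLUNK_ADMIN_PASS, the new password in NEW_USER_PASS, the SPLUNKD_URL default, the DRY_RUN switch and the "8 characters with a letter and a digit" password rule are assumptions of this example; check the rule against the requirements your instance displays.

```shell
#!/usr/bin/env bash
# Added example (not part of the original slides). Creates a Splunk user via the
# splunkd REST API instead of the Settings > Users page. Passwords are taken from
# environment variables, never from script arguments, so they stay out of argv.

SPLUNKD_URL=${SPLUNKD_URL:-https://localhost:8089}

# Assumed local password policy: at least 8 characters, with a letter and a digit.
check_password() {
  pw=$1
  [ "${#pw}" -ge 8 ] || { echo "password shorter than 8 characters" >&2; return 1; }
  case "$pw" in *[[:alpha:]]*) ;; *) echo "password needs a letter" >&2; return 1 ;; esac
  case "$pw" in *[[:digit:]]*) ;; *) echo "password needs a digit" >&2; return 1 ;; esac
  return 0
}

# create_user <name> <full name> <email> <role>
# Mirrors the UI steps: Name, Full Name, Email Address, Assign to Roles,
# Default App, and Require password change on first login.
create_user() {
  name=$1; realname=$2; email=$3; role=$4
  check_password "${NEW_USER_PASS:-}" || return 1
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "would POST $SPLUNKD_URL/services/authentication/users name=$name roles=$role force-change-pass=1"
    return 0
  fi
  # For the default self-signed certificate, add --cacert <path to your CA>
  # rather than disabling verification with -k.
  curl -sS --fail \
    -u "${SPLUNK_ADMIN_USER:?}:${SPLUNK_ADMIN_PASS:?}" \
    "$SPLUNKD_URL/services/authentication/users" \
    --data-urlencode "name=$name" \
    --data-urlencode "realname=$realname" \
    --data-urlencode "email=$email" \
    --data-urlencode "roles=$role" \
    --data-urlencode "defaultApp=search" \
    --data-urlencode "force-change-pass=1" \
    --data-urlencode "password=$NEW_USER_PASS"
}

# Constructed sample run in dry-run mode (the password is made up).
NEW_USER_PASS='Constructed-Example-Pw1' create_user alice "Alice Example" alice@example.com user \
  || echo "user creation skipped"
NEW_USER_PASS='short' create_user bob "Bob Example" bob@example.com user \
  || echo "rejected as expected by the password check"
```

Repeat the roles parameter once per role when a user needs more than one. Run with DRY_RUN=0 only after the admin credentials are in place; the forced password change means the initial password only has to survive until the user's first login.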
