Splunk 7.x Quick Start Guide

Book description

Learn how to architect, implement, and administer a complex Splunk Enterprise environment and extract valuable insights from business data.

Key Features

  • Understand the various components of Splunk and how they work together to provide a powerful Big Data analytics solution
  • Collect and index data from a wide variety of common machine data sources
  • Design searches, reports, and dashboard visualizations to provide business data insights

Book Description

Splunk is a leading platform for collecting, searching, and extracting value from ever-increasing volumes of machine data. This book covers the crucial Splunk topics and gives you the information and examples needed to get the immediate job done, with enough depth to support further research and to apply Splunk to any business environment or situation.

Splunk 7.x Quick Start Guide gives you a thorough understanding of how Splunk works. You will learn about all the critical tasks for architecting, implementing, administering, and using Splunk Enterprise to collect, store, retrieve, format, analyze, and visualize machine data. You will find step-by-step examples based on real-world experience and practical use cases that apply to all Splunk environments. The book balances adequate coverage of all the critical topics with short but relevant deep-dives into the configuration options and the steps needed to carry out the day-to-day tasks that matter.

By the end of the book, you will be a confident and proficient Splunk architect and administrator.

What you will learn

  • Design and implement a complex Splunk Enterprise solution
  • Configure your Splunk environment to get machine data in and indexed
  • Build searches to get and format data for analysis and visualization
  • Build reports, dashboards, and alerts to deliver critical insights
  • Create knowledge objects to enhance the value of your data
  • Install Splunk apps to provide focused views into key technologies
  • Monitor, troubleshoot, and manage your Splunk environment

Who this book is for

This book is intended for experienced IT personnel who are just getting started working with Splunk and want to quickly become proficient with its usage. Data analysts who need to leverage Splunk to extract critical business insights from application logs and other machine data sources will also benefit from this book.

Table of contents

  1. Title Page
  2. Copyright and credits
    1. Splunk 7.x Quick Start Guide
  3. Dedication
  4. About Packt
    1. Why subscribe?
    2. Packt.com
  5. Contributors
    1. About the author
    2. About the reviewer
    3. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the example code files
      2. Download the color images
      3. Conventions used
    4. Get in touch
      1. Reviews
  7. Introduction to Splunk
    1. What is Splunk?
      1. Splunk products
      2. The history of Splunk
    2. Installing Splunk for free
    3. Splunk components
    4. Splunk processing tiers
    5. Splunk events
    6. Splunk information resources
    7. Summary
  8. Architecting Splunk
    1. Selecting a Splunk configuration
      1. Data collection – data inputs
      2. Data collection – concurrent searches
      3. Distributed versus clustered Splunk environments
      4. Replication and search factor
        1. Replication factor
        2. Search factor
      5. Hot/warm and cold buckets
      6. Search head clusters
      7. Making a design decision
    2. Selecting Splunk hardware options
      1. Performance considerations
      2. Making a hardware selection
      3. Disk-sizing calculations
    3. Summary
  9. Installing and Configuring Splunk
    1. Installing Splunk Enterprise
      1. Installing Splunk on Linux
        1. Linux settings
          1. User–group – environment settings
          2. ulimits
          3. Transparent huge pages
        2. Starting Splunk
          1. Starting on reboot
          2. Stopping Splunk
      2. Installing Splunk on Windows server
        1. Disabling antivirus software
        2. Installing Splunk with a short pathname
        3. Installing Splunk via the GUI
          1. Stopping and starting Splunk on Windows
      3. Synchronization of system clocks
    2. Configuring Splunk components
      1. Splunk directory structure
      2. Configuration file precedence
      3. Splunk installation checklist
        1. Component and IP address list
        2. Installation steps
      4. Individual component configurations
        1. License master and cluster master
          1. Forwarding Splunk's internal logs to the indexers
          2. Pointing servers to the license master
        2. Indexing cluster
          1. Configuring a TCP input
        3. Deployer
        4. Search heads
          1. Designating and starting a search head captain
          2. Checking search head cluster status
        5. Deployment server
      5. Multisite environments
        1. Cluster master
        2. Indexers
        3. Search heads
      6. Cross-environment search
    3. Documenting your Splunk deployment
    4. Summary
  10. Getting Data into Splunk
    1. Installing Splunk universal forwarder
      1. Installation steps
      2. Starting/stopping the universal forwarder
      3. Configuring outputs.conf
      4. Configuring inputs.conf
    2. Setting up a heavy forwarder
    3. Configuring other data source inputs
    4. Configuring an HTTP Event Collector
      1. Testing the HTTP Event Collector
    5. Introduction to apps
    6. Using the deployment server
      1. Configuring a deployment client
      2. Configuring the deployment server
        1. Creating deployment apps
        2. Creating a serverclass.conf file
      3. Using forwarder management in Splunk web
    7. Managing Splunk Indexes
      1. Creating an index
      2. Deleting index data
      3. Summary indexes
      4. Metrics indexes
    8. Splunk sourcetypes
      1. Creating custom source types
    9. Using the cluster master
      1. Distributing the configuration bundle
    10. Summary
  11. Administering Splunk Apps and Users
    1. Using the deployer
      1. Deploying new or updated apps
    2. Configuring users and roles
      1. Splunk authentication
      2. LDAP authentication
      3. SAML authentication
      4. Managing Splunk roles
        1. Search restrictions
        2. Capabilities
        3. Indexes
        4. authorize.conf
        5. Working with authentication.conf and authorize.conf
    3. Best practices for administering Splunk
      1. Index naming conventions
      2. Source type naming conventions
      3. Location of indexes.conf, props.conf, and transforms.conf
    4. Supporting your Splunk Deployment
      1. Splunk support personnel
      2. Funding Your Splunk deployment
      3. Splunk resource cost calculations
    5. Summary
  12. Searching with Splunk
    1. The Splunk Web interface
      1. Search controls
      2. Timeline and events
    2. Creating Splunk searches
      1. Basic search commands
        1. Index
        2. Time-range selection
      2. Search filters
      3. Search commands
        1. Eval
        2. Stats
        3. Dedup
        4. Rex
        5. Where
      4. Formatting commands
        1. Rename
        2. Sort/reverse
        3. Head/tail
        4. Top/rare
    3. Visualizing search results
      1. Table/fields
      2. Chart/timechart
        1. Chart
        2. Timechart
      3. Visualizations in Splunk web
    4. Advanced search commands
      1. Subsearches
      2. Join
      3. Transaction
      4. Streaming versus transforming commands
      5. Optimizing searches
        1. Optimizing search jobs
        2. Job inspector
    5. Summary
  13. Splunk Knowledge Objects
    1. Field extractions
      1. Index-time field extractions
      2. Search-time field extractions
      3. Using the extract fields interface
    2. Other knowledge objects
      1. Event types – tags – aliases
        1. Event type
        2. Tags
        3. Field aliases
      2. Lookups
      3. Macros
      4. Datasets and data models
        1. Datasets
        2. Data models
          1. Using data models in search
          2. Data model acceleration
      5. Pivot tables
    3. Summary
  14. Splunk Reports, Dashboards, and Alerts
    1. Introduction
    2. Creating reports
      1. Scheduling a report
    3. Creating a dashboard
      1. Adding a new panel with inline search
      2. Editing panel characteristics
      3. Using dashboard forms
        1. Using tokens
      4. Working with Simple XML
      5. Improving dashboard performance
      6. Using JavaScript and CSS within a dashboard
        1. Event-handlers
    4. Creating an alert
    5. Summary
  15. Splunk Applications
    1. Splunk apps and add-ons
    2. Creating a Splunk app
      1. App context and permissions
    3. Using Splunkbase
      1. Splunk app and add-on for Unix and Linux
      2. Machine learning toolkit
    4. Splunk DB Connect
      1. Requirements and installation
        1. Hardware requirements
        2. Java runtime
        3. Installing DB connect
        4. Database JDBC drivers
      2. Configuring DB Connect
        1. Configuring task server
        2. Database drivers
      3. Configuring database input
        1. Identities and roles
        2. Connections
        3. Input
        4. Output
        5. Lookups
      4. Troubleshooting DB Connect
        1. HEC port conflicts
    5. Splunk Premium apps
      1. IT service intelligence
      2. Enterprise security and UBA
    6. Summary
  16. Advanced Splunk
    1. Troubleshooting Splunk
      1. Splunk logs
      2. btool
      3. diag
      4. Opening a Splunk support case
        1. Locked license issue
    2. Performance and capacity
    3. REST API endpoints
    4. Splunk Monitoring Console
      1. Configuring the monitoring console
      2. Using the Monitoring Console
      3. Data rebalancing
        1. Indexer clustering and bucket status
      4. Upgrading Splunk Enterprise
    5. Splunk development
      1. Software Development Kits
        1. Using the Python SDK
      2. The REST API
    6. Additional study topics
    7. Summary
  17. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Splunk 7.x Quick Start Guide
  • Author(s): James H. Baxter
  • Release date: November 2018
  • Publisher(s): Packt Publishing
  • ISBN: 9781789531091