
Splunk Basic Tutorial

Objective
1. What is Splunk?
2. How does Splunk work?
3. Various modules in Splunk.
4. How to search Splunk data?
5. Dashboards.
What is Splunk?
In simple words, Splunk is Google for all your machine data and logs. It is basically a log analysis and monitoring tool.
- It is a powerful software engine that can be used to search, investigate, troubleshoot, monitor, visualize, alert, and report on everything that is happening in your entire IT infrastructure, from one location, in real time.
- You only have to enter the search keyword in the search bar and you are done. Splunk will search the logs of all machines, servers and network devices in your enterprise and present the available information as a result, just like Google.
- You don't need to log in to multiple servers and dig through all the logs for a particular event. Splunk will do it for you in a smarter way.
- For example, if you want to know a particular user's activity on all servers, you just need to enter the username in the search bar and hit enter. Splunk will collect and display all activities performed by that user on all machines in a few seconds.
- Splunk can show your data in different forms of dashboards, which is useful for application users and higher leadership.
Splunk Features
1. Log Analysis
2. Monitoring
3. Reporting
4. Alerting
5. Dashboard
Splunk Architecture
How does Splunk work?
Indexer stages:
Input (Data Input) -> Parsing (Event Parsing) -> Indexing (Writing to Disk/Index) -> Searching (Search Head)
Components of Splunk
Forwarders (Data Input)
- Collect the data from remote machines.
- Forward the data to the indexer in real time.
Indexer (Parsing and Indexing)
- Processes the incoming data in real time.
- Stores and indexes the data on disk.
Search Head (Searching)
- End users interact with Splunk using the search head.
- Allows users to do searching, analysis and visualization.
Splunk end-to-end pipeline
Forwarders (many) -> Indexers (one or more) -> Search Head
Different port numbers used by Splunk.
Service: Port number used
- Splunk Web Port: 8000
- Splunk Management Port: 8089
- Splunk Indexing Port: 9997
- Splunk Index Replication Port: 8080
- Splunk network port: 514 (used to get data in from a network port, i.e. UDP data)

How to set the port number: ./splunk set web-port 9000
How to check the port number: ./splunk show web-port
You can also check the port settings in the web.conf file at $SPLUNK_HOME/etc/system/local/web.conf
Basics of forwarder configuration
Before a forwarder can forward data, it must have a configuration. A configuration:
1. Tells the forwarder what data to send.
Configure a data input on the forwarder:
./splunk add monitor /var/log
2. Tells it where to send the data.
Configure the universal forwarder to connect to a receiving indexer:
./splunk add forward-server <host name or ip address>:<listening port>
Key configuration files are:
- inputs.conf controls how the forwarder collects data.
- outputs.conf controls how the forwarder sends data to an indexer or other forwarder.
- server.conf for connection and performance tuning.
- deploymentclient.conf for connecting to a deployment server.
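The two ./splunk add commands above write stanzas into inputs.conf and outputs.conf. The files below are an added example (not from the original tutorial) of what that configuration looks like, extended with index and sourcetype selection and with TLS verification of the indexer on port 9997; the hostname, index name and certificate paths are placeholders.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf  -- what data to send
# Stanza created by: ./splunk add monitor /var/log
[monitor:///var/log]
disabled = 0
# Placeholder index name; the index must already exist on the indexer.
index = main
sourcetype = syslog
# Only collect files ending in .log and skip rotated, compressed archives.
whitelist = \.log$
blacklist = \.gz$

# $SPLUNK_HOME/etc/system/local/outputs.conf  -- where to send it
# Stanza created by: ./splunk add forward-server indexer.example.internal:9997
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Placeholder hostname; 9997 is the Splunk indexing port listed above.
server = indexer.example.internal:9997
# Encrypt the forwarder-to-indexer link and verify the indexer's certificate,
# so forwarded logs cannot be read or redirected to a rogue receiver in transit.
# Certificate paths are placeholders.
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslVerifyServerCert = true
```

After editing these files, restart the forwarder and confirm with ./splunk list forward-server that the indexer shows as an active forward.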
How to search Splunk data?
The Splunk search head is the main GUI/front end for Splunk, commonly accessed via a browser. The search head is somewhat similar to Google: you enter keywords and click search to get the expected results.
Example query: index=_internal sourcetype=main userid=test
Dashboards & Visualizations
A dashboard is a collection of different visualizations of data on one page.
Q&A
