Ver. 1.0
Class Goals
Describe Splunk installation and server operations
Configure data inputs
Describe default processing and understand how to modify data inputs
Manage Splunk datastores
Add users, configure groups, and understand authentication
Describe alert configurations
Configure forwarding/receiving and clustering
Use Splunk's Deployment Server
Manage jobs and knowledge objects
Find out where to get help
Operational Intelligence
Course Outline
1. Installing Splunk
2. Configuring Data Inputs
3. Modifying Data Inputs
4. Config File Precedence
5. Splunk's Data Stores
6. Users, Groups, and Authentication
7. Forwarding and Receiving
8. Distributed Environments
9. Licensing
10. Security
11. Jobs, Knowledge Objects, and Alerts
12. Troubleshooting
Section 1:
Installing Splunk
Section objectives
List Splunk's hardware/software requirements
Describe how to install Splunk
Perform server basics: starting, stopping, and restarting Splunk
Describe the Splunk license model
List the basic tools to configure Splunk: Manager, CLI, and editing config files
Describe apps
Upgrade to 4.2
List what's new in Splunk 4.2 for administrators
OS requirements
Splunk works on Windows, Linux, Solaris, FreeBSD, Mac OS X, AIX, and HP-UX
Check current documentation for specifics for each OS
Hardware Requirements
[Table: recommended and minimum configurations by platform (non-Windows OS and Windows). Minimum configuration: Pentium 4 or equivalent at 2GHz, 2GB RAM.]
Supported browsers
Firefox 2.x, 3.0.x, 3.5.x (3.5.x only supported on 4.0.6 and later)
Internet Explorer 6, 7, & 8
Safari 3
Chrome 9
All browsers need Flash 9 to render reports and display the Flash timeline
Install it!
For zipped tarballs, simply unpack the contents into the directory where you want to install Splunk
For Windows, just double-click the MSI file
See the docs for OS-specific packages and Windows command line install instructions
The Splunk install directory is referred to as $SPLUNK_HOME in both the docs and courseware
- UNIX default is /opt/splunk
- Windows default is C:\Program Files\splunk
Splunk subdirectories
Executables are located in $SPLUNK_HOME/bin
License and other important files are in $SPLUNK_HOME/etc
Indexes by default are in $SPLUNK_HOME/var/lib/splunk
Same directories in Windows, just different slashes
[Diagram: $SPLUNK_HOME directory tree]
- bin: executables
- etc: licenses and configs, in the subdirectories system, apps (search, launcher, <custom app>), and users
- var/lib/splunk: indexes
The first time you start Splunk, avoid the prompt to accept the
license by using the command line flag --accept-license
# pwd
/opt/splunk/bin
# ./splunk start --accept-license
# ./splunk start
# ./splunk stop
Restarting Splunk
# ./splunk restart
Is Splunk running?
# ./splunk status
or
# ps -ef | grep splunk
Scripted inputs
Cold to frozen scripts
Apps
Apps are configurations of a Splunk environment designed to meet a specific
business need
- Manage a specific technology
- Manage a specific OS
- Manage compliance
PCI
Enterprise Security Suite
splunkbase
Choose from hundreds
of apps on
splunkbase.splunk.com
- Apps developed by Splunk
[Diagram: CLI syntax — command, object, authentication (inline); see the CLI syntax page in the docs]
More Resources
Look on Splunkbase for additional Apps to help you manage your
Splunk servers
http://www.splunkbase.com/apps/All/4.x
Lab 1
Section 2:
Configuring Data Inputs
Section objectives
Set up data inputs
List Splunk's data input types and explain how they differ
Set input properties such as host, ports, index, source type,
etc.
Splunk Web
- You can configure most inputs using the Splunk Web data input pages
CLI
- You can use the CLI (command line interface) to configure most types of inputs
inputs.conf
- When you use Splunk Web or CLI, configurations are saved to inputs.conf
- You can edit that file directly to handle advanced data requirements
Types of inputs
- Files and directories: monitor physical files on disk
- Network inputs: monitor network data feeds on specific ports
- Scripted inputs: import from non-traditional sources, such as APIs and databases
- Windows inputs: Windows-specific inputs such as Windows event logs, performance monitoring, AD monitoring, and local registry monitoring
- File system change monitoring: monitor the state (permissions, read-only, last changed, etc.) of key config or security files
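Each of these input types corresponds to a stanza type in inputs.conf. A minimal sketch, assuming hypothetical paths, ports, and script names:

```ini
# Monitor a file or directory on disk
[monitor:///var/log/messages]
sourcetype = syslog

# Listen for a network data feed on UDP port 514
[udp://514]
sourcetype = syslog

# Run a script periodically and index its output (script path is hypothetical)
[script://$SPLUNK_HOME/etc/apps/myapp/bin/poll_api.sh]
interval = 300

# Windows event log input (Windows instances only)
[WinEventLog:Security]
disabled = 0

# Watch key files for changes
[fschange:/etc/sysconfig]
pollPeriod = 60
```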
You can also configure inputs through an app's setup process
Which copy of inputs.conf is written to is determined by app context
Using the -uri flag you can send remote CLI commands from a local Splunk instance to a remote instance without shell access. See the docs for details:
http://www.splunk.com/base/Documentation/latest/Admin/AccessandusetheCLIonaremoteserver
[default]
host = mysplunkserver.mycompany.com

[monitor:///opt/secure]
disabled = false
followTail = 0
host_segment = 3
index = default
sourcetype = linux_secure

[monitor:///opt/tradelog]
disabled = false
sourcetype = trade_entries

- Shell/console access to the Splunk server is required
- Changes made this way require a restart
inputs.conf (cont.)
Input path specifications in inputs.conf (monitor stanzas) use Splunk-defined wildcards (also used by props.conf, discussed in the next section); these are not REGEX-compliant expressions

Wildcard: ...   Regex equivalent: .*
Example: /var/log/.../apache.log matches the files /var/log/www1/apache.log, /var/log/www2/apache.log, etc.

Wildcard: *   Regex equivalent: [^/]*
Example: /logs/*.log matches all files with the .log extension, such as /logs/apache.log. It does not match /logs/apache.txt.
inputs.conf (cont.)
So:
- ... matches any character(s), recursively
- * matches anything 0 or more times, except the /
- . is NOT a wildcard and simply matches the . literally
Syntax details:
$SPLUNK_HOME/etc/system/README/inputs.conf.spec
http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf
http://www.splunk.com/base/Documentation/latest/Admin/Specifyinputpathswithwildcard
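The wildcard-to-regex mapping above can be prototyped outside Splunk with grep. A rough sketch, using hypothetical paths:

```shell
# Splunk's "..." behaves like the regex .* ; "*" behaves like [^/]* (one path segment)
paths='/var/log/www1/apache.log
/var/log/www1/extra/apache.log
/logs/apache.log
/logs/apache.txt
/logs/sub/apache.log'

# /var/log/.../apache.log  ->  ^/var/log/.*apache\.log$  (recurses into subdirectories)
recursive=$(echo "$paths" | grep -cE '^/var/log/.*apache\.log$')

# /logs/*.log  ->  ^/logs/[^/]*\.log$  (never crosses a "/")
single=$(echo "$paths" | grep -cE '^/logs/[^/]*\.log$')

echo "$recursive $single"   # 2 1
```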
Sourcetype
- Most default processing for standard data types is based on sourcetype. Whenever possible use automatic sourcetyping, select from Splunk's list, or use the recipes
Host
- Opt for specific hostnames/FQDNs as much as possible, since the host field is a key search tool
How
- Unzips compressed files automatically before indexing them
- Eats new data as it arrives
- Automatically detects and handles log rotation
- Remembers where it was in a file and picks up from that spot after restart
[Screenshot: the data inputs page, where you add a new input or edit an existing input]
/var/log/www1.log will extract www1; /var/log/www_db1.log will extract www_db1
Manual
- Enter a name for a specific sourcetype
From list
- Choose the sourcetype from Splunk's list
Scripted inputs
Splunk can run scripts periodically that generate input
- Scripts need to be shell (.sh) on *nix or batch (.bat) on Windows
- Or Python on any platform
- Can use any scripting language the OS will run if wrapped in a shell or batch wrapper
The interval is the time period between script executions
Interval is in seconds, though you can also specify a schedule using CRON syntax
Setting up fsmonitor
Set up a stanza in inputs.conf:
[fschange:/etc/]
pollPeriod = 60
host = splunkserver.company.com
- Default sourcetype is fs_notification
- pollPeriod is the interval in seconds at which Splunk checks the files for changes
Windows inputs
Windows inputs must be set up on a Windows Splunk instance
UNIX indexers CAN and will index and search Windows inputs
Set up a Universal Forwarder or Light Forwarder to get
Windows inputs to a UNIX indexer
Section 3: Modifying
Data Inputs
Section objectives
Describe how data moves from input to index
Understand the default processing that occurs during indexing
List the config files that govern data processing
Learn how to override default data processing
Learn how to discard unwanted events
Learn how to mask sensitive data
Learn how to extract fields
[Diagram: monitor inputs, Windows inputs, and scripted inputs feeding data from disk into Splunk]
Indexing phases
- Input Phase: raw data from all forms of input is collected
- Parsing Phase: raw data is broken down into events, followed by event-by-event processing
- Indexing Phase: the index is generated and data is written to disk (the license meter is applied before this phase)
Processing is governed by props.conf; for Windows inputs, also wmi.conf and regmon-filters.conf
See: www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F for details
props.conf
props.conf is a config file that plays a role in all aspects of Splunk data processing
Governs most aspects of data processing; can also invoke settings in other config files
Uses a stanza format similar to inputs.conf and other Splunk config files
See $SPLUNK_HOME/etc/system/README/props.conf.spec and props.conf.example for syntax and examples
props.conf specifications
props.conf stanzas use specifications to map configurations to data streams
The specification can be either host, source, or sourcetype:
- [host::<hostname>] with attribute = value, e.g. [host::www1] / TZ = US/Pacific
- [source::<source>] with attribute = value, e.g. [source::/var/log/trade.log] / sourcetype = trade_entries
- [<sourcetype>] with attribute = value, e.g. [syslog] / TRANSFORMS-host = per_event_host
[source::...\\web\\iis*]
sourcetype = iis_access

CHARSET can be set at this time. The default is automatic; use this setting to override if auto-detection is not working correctly. See the docs for the list of character sets:

[source::.../seoul/*]
CHARSET = EUC-KR

[source::h:\\web\\\\*]
CHARSET = Georgian-Academy

www.splunk.com/base/Documentation/base/Data/Configurecharactersetencoding
Parsing phase (event-by-event processing):
- Data is broken into individual events
- Override auto-sourcetyping, auto date/timestamping, auto-linebreaking, and time zone
- Per-event REGEX-based sourcetype, host, or index settings; custom line breaking and date/timestamping
- Custom REGEX/SEDCMD rewrites; per-event routing to other indexers, 3rd party systems, or the null queue
It's automatic . . .
The success rate of automatic processing will vary. For standard data types such as syslog, web logs, etc., Splunk does a great job. For custom or esoteric logs you'll need to test, though even then the odds are good it will get it right.
- Correct date/timestamping and linebreaking are key to subsequent processing
www.splunk.com/base/Documentation/base/Data/Overviewofeventprocessing
Line breaking
If automatic event boundary detection is not working correctly
- Bad event breaking is usually easy to detect in indexed test data, but be careful
2 methods
- SHOULD_LINEMERGE = false (most efficient)
  Using this method Splunk cuts the data stream directly into finished events using either the newline \n or carriage return \r characters (default) or a REGEX you specify with LINE_BREAKER
- SHOULD_LINEMERGE = true
  Splunk uses a configurable two-step process to split your data into individual events
SHOULD_LINEMERGE = false
Already set for many standard types of data, including syslog (including snare), Windows inputs, and web data
- See $SPLUNK_HOME/etc/system/default/props.conf or apps/<app_name>/default/props.conf for details
Should be set for custom data with one-event-per-line formats
- breaking on \n or \r characters
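A sketch of such a stanza for single-line custom data; the sourcetype name is hypothetical:

```ini
[my_oneline_log]
SHOULD_LINEMERGE = false
# Optional: break on a custom REGEX instead of the default \n or \r
# LINE_BREAKER = ([\r\n]+)
```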
SHOULD_LINEMERGE = true
The default if not specified
Splunk merges multiple lines of data into single events based on the rule: a new line with a date at the start, or 256 total lines, marks an event boundary
- BREAK_ONLY_BEFORE_DATE = true (the default)
- MAX_EVENTS = 256 (default)
Certain predefined data types like log4j and other application server logs use BREAK_ONLY_BEFORE = <REGEX pattern>, which, when matching the start of a new line, marks the start of a new event
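A sketch of a props.conf stanza for a multiline application log; the sourcetype name and pattern are hypothetical:

```ini
[my_app_server_log]
SHOULD_LINEMERGE = true
# Start a new event only at lines beginning with a log4j-style level tag
BREAK_ONLY_BEFORE = ^\[(DEBUG|INFO|WARN|ERROR)\]
MAX_EVENTS = 512
```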
- See also $SPLUNK_HOME/etc/system/README/props.conf.spec or www.splunk.com/base/Documentation/latest/Admin/Propsconf for details
Date/timestamp extraction
Like event boundaries, correct date/timestamp extraction is key to Splunking your data
Verify timestamping when setting up new data types
- Pay close attention to time stamping during testing/staging of custom or non-standard data
See http://www.splunk.com/base/Documentation/latest/Data/ConfigureTimestampRecognition for details
Events may contain data that looks like a timestamp but isn't, which confuses the processor:

1989/12/31 16:00:00 Wed May 23 15:40:21 2011 ERROR UserManagerException thrown

TIME_PREFIX tells Splunk to start looking for the date/timestamp only after the matched pattern:

[my_custom_source_or_sourcetype]
TIME_PREFIX = \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \w+\s
Time zones
Splunk follows these default rules when it attaches a time zone to a time stamp:
1. It looks in the raw event data for a time zone indicator such as GMT+8 or PST and uses that
2. It looks in props.conf to see if a TZ attribute has been given for this data stream, based on standard settings referenced here: en.wikipedia.org/wiki/List_of_zoneinfo_timezones
3. If all else fails it will apply the time zone of the indexer

[host::nyc*]
TZ = America/New_York

[source::/mnt/cn_east/*]
TZ = Asia/Shanghai
transforms.conf
Config file whose stanzas are invoked by props.conf
- The all-caps TRANSFORMS-<class> = <transforms.conf_stanza> syntax is used to invoke them

props.conf:
[syslog]
TRANSFORMS = syslog-host

transforms.conf:
[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1
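As a rough stand-alone illustration of what such a host-extraction REGEX does, here is a simplified sed version that pulls a host field out of a syslog-style line. The pattern is a simplification, not Splunk's actual REGEX, and the sample line is hypothetical:

```shell
# Extract the 4th field (the host) from a classic syslog line
line='May 23 15:40:21 webhost01 sshd[1234]: Accepted password for bob'
host=$(echo "$line" | sed -E 's/^[A-Za-z]+ +[0-9]+ [0-9:]+ +([^ ]+).*/\1/')
echo "$host"   # webhost01
```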
transforms.conf (cont.)
Transforms uses standard settings to indicate what its REGEX will match and what it will rewrite based on the match
The source and destination of these transformations are referred to as keys
- SOURCE_KEY tells Splunk where to apply the REGEX (optional)
- DEST_KEY tells Splunk where to write the data modified by the REGEX and FORMAT
Keys in action
From the default syslog host extraction
[syslog-host]
DEST_KEY = MetaData:Host
REGEX = :\d\d\s+(?:\d+\s+|(?:user|daemon|
local.?)\.\w+\s+)*\[?(\w[\w\.\-]{2,})\]?\s
FORMAT = host::$1
The REGEX pattern here is looking for a host name embedded in syslog data. Only one capture group is referenced here: the 2nd set of parentheses (the 1st set is non-capturing). In this circumstance we would expect the host name to appear within the 2nd set of parentheses.
FORMAT specifies what is written out to the DEST_KEY. Here host::$1 means host = 1st REGEX capture group.
We are updating the host field, so our DEST_KEY is MetaData:Host; for sourcetype it would be MetaData:Sourcetype; for index it would be _MetaData:Index (case, and for index the underscore, counts!). See transforms.conf.spec for details.
Source-based sourcetyping using just props.conf is less resource-intensive.
In props.conf:
[source::udp:514]
TRANSFORMS-1srct = custom_sourcetyper
In transforms.conf:
[custom_sourcetyper]
DEST_KEY = MetaData:Sourcetype
REGEX = .*Custom$
FORMAT = sourcetype::custom_log
- The value after TRANSFORMS- gives this transformation a name space; this comes into play for multiple transformations and provides precedence if needed
- Any event from this source where the last word of the line is "Custom" will get the sourcetype custom_log
In props.conf:
[routed_sourcetype]
TRANSFORMS-1indx = custom_sourcetype_index
In transforms.conf:
[custom_sourcetype_index]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = custom_index
- Note the use of _MetaData:Index
- We're using a wide-open REGEX since we want everything classified as this sourcetype routed to a different index; more granular routing would have a more complex REGEX
- For index routing, the FORMAT simply takes the name of the index you are routing to
props.conf:
[WinEventLog:System]
TRANSFORMS-1trash = null_queue_filter
transforms.conf:
[null_queue_filter]
DEST_KEY = queue
REGEX = (?m)^EventCode=(592|593)
FORMAT = nullQueue
- Since Windows event logs are multiline events we need the REGEX multiline indicator (?m); this applies to any multiline event and REGEX, not just the null queue
- Here our DEST_KEY is queue since we're routing these events outside the data flow
- FORMAT indicating nullQueue means we are throwing away events that match this pattern
Other routing
Beyond routing to the nullQueue, you can also route data to:
- other Splunk indexers
- 3rd party systems
transforms.conf:
[cc_num_anon]
DEST_KEY = _raw
REGEX = (.*CC_Num:\s)\d{12}(\d{4}.*)
FORMAT = $1xxxxxxxxxxxx$2
- DEST_KEY = _raw indicates we are modifying the actual log data
- $1 preserves all the data prior to the first 12 digits of the credit card number; $2 grabs everything after and including the last 4 digits. We need both since we are rewriting the raw data feed
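The REGEX/FORMAT rewrite above behaves like a sed capture-group substitution. A rough stand-alone sketch of the same masking logic using sed; the sample log line is hypothetical:

```shell
# Mask the first 12 digits of a 16-digit card number following "CC_Num: "
line='user=bob CC_Num: 4111111111111111 status=ok'
masked=$(echo "$line" | sed -E 's/(.*CC_Num: )[0-9]{12}([0-9]{4}.*)/\1xxxxxxxxxxxx\2/')
echo "$masked"   # user=bob CC_Num: xxxxxxxxxxxx1111 status=ok
```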
SEDCMD supports two forms:
SEDCMD-<name> = s/<REGEX>/<replacement>/flags
- flags are either g to replace all matches, or a number to replace just that number of matches
SEDCMD-<name> = y/<string1>/<string2>/
SEDCMD cont
An example SEDCMD REGEX-based replacement to overwrite the first 5 digits of an account number anytime it appears in the accounts.log source:

[source::.../accounts.log]
SEDCMD-1accn = s/id_num=\d{5}(\d{5})/id_num=xxxxx\1/g

- \1 here works like a $1 back-reference in a transforms.conf REGEX
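Because SEDCMD uses sed substitution syntax, you can prototype the expression with sed itself before adding it to props.conf. Note that sed -E uses [0-9] where Splunk accepts \d; the sample line is hypothetical:

```shell
# Redact the first 5 digits of a 10-digit account id
line='login id_num=1234567890 ok'
redacted=$(echo "$line" | sed -E 's/id_num=[0-9]{5}([0-9]{5})/id_num=xxxxx\1/g')
echo "$redacted"   # login id_num=xxxxx67890 ok
```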
$SPLUNK_HOME/etc/system/local/props.conf:
[syslog]
TRANSFORMS =
overwrites $SPLUNK_HOME/etc/apps/<app_name>/local:
[syslog]
TRANSFORMS = syslog-host
Indexing phase: the keyword index is created, _raw is compressed, and both are written to disk
Persisted to disk
Once data reaches the hard disk, all modifications and extractions are written to disk along with _raw
- source, sourcetype, host, timestamp, and punct
Remember, apps/add-ons are bundles of search-time lookups, field extractions, tags, etc., NOT just views and dashboards
props.conf EXTRACT
A single stanza in props.conf using EXTRACT with a source,
sourcetype, or host spec (usually a sourcetype)
Use the EXTRACT command with a name and the REGEX after the
equals sign
props.conf
[tradelog]
EXTRACT-1type = .*type:\s(?<acct_type>personal|business)
- Wrap parentheses around your field value to create a named capture, and embed your field name within those parentheses with (?<field_name>...)
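You can prototype the capture portion of an EXTRACT expression on the command line before adding it to props.conf. sed has no named groups, so this sketch uses a plain capture group; the sample event is hypothetical:

```shell
# Pull the acct_type value (personal|business) out of a trade log line
event='2011-05-23 10:01:22 trade ok type: business amount: 500'
acct_type=$(echo "$event" | sed -E 's/.*type: (personal|business).*/\1/')
echo "$acct_type"   # business
```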
When users create or modify these objects, Splunk Web simply writes to these files for them
Admins can directly modify these files, though we recommend using Manager if possible
See the .conf files in $SPLUNK_HOME/etc/system/README and the docs for details on specific files
Lab 3
Section 4:
Config Precedence
133
apps
apps
system
system
6
1
default
default
users
users
unix
unix
local
local
default
default
search
search
4
local
local
default
default
joe
joe
134
admin
admin
unix
unix
search
search
local
local
local
local
local
local
Operational Intelligence
mary
mary
135
$SPLUNK_HOME
$SPLUNK_HOME
etc
etc
apps
apps
system
system
7
4
default
default
users
users
unix
unix
local
local
default
default
search
search
6
local
local
default
default
joe
joe
local
local
Operational Intelligence
136
mary
mary
admin
admin
unix
unix
search
search
local
local
local
local
Precedence is cumulative
At index time, if $SPLUNK_HOME/etc/system/local/props.conf contained this stanza:
[source::/opt/tradelog/trade.log]
sourcetype=tradelog
And if $SPLUNK_HOME/etc/apps/tradeapp/local/props.conf contained:
[source::/opt/tradelog/trade.log]
SHOULD_LINEMERGE=True
BREAK_ONLY_BEFORE=TradeID
The effective configuration becomes:
[source::/opt/tradelog/trade.log]
sourcetype=tradelog
SHOULD_LINEMERGE=True
BREAK_ONLY_BEFORE=TradeID
However
At index time, if $SPLUNK_HOME/etc/system/local/props.conf contained the following stanza:
[source::/opt/tradelog/trade.log]
sourcetype=tradelog
Becomes:
[source::/opt/tradelog/trade.log]
sourcetype=tradelog
SHOULD_LINEMERGE=True
BREAK_ONLY_BEFORE=TradeID
Section 5:
Splunk's Data Store
Section Objectives
Learn index directory structure
Answer the question "What are buckets?" and describe how they move from hot to cold
Describe how to configure aging and retention times
Show how to set up indexes
Learn how to set up volumes on hard disk
Describe back up strategies
Show how to clean out an entire index or selectively delete data
$SPLUNK_DB (default $SPLUNK_HOME/var/lib/splunk) contains one directory per index: defaultdb (index=main), _internaldb, os, etc. Each index directory contains:
- db: hot/warm buckets
- colddb: cold buckets
- thaweddb: unarchived buckets
Index divisions
Splunk divides its indexes into 3 sections, plus a special restored-from-archive section, for fastest searching and indexing
- Hot: most recently indexed events, multiple buckets, read and write, same directory as warm
- Warm: next step in the aging process, multiple buckets, read only, same directory as hot
- Cold: final step in the aging process, multiple buckets, read only, separate directory from warm and hot
- Thawed: restored-from-archive data, read only, separate directory from the rest
Periodically, Splunk runs the optimize process on the hot section of the index to optimize the placement of events in the buckets
Once a hot bucket reaches its size limit, it is automatically rolled into warm
Default bucket size is set automatically by Splunk at install, based on OS type
- Once rolled into warm, each individual bucket is placed in a directory named with 2 timestamps (the time range of its events)
[webfarm]
homePath = h:\splunk_index\db
coldPath = h:\splunk_index\colddb
thawedPath = h:\splunk_index\thaweddb
Retention settings in indexes.conf:
- maxWarmDBCount limits the number of warm buckets
- maxTotalDataSizeMB sets the max total data size (in MB)
- frozenTimePeriodInSecs is the time in seconds before data is frozen
[webfarm]
homePath = h:\splunk_index\db
coldPath = h:\splunk_index\colddb
thawedPath = h:\splunk_index\thaweddb
maxWarmDBCount = 150
maxTotalDataSizeMB = 850000
frozenTimePeriodInSecs = 2598000
Cold to frozen
Frozen is either archive or oblivion; the default is deletion
To archive you must define:
- coldToFrozenPath: the location where Splunk automatically archives frozen data
- Splunk strips away the index data and stores only the raw data in the frozen location
- Frozen storage can be slow and inexpensive: NAS, tape, etc.
- Older versions of Splunk used cold-to-frozen scripts; those are still supported, though if you specify both a coldToFrozenPath and a coldToFrozenScript, the path setting takes precedence
Set in indexes.conf or in Manager:
[webfarm]
homePath = h:\splunk_index\db
coldPath = \\filer\splunk_cold\colddb
thawedPath = h:\splunk_index\thaweddb
maxWarmDBCount = 150
maxTotalDataSizeMB = 850000
frozenTimePeriodInSecs = 2598000
Storage volumes
You can specify locations and maximum size for index partitions using volume stanzas
- Handy way to group and control multiple indexes
- Volume size limits apply to all indexes that use the volume
Create volumes in indexes.conf, then use them in index definitions:
[network]
maxWarmDBCount = 150
frozenTimePeriodInSecs = 15778463
homePath = volume:hotNwarm\network
coldPath = volume:cold\network
Be sure to use subdirectories for your indexes to avoid collisions
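The volumes referenced above must themselves be defined in indexes.conf. A sketch, with hypothetical volume paths and sizes:

```ini
# Fast local disk for hot/warm buckets
[volume:hotNwarm]
path = h:\splunk_index\fast_disk
maxVolumeDataSizeMB = 500000

# Cheaper shared storage for cold buckets
[volume:cold]
path = \\filer\splunk_cold
maxVolumeDataSizeMB = 2000000
```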
User data
- Things such as event types, saved searches, etc.
- $SPLUNK_HOME/etc/users/
Splunk configurations
- Configuration files updated either by hand or Manager
- $SPLUNK_HOME/etc/system/local
- $SPLUNK_HOME/etc/apps/
Backups: How
Recommended method: using the incremental backup tool of your choice, back up:
- The warm and cold sections of your indexes
- User files
- Archive or backup configuration files
- Hot cannot be backed up without stopping Splunk
If the interval between backups is long enough to make you worry about losing data in hot between backups:
How
- Roll the hot db into warm with a script right before backing up
- Restarting splunkd also forces a roll from hot to warm
- Example roll command for the CLI
Pipe a search to the delete command
- Note that this is a virtual delete: Splunk marks the events as deleted and they will never show in searches again, but they will continue to take up space on disk.
Section 6:
Users, Groups, and
Authentication
Section Objectives
Understand user roles in Splunk
Create a custom role
Understand the methods of authentication in Splunk
User roles
There are three built-in user roles:
Admin, Power, User
("Can Delete" is a special case, already covered)
Administrators can configure custom roles
- Name the role
- Specify a default app
- Define the capabilities for the role
- Limit the time ranges the role can use
- Specify both default and accessible indexes
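Custom roles configured in Manager are written to authorize.conf. A hedged sketch of what such a stanza can look like; the role name, index names, and capability are hypothetical:

```ini
[role_tradedesk]
# Inherit the built-in user role's capabilities
importRoles = user
# Default and accessible indexes for this role
srchIndexesDefault = trades
srchIndexesAllowed = trades;summary
# Limit searches to the last 24 hours (in seconds)
srchTimeWin = 86400
# Grant an individual capability
schedule_search = enabled
```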
LDAP authentication
Splunk can be configured to work with most LDAP servers, including Active Directory
LDAP can be configured from Splunk Manager
See the docs for details:
www.splunk.com/base/Documentation/latest/Admin/SetUpUserAuthenticationWithLDAP
Scripted Authentication
Leverage existing PAM or RADIUS authentication systems for Splunk
For the most up-to-date information on scripted authentication, see the
README file in
$SPLUNK_HOME/share/splunk/authScriptSamples/
There are also sample authentication scripts in that directory
Single Sign On
Authentication is moved to a web proxy, which passes along authentication to Splunk Web
[Diagram: SSO client, auth server, and Splunk server; step 1 is the Splunk request]
Lab
Section 7: Forwarding
and Receiving
Section objectives
Understand forwarders
Compare forwarder types
Examine topology examples
Deploy and configure forwarders
Light forwarder
- Full Splunk in Light forwarder mode (no separate install), otherwise works the same as Universal forwarder
Heavy forwarder
- Full Splunk instance does everything but write data to index
- Breaks data into events before forwarding
- Can handle content-based routing
Comparing forwarders
If you need to:
- Forward unparsed data to a receiver or indexer: Universal forwarder
- Collect data on a forwarder that requires a python-based scripted input: Light forwarder
- Route collected data based on event info, or filter data prior to a WAN/slower connection: Heavy forwarder
* Requires distributed search, covered later in this section
splunkd ports
Balancing
Restart required
You want to clone a system image that includes a Universal Forwarder
msiexec.exe /i splunkuniversalforwarder_x86.msi DEPLOYMENT_SERVER="deploymentserver1:8089" AGREETOLICENSE=Yes /quiet

msiexec.exe /i splunkuniversalforwarder_x86.msi LOGON_USERNAME="AD\splunk" LOGON_PASSWORD="splunk123" DEPLOYMENT_SERVER="deploymentserver1:8089" LAUNCHSPLUNK=0 AGREETOLICENSE=Yes /quiet
installation
msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 AGREETOLICENSE=Yes /quiet

msiexec.exe /i splunkuniversalforwarder_x86.msi RECEIVING_INDEXER="indexer1:9997" MIGRATESPLUNK=1 AGREETOLICENSE=Yes /quiet
splunk set deploy-poll <host:port>
- Client without deployment server: splunk enable deploy-client
- Forward to an indexer: splunk add forward-server <host:port>
Migration can only occur the first time you start the universal forwarder, post-installation. You cannot migrate at any later point.
The migration process only copies checkpoint files; you should manually copy over the old forwarder's inputs.conf.
Forwarding configurations
inputs.conf on the forwarder gathers the local logs/system info
needed
- You can include input phase settings in props.conf on light forwarders
- Per-event processing must be done on the indexer
$SPLUNK_HOME/etc/system/local
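A minimal inputs.conf on a forwarder might look like the following sketch; the monitored path, sourcetype, and index are illustrative:

```
# $SPLUNK_HOME/etc/system/local/inputs.conf
[monitor:///var/log/messages]
sourcetype = syslog
index = main
```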
[tcpout]
# Global settings
defaultGroup=web_indexers
disabled=false

[tcpout:web_indexers]
# Receiving server
server=splunk1.company.com:9997
compressed=true

[tcpout-server://splunk1.company.com:9997]
[tcpout]
# Global settings
indexAndForward=true

[tcpout:uk_clone]
# Receiving server
compressed=true
server=uk_splunk.company.com:9997
- Compression is turned on
- Server setting refers to either the
signed certificates
[tcpout:indexer]
server=splunk.company.com:9997
sslPassword=ssl_for_m3
sslCertPath=$SPLUNK_HOME/etc/auth/server.pem
sslRootCAPath=$SPLUNK_HOME/etc/auth/cacert.pem
[tcpout:list_LB]
autoLB=true
server=splunk1.company.com:9997,splunk2.company.com:9997
splunk1    A    10.20.30.40
splunk2    A    10.20.30.41
splunk1b   A    10.20.30.40
splunk1b   A    10.20.30.41
[tcpout:DNS_LB]
autoLB=true
server=splunk1b.mycompany.com:9997
autoLBFrequency=60
Indexer Acknowledgement
Guards against loss of data when forwarding to an indexer
- Forwarder will re-send any data not acknowledged as "received" by the indexer
Disabled by default
Requires version 4.2 of both forwarder and receiver
Can also be used for forwarders sending to an intermediate forwarder
The indexer receives a block of data, then parses it and writes it to disk
Once on disk, the indexer sends an acknowledgment to the forwarder
Upon acknowledgment, the forwarder releases the block from memory
- If the wait queue is of sufficient size, it doesn't fill up while waiting for
acknowledgments to arrive
- Wait queue size can be increased (covered in a later slide)
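Indexer acknowledgment is enabled per output group in outputs.conf with the useACK setting. A sketch, with the group name and server assumed from the earlier example:

```
# outputs.conf on the forwarder (requires 4.2 on both ends)
[tcpout:web_indexers]
server = splunk1.company.com:9997
useACK = true
```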
for one of the blocks, at which point it can free up space in the queue.
Handling duplicates
If a network problem prevents an acknowledgment from reaching the forwarder, duplicates may occur
- Example: the indexer receives a data block, then generates the acknowledgment
- Disabled by default
be 6MB
Lab
Section 8: Distributed
Environments
Objectives
List Splunk server types
Understand distributed search
Describe search head pooling
Understand the deployment server
Universal forwarders
- Separate install. Gathers data and forwards to an indexer.
Indexer (search peer)
Search head
- Accessed by users. Runs ad-hoc and scheduled searches/alerts. Distributes searches out to all peers and combines results.
Heavy forwarders
- Gather or receive data, process it, and then forward on to an indexer.
Forwarders
- Input
Indexer
- Parsing
- Indexing
Search head
- Search
Deployment Server
- Manage multiple, varying Splunk instance configurations from a single server
Distributed Search
[Diagram: users log in through a Layer 7 load balancer in front of the search heads]
- Copy the app subdirectories, $SPLUNK_HOME/etc/apps/, into /tmp/nfs/apps
- Similarly, copy the user subdirectories, $SPLUNK_HOME/etc/users/, into /tmp/nfs/users
Run on the search head:
$ splunk pooling enable <path to shared storage>
$ splunk pooling display
$ splunk pooling disable
Configuration changes
Once pooling is enabled on a search head, you must notify the search head if you directly edit a .conf file
If you add a stanza to any config file in a local directory, you must run the following command:
splunk btool fix-dangling
Not necessary if you make changes via Splunk Web Manager or the CLI
Deployment Server
Deployment Terminology
Deployment server
- A Splunk instance that acts as a centralized configuration manager
- Supplies configurations to any number of Splunk instances
- Any Splunk instance can act as a deployment server
Deployment client
- Splunk instances that are remotely configured
- A Splunk instance can be both a deployment server and client at the same time
Server class
- A logical grouping of deployment clients based on need for the same configs
Deployment app
- Set of deployment content (including configuration files) deployed as a unit to clients of a server
class.
- Database group
Database
- Solaris servers (sunos-sun4u)
- Oracle
[Diagram: a deployment server managing two server classes: the www-forwarder server class (www2-forwarder, www3-forwarder) and the db-logging-forwarder server class (db1-forwarder, db2-forwarder)]
[global]
# Where apps are stored on the deployment server
repositoryLocation=$SPLUNK_HOME/etc/deploymentApps
# Where apps will be delivered on the client
targetRepositoryLocation=$SPLUNK_HOME/etc/apps

# Server-class specific settings
[serverClass:AppsByMachineType]
[serverClass:AppsByMachineType:app:win_eventlog]
# www-forwarder server class: only applies to clients in the 10.1.1* IP range
[serverClass:wwwforwarder]
whitelist.0=*.10.1.1*

# Deploy this app to clients that match
[serverClass:wwwforwarder:app:webfarmforwarders]
stateOnClient=enabled

# db-logging-forwarder server class: only applies to clients in the 192.2* IP range
[serverClass:dbloggingforwarder]
filterType=blacklist
blacklist.0=*
whitelist.0=*.192.2*

# Deploy this app to clients that match
[serverClass:dbloggingforwarder:app:dbforwarder]
stateOnClient=enabled
Administering Splunk 4.2
[serverClass:AppsByMachineType:app:SplunkDesktop]
machineTypes=Windows-Intel

# Deploy this app only to Linux 32- or 64-bit machines
[serverClass:AppsByMachineType:app:unix]
machineTypes=linux-i686, linux-x86_64
restartSplunkWeb=<True or False>        # defaults to true
restartSplunkd=<True or False>
stateOnClient=<enabled|disabled|noop>   # enable or disable apps on the client after installation or change
URI of deployment server
Command output:
DeploymentClient: ip=192.168.2.4, dns=192.168.2.4, hostname=mycompanyPC64, mgmt=8089, build=64889, name=deploymentClient, id=connection_192.168.2.4_8089_192.168.2.4_deploymentClient, utsname=windows-unknown
Deployment actions
Default poll period is 30 seconds
- Specified in serverclass.conf
[Diagram: the deployment client polls the server, the server sends instructions, and the client gets content from the deployment server]
Section 9: Licensing
Section Objectives
Identify license types
Understand license violations
Define license groups
Define license pooling and stacking
Add and remove licenses
Free license
- Activates automatically when the 60-day trial Enterprise license expires
- Can be activated before 60 days by using Manager
- Doesn't allow authentication, forwarding to non-Splunk servers, or alerts
- Does allow 500 MB/day of indexing and forwarding to other Splunk instances
License groups
License types are organized into groups
- Enterprise Group
- Free Group
- Forwarder Group
Enterprise trial license that comes with the Splunk download cannot be
stacked
Free license cannot be stacked
Pools can be created for a given stack
- Specify Splunk indexing instances as members of a pool for the purpose of
[Diagram: a 300GB license and a 200GB license form a stack; pools carve entitlements from the stack, e.g. Pool 2 with a 100GB entitlement, Pool 3 with a 200GB entitlement, and Pool 4 with a 100GB entitlement]
Adding a license
Any 4.x license can be added
- 4.2 licenses can be uploaded, or
License stacks
[Diagram: a 4.2 Enterprise license and a 4.1 Enterprise license combined into a single Enterprise stack]
License pools
For each stack, you can create
one or more additional license
pools
- Define a maximum volume for the
pool
- Select indexers for the pool
[Screenshot: the default pool and an added pool]
Viewing alerts
Lab
Section objectives
Learn what you can secure in Splunk
Understand SSL and Splunk
Learn about user group and index security
Learn what is recorded in the audit log
Describe how to secure the audit log
Understand archive data signing
Audit
- user actions
- file system
Data Signing
- cold to frozen archive data
- audit data in Splunk
SSL
Already enabled between splunkd and Splunk Web
Can be enabled via Splunk Web > Manager or by editing web.conf
- Splunk automatically generates self-signed certificates
- You can purchase third-party certificates to avoid browser warnings
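Turning on SSL for browser connections via web.conf amounts to a one-line change; a sketch:

```
# $SPLUNK_HOME/etc/system/local/web.conf
[settings]
enableSplunkWebSSL = true
```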
Auditing
Splunk automatically creates an audit trail of Splunk user actions
- Stored in the _audit index
- Accessible only by administrators by default
- Useful for monitoring for prying eyes
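For example, recent user activity can be reviewed by searching the audit index directly (requires a role with access to _audit; field names may vary by version):

```
index=_audit action=search | table _time user action info
```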
http://www.splunk.com/base/Documentation/latest/Admin/Signauditevents
automatically
Section 11:
Jobs, Knowledge Objects, and
Alerts
Section objectives
Understand jobs
Manage jobs
Understand alerts and alert settings
Understand PDF server and alerts
Understand what knowledge objects are and how to set their
permissions
job
Alerts Review
Alerts are saved searches
that run on a schedule and
do something based on the
data that is returned
Alerts can send an email,
trigger a shell script, or
create an RSS feed
forwarder
See www.splunk.com/base/Documentation/latest/Installation/ConfigurePDFprintingforSplunkWeb for details
Scripted alerts
You can have an alert that activates a script
Scripts must be located in $SPLUNK_HOME/bin/scripts
Scripts can be in any language the underlying operating
system can run
Splunk passes a number of variables to the script
For details on variables etc., see the docs:
http://www.splunk.com/base/Documentation/latest/admin/ConfigureScriptedAlerts
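As a hedged sketch (argument positions, $1 for event count and $4 for saved search name, follow the 4.x behavior; verify against the docs linked above, and the log path is illustrative), a minimal alert script might look like:

```shell
#!/bin/sh
# Minimal scripted-alert handler; place in $SPLUNK_HOME/bin/scripts
# and make it executable. Splunk 4.x passes positional arguments:
#   $1 = number of events returned, $4 = name of the saved search

format_alert() {
    # Build a single log line from the event count ($1) and search name ($2)
    printf 'alert %s fired with %s events\n' "$2" "$1"
}

# Append the firing record to a local log file
format_alert "$1" "$4" >> /tmp/splunk_alerts.log
```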
Knowledge Objects
Knowledge objects are user-created things such as
- Eventtypes
- Saved Searches
- Field Extractions using IFX (Interactive Field Extractor)
- Tags
Section 12:
Troubleshooting
Section objectives
Learn how to set specific log levels using Manager
Learn basic troubleshooting steps to solve/identify common
issues
Learn how to get community help with Splunk
Understand how to contact Splunk Support
Deployment monitor
The Deployment Monitor is a collection of dashboards and drilldown
pages with information to help monitor the health of a system
- Index throughput over time
- Number of forwarders connecting to the indexer over time
- Indexer and forwarder abnormalities
- Details for individual forwarders and indexers, such as status and forwarding
Configuring alerts
Click configure alerting to modify
the underlying saved
search/alert
Indexer Properties
Data specific to a given indexer
- Drill-down from All Indexers view
- Can drill-down on any chart item to
All Sourcetypes
Shows MB Received by
sourcetype
Table display shows each
sourcetype, current status, last
received, and total MB received
Drill down on any item for
underlying events
Sourcetype info
Drill-down from All
sourcetypes shows info
for single sourcetype
License Usage
Cumulative MB per day by
Sourcetype
MB Received
- By sourcetype, source, host, forwarder,
Usage statistics
- By sourcetype, source, host, forwarder,
Backfill data
Use Backfill Summary Indexes to add two weeks' worth of data to the summary indexes (useful for a new Deployment Monitor installation on an existing Splunk instance)
Use Flush and Backfill to erase old data and re-populate
Splunk Support
Contact Splunk Support by email: support@splunk.com
File a case online
http://www.splunk.com/index.php/submit_issue
24/7 phone support, depending on your support contract