Splunk 7.x Quick Start Guide
eBook - ePub

Gain business data insights from operational intelligence

  1. 298 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

Learn how to architect, implement, and administer a complex Splunk Enterprise environment and extract valuable insights from business data.

Key Features

  • Understand the various components of Splunk and how they work together to provide a powerful Big Data analytics solution.
  • Collect and index data from a wide variety of common machine data sources
  • Design searches, reports, and dashboard visualizations to provide business data insights

Book Description

Splunk is a leading platform and solution for collecting, searching, and extracting value from ever increasing amounts of big data - and big data is eating the world! This book covers all the crucial Splunk topics and gives you the information and examples to get the immediate job done. You will find enough insights to support further research and use Splunk to suit any business environment or situation.

Splunk 7.x Quick Start Guide gives you a thorough understanding of how Splunk works. You will learn about all the critical tasks for architecting, implementing, administering, and utilizing Splunk Enterprise to collect, store, retrieve, format, analyze, and visualize machine data. You will find step-by-step examples based on real-world experience and practical use cases that are applicable to all Splunk environments. There is a careful balance between adequate coverage of all the critical topics with short but relevant deep-dives into the configuration options and steps to carry out the day-to-day tasks that matter.

By the end of the book, you will be a confident and proficient Splunk architect and administrator.

What you will learn

  • Design and implement a complex Splunk Enterprise solution
  • Configure your Splunk environment to get machine data in and indexed
  • Build searches to get and format data for analysis and visualization
  • Build reports, dashboards, and alerts to deliver critical insights
  • Create knowledge objects to enhance the value of your data
  • Install Splunk apps to provide focused views into key technologies
  • Monitor, troubleshoot, and manage your Splunk environment

Who this book is for

This book is intended for experienced IT personnel who are just getting started working with Splunk and want to quickly become proficient with its usage. Data analysts who need to leverage Splunk to extract critical business insights from application logs and other machine data sources will also benefit from this book.

Splunk 7.x Quick Start Guide by James H. Baxter is available in PDF and/or ePUB format, as well as other popular books in Computer Science & Data Processing.

Information

Year
2018
ISBN
9781789538021
Edition
1

Splunk Applications

In this chapter, we'll cover how to combine configuration files, scripts, knowledge objects, and reports/dashboards into packages called apps that make Splunk more useful and relevant to specific technologies or business-driven use cases. This chapter will also introduce several of the most useful (and mostly free) apps and add-ons available from Splunkbase that further extend the value of Splunk by providing optimized data collection and management functions for a wide variety of technologies, including Linux and Windows servers, databases, and various logs and metrics from AWS, to give just a few examples. Finally, we'll review the Splunk Machine Learning Toolkit, DB Connect, and Splunk's premium apps – IT Service Intelligence, Enterprise Security, and User Behavior Analytics, and see how they fit into comprehensive monitoring and situational-detection solutions.
The specific topics discussed in this chapter include the following:
  • Apps and Add-Ons
  • How to create Splunk apps from templates
  • Using Splunkbase to find and install free apps
  • Using Linux and Windows TA applications to monitor the infrastructure
  • Installing and configuring Splunk DB Connect to work with data from relational databases
  • Installing and getting familiar with the ML toolkit
  • Becoming aware of the Splunk Premium apps
Let's get started with Splunk apps!

Splunk apps and add-ons

Apps and add-ons extend the functionality of the Splunk platform. A Splunk app is a collection of knowledge objects, and as you know, a knowledge object is a broad term that is applied to configuration files, saved searches, macros, lookups, and so on. An app can also include scripts that are used to retrieve data from external sources and/or HTML, CSS, XML, image, and other files to create user interfaces and visualizations that expand and increase Splunk's functionality to meet user needs.
By default, the Splunk platform includes one basic app that enables you to work with your data: Search & Reporting. To expand Splunk's functionality, you can install other apps from Splunkbase or create your own. Most of the apps provided by Splunk or other users on Splunkbase are fairly sophisticated and greatly extend the functionality of the Splunk platform.
An add-on, on the other hand, is generally an app that enables the Splunk platform to collect and ingest a particular type of data from other technologies or vendors. An add-on will typically include a script or code and related configuration files to support the data-collection process, plus task-specific saved searches and macros; many do not include a user interface and play a supporting role only. Examples include the Splunk Add-on for Unix and Linux and the Splunk Add-on for Microsoft Windows, both of which collect OS-level logs and metrics, and the Splunk Add-on for Amazon Web Services, which interfaces with various AWS technologies to collect and store logs and metrics data into Splunk indexes.
To generalize, apps offer user interfaces and tools that enable you to work with your data, and they often rely on add-ons to ingest various types of data. This will all make more sense as you actually work with apps—let's get started.

Creating a Splunk app

As we mentioned, you can create your own apps in Splunk. In practice, user-created apps—or more specifically, the app directories and their contents—are typically used as a container for the saved searches, reports, dashboards, and configuration files that pertain to the data for a specific technology, application, environment, or business unit. These apps can be as simple as a few .conf files (such as indexes.conf or inputs.conf) that configure Splunk to import and store data, or a sophisticated collection of knowledge objects, scripts, and a full-featured user interface that allows data collection, visualization, analysis, and reporting. All of the configuration files within an app are plain text (and can be edited), and Splunk provides full documentation on all of its .conf files—including the stanzas, attributes, and possible values—so that the purpose of each configuration setting is transparent.
You can create a new Splunk app from Splunk Web yourself by going through the following steps:
  1. Click the Apps dropdown
  2. Select Manage Apps
  3. Click Create app
  4. In the form that appears, give the app a name that will be displayed in the left-hand menu, as well as a recognizable, OS-friendly folder name
  5. The Version can be 1.0 (it's your first one!)
  6. If you want your app to have an icon and name listed on the left-hand side with all the other Splunk apps, and to provide a user interface for selecting reports, dashboards, and so on, set Visible to Yes; if it is just going to be a container for some configuration files, set this to No
  7. Author and description are self-explanatory
The following screenshot shows an example form:
Fig 9.1: Creating a new Splunk app
Splunk uses one of two selectable templates for creating the starting structure of your new app: barebones and sample_app. Select barebones if your app is not going to have a user interface; otherwise, choose sample_app. Finally, you can click Choose File to upload any user interface files (HTML, CSS, JS, images) to be used with your app. Then click Save.
After you have created your app, the app directory (on Linux), its subdirectories, and the general contents of each folder will be as shown in the following listing; if you chose the barebones template, the appserver folder will be missing:
/opt/splunk/etc/apps/mytestapp/

appserver/static # images, html, css, etc. files for the user interface
bin/ # script files that collect or manipulate data
default/ # app.conf and several other default conf files
local/ # where you and Splunk put .conf files for inputs, indexes, props, etc.
metadata/ # default.meta and local.meta files - stores access permissions
The app.conf file in .../mytestapp/default contains the entries you made when you created the app—whether it's visible, the label, author, description, and version. If your app is going to have a user interface, then the .../appserver/static/ folder is where you can put your own image files to use in the app, as well as alter the provided application.css file to customize the look of your app; this file is nicely commented to help you find and alter its effects on the app's appearance. Also of note is a default.xml file in .../mytestapp/local/data/ui/nav/ that configures the navigation bar across the top of your app, which you can alter to suit your needs....
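The creation steps and directory layout above, as an added example (this is not code from the book or from Splunk): a Python script that lays out a constructed mytestapp with the folders shown, merges its default/ and local/ app.conf the way Splunk layers them (local overrides default, key by key), and flags the things a reviewer checks before enabling an app: write access granted to every role in default.meta, objects exported system-wide, and scripted inputs that point outside the app's own bin/ directory. The sample conf contents, the app name mytestapp, and the specific checks are assumptions for illustration; the inheritance of a [default] stanza by other stanzas is not modelled.

```python
"""Merge a Splunk app's default/ and local/ .conf layers the way Splunk does
(local wins per key) and flag settings worth reviewing before enabling it."""
import os
import tempfile

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; handles '#' comments,
    trailing-backslash continuations and the empty '[]' stanza of .meta files."""
    joined, acc = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            acc += raw[:-1]
            continue
        joined.append(acc + raw)
        acc = ""
    if acc:
        joined.append(acc)
    stanzas, current = {}, "default"   # keys above any header belong to [default]
    for line in joined:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, _, value = s.partition("=")
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def load_layered(app_dir, *rel_paths):
    """Read files in order; later layers override earlier keys, stanza by stanza."""
    merged = {}
    for rel in rel_paths:
        path = os.path.join(app_dir, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                for stanza, keys in parse_conf(fh.read()).items():
                    merged.setdefault(stanza, {}).update(keys)
    return merged

def load_conf(app_dir, name):
    return load_layered(app_dir, "default/" + name, "local/" + name)

def audit_app(app_dir):
    """Summarise app.conf and return the findings a reviewer would want."""
    app = load_conf(app_dir, "app.conf")
    meta = load_layered(app_dir, "metadata/default.meta", "metadata/local.meta")
    inputs = load_conf(app_dir, "inputs.conf")
    app_name = os.path.basename(os.path.normpath(app_dir))
    findings = []
    for stanza, keys in meta.items():
        access = keys.get("access", "")
        if "write" in access and "*" in access.split("write", 1)[1]:
            findings.append(f"metadata [{stanza}] grants write to every role: {access}")
        if keys.get("export") == "system":
            findings.append(f"metadata [{stanza}] exports its objects to all apps")
    # scripted inputs run as the Splunk service user and belong in this app's bin/
    app_bin = os.path.join("$SPLUNK_HOME", "etc", "apps", app_name, "bin")
    for stanza in inputs:
        if stanza.startswith("script://"):
            script = stanza[len("script://"):]
            norm = os.path.normpath(script)
            inside = norm.split(os.sep)[0] == "bin" or norm.startswith(app_bin + os.sep)
            if os.path.isabs(norm) or not inside:
                findings.append(f"scripted input outside bin/: {script}")
    ui = app.get("ui", {})
    return {"label": ui.get("label"),
            "visible": ui.get("is_visible", "0").lower() in ("1", "true"),
            "version": app.get("launcher", {}).get("version"),
            "findings": findings}

def build_sample_app(root=None):
    """Write a constructed app named mytestapp (assumed name) using the folder layout above."""
    app = os.path.join(root or tempfile.mkdtemp(), "mytestapp")
    files = {   # constructed sample contents, not taken from any real app
        "default/app.conf": "[ui]\nis_visible = 1\nlabel = My Test App\n\n"
                            "[launcher]\nauthor = example\nversion = 1.0\n",
        "local/app.conf": "[ui]\nis_visible = 0\n",   # local override hides the app
        "metadata/default.meta": "[]\naccess = read : [ * ], write : [ admin ]\nexport = system\n\n"
                                 "[savedsearches]\naccess = read : [ * ], write : [ * ]\n",
        "default/inputs.conf": "[script://./bin/collect.sh]\ninterval = 300\n\n"
                               "[script:///tmp/untrusted.sh]\ninterval = 60\n",
        "bin/collect.sh": "#!/bin/sh\necho demo\n",
    }
    for rel, content in files.items():
        path = os.path.join(app, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return app

if __name__ == "__main__":
    result = audit_app(build_sample_app())
    print(result["label"], "visible:", result["visible"], "version:", result["version"])
    for finding in result["findings"]:
        print("-", finding)
```

Run it as a script to see the audit of the constructed app: the local/app.conf override hides an app that default/app.conf marks visible, the savedsearches stanza that lets every role write is reported, and the scripted input under /tmp is flagged while ./bin/collect.sh passes. Point audit_app at a real $SPLUNK_HOME/etc/apps/<app> directory to apply the same checks before enabling an app you did not write.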

Table of contents

  1. Title Page
  2. Copyright and credits
  3. Dedication
  4. About Packt
  5. Contributors
  6. Preface
  7. Introduction to Splunk
  8. Architecting Splunk
  9. Installing and Configuring Splunk
  10. Getting Data into Splunk
  11. Administering Splunk Apps and Users
  12. Searching with Splunk
  13. Splunk Knowledge Objects
  14. Splunk Reports, Dashboards, and Alerts
  15. Splunk Applications
  16. Advanced Splunk
  17. Other Books You May Enjoy