Posts

Showing posts with the label cluster

Index: Study Splunk

Want to learn about Splunk? You came to the right spot ;) What does this blog contain so far?

What is Splunk?
Splunk Enterprise Components?
Installing Splunk?
Installing Splunk Universal Forwarder?
Walkthrough of Splunk Interface
Search Modes
Searching in Splunk
#1 Splunk sub(commands) [top, rare, fields, table, rename, sort]
#2 Splunk sub(commands) [eval, trim, chart, showperc, stats, avg]
#3 Splunk sub(commands) [eval, round, trim, stats, ceil, exact, floor, tostring]
#4 Splunk sub(commands) [timechart, geostats, iplocation]
#5 Splunk sub(Commands) [sendemail, dedup, eval, concatenate, new_field]
#6 Splunk sub(Commands) [fields, rename, replace, table, transaction]
Bringing data into Splunk
Bringing data into Splunk (Continued...)
Enable receiving port on Splunk server
Dealing with Time

I am still in the process of writing a couple more topics related to Splunk, but you can go through any of the links given above!! Do let me know if you have...

Splunk Enterprise Components?

Search Head
Basically it's a graphical user interface that contains all the dashboards, charts, etc. It also gives us a way to query the data according to our needs.

Indexer
It is the core component, which does all the heavy tasks. Its major task is to get the data parsed, i.e. your data is broken down into events and stored in the indexer. It is used by the search head to query the data; once the data is queried, all the events matching the search are returned to the search head.

Forwarders
Universal: For understanding's sake you can think of it as an agent. It collects data from remote data sources and feeds it to the Splunk indexer. Example: flat files, logs (web server, database). It is a very small (lightweight) daemon.
Heavy: It's heavier than the universal forwarder, with the additional capabilities of parsing and storing the data. Logically, storing on a heavy forwarder is not recommended. Parsing means masking of the data (removing secret information like pa...