topic Re: What is the easiest method of starting a new Splunk environment? in Deployment Architecture

What is the easiest method of starting a new Splunk environment?

GIPO29 — Sun, 26 Aug 2018 00:48:16 GMT

What is the easiest method of starting a new Splunk environment? I was suggested to create a virtual machine with my choice of Linux OS, but the installation of Splunk in any Linux suite has been a nightmare. Is there any way to simply create a new instance within my already existing Splunk windows suite?

Re: What is the easiest method of starting a new Splunk environment?

richgalloway — Sun, 26 Aug 2018 12:19:58 GMT

Running multiple instances of Splunk on a server can be more of a nightmare than learning Linux.
Installing Splunk on a Linux system is usually quite simple. Do you have specific questions about installing Splunk on Linux?

Re: What is the easiest method of starting a new Splunk environment?

jkat54 — Sun, 26 Aug 2018 14:43:54 GMT

I agree with Rich. I think it’s probably easier to spin up an AWS or Azure Linux server, log in and install as per the docs:

http://docs.splunk.com/Documentation/Splunk/7.1.2/Installation/InstallonLinux

In Azure there is a marketplace splunk that sets up an entire cluster.

In AWS there’s the same thing using cloud formation templates. I wouldn’t say the AWS approach is the easiest.

So I’d go with the Azure splunk offering found here if I just wanted simplicity:

https://azuremarketplace.microsoft.com/en-us/marketplace/apps/splunk.splunk-enterprise

Re: What is the easiest method of starting a new Splunk environment?

GIPO29 — Sun, 26 Aug 2018 16:35:13 GMT

Thank you both for the advice! I will give it another shot- as this is the reoccurring suggestion for beginners like myself. Out of curiosity though, how does this work in a professional setting. Let's say if you are a contracted Data Analyst who does reporting on a per basis workflow, constantly working with new companies and new data. Does one constantly clear their Splunk, create new Indexes for each company worked with, etc? I know this is somewhat of an advanced question above my current knowledge base- just very curious on how this is done in practice.

Thank you!

Re: What is the easiest method of starting a new Splunk environment?

skoelpin — Sun, 26 Aug 2018 18:18:18 GMT

@woodcock has a pretty good post about this

https://answers.splunk.com/answers/516059/what-are-the-pain-points-with-deploying-your-splun.html

Re: What is the easiest method of starting a new Splunk environment?

GIPO29 — Sun, 26 Aug 2018 18:28:19 GMT

Thank you @skoelpin!

Re: What is the easiest method of starting a new Splunk environment?

MuS — Sun, 26 Aug 2018 19:59:13 GMT

Just my 2cents on this: if you think installation of Splunk on *nix is a nightmare, you will soon realise that running Splunk on Windows is the much bigger nightmare. The reasons for this can be found in that said answer above ^^^ 😉

cheers, MuS

Re: What is the easiest method of starting a new Splunk environment?

DalJeanis — Sun, 26 Aug 2018 20:27:09 GMT

@GIPO29 - that's dependent on various things, most especially what you mean by "reporting on a per-basis workflow."

If you mean that a company gives you access to certain data, you ingest, process and analyze it, and then give them reports and recommendations once, then thereafter have no need of the data, then you just create a new index for each company's data and drop the index (or set the data to quickly age and migrate to cold).

On the other hand, if you will have ongoing responsibilities, and if there is a chance you may need to give the client access to look at their data in your splunk instance, then you will want to consider creating a splunk instance specific to that customer.

Either way, you will create and centralize all your reporting and your specialized ingestion routines in one or more apps specific to that client, and use a naming convention so that you always can find it again.

If you want to chat about this further, then join the splunk slack channel, and open a conversation in #general for suggestions.

Re: What is the easiest method of starting a new Splunk environment?

GIPO29 — Sun, 26 Aug 2018 21:08:57 GMT

For reasons beyond me- the same commands I used yesterday worked today. Possibly got file allocation mixed up or slight typos in the terminal. Either way, I now have it up and running! Thank you for the offer to help. It is very much appreciated. 🙂

Re: What is the easiest method of starting a new Splunk environment?

GIPO29 — Sun, 26 Aug 2018 21:32:27 GMT

Thanks, Friends!! I managed to get Splunk running on my VM Linux (Ubuntu). Now ready to tinker! 🙂

Steps I took to install:

-Downloaded Splunk .deb

Once downloaded run> sudo dpkg -i Downloads/"ENTER SPLUNK FILE NAME".deb
First time start up run> /opt/splunk/bin/splunk start
You'll get prompted to Agree To Terms and Set Admin Password

-Once you've set everything up:

To start run> sudo /opt/splunk/bin/splunk start
Wait for output The Splunk web interface is at http://"YOURUSERNAME":8000
Go to output and get to Splunking!

Hope this helps anyone who was having trouble with the regular Docs instructions like me.

Re: What is the easiest method of starting a new Splunk environment?

GIPO29 — Sun, 26 Aug 2018 21:35:22 GMT

@MuS after much reading, I came across this as well and will be going forward with the suggested Linux hosting alternate. Thanks for your input!

Re: What is the easiest method of starting a new Splunk environment?

GIPO29 — Sun, 26 Aug 2018 21:39:40 GMT

@DalJeanis Thank you for the insightful answer, Dal! That definitely covers some of my major curiosities. The Slack chat is great, although not always as responsive or interactive as one would like.