topic Re: Splunk enterprise configuration in Monitoring Splunk

Splunk enterprise configuration

adminp4l — Mon, 21 Jun 2021 04:23:31 GMT

Hi,

We are planing to go for Splunk Enterprise. Could you please clarify my below queries to make us more understandable.

1. Can we use multiple projects in one login itself.
2. How can we search individual projects in Splunk, means each project owner have only access or visible to their particular projects.
3. Is all logging happened in the server where we hosted our applications.
4. Duration for maintaining all logs. Are we get logs for last 1 year. I can see up to 30 days in the filter option.
5. Cost for the subscription which includes support.

6. How about the renewal options.

Re: Splunk enterprise configuration

gcusello — Mon, 21 Jun 2021 06:09:02 GMT

Hi @adminp4l ,

I try to answer to your questions:

1. Can we use multiple projects in one login itself.

If you're speaking of Splunk Could, users of a subscription can access only data and apps of the subscription.

Then, In Splunk it's possible to define roles (containing also one user) and to give to one role the grants on an App or one or more knowledge objects.

So each login can see the Apps shared with his role, and the Search and Reporting App that's common (it's also possible to disable access to this app).

2. How can we search individual projects in Splunk, means each project owner have only access or visible to their particular projects.

What do you mean with "Projects"?

If you mean an App, each user can build his apps and define the share rules:

Open to all: sharing with "Everyone" apps and knowledge objects,
Open to App: sharing objects at app level and defining the roles that can access an app,
Private: each user can see only his apps and knowledge objects.

3. Is all logging happened in the server where we hosted our applications.

Splunk logs every action on the system in the _audit and _internal indexes.

4. Duration for maintaining all logs. Are we get logs for last 1 year. I can see up to 30 days in the filter option.

If you're speaking of Splunk on premise, you can define the retention of your logs by yourself, but remember that you have to do a Capacity Plan to define the storage requirements for a retention of one year.

If instead you're speaking of Splunk Cloud, the default retention is 90 days but you can buy a longer retention.

About filters, for my knowledge, it isn't possible to limit the filtering period, but you can delete the default filter options greater than 30 days, but this doesn't limity the possibility to manually set a greater search period.

5. Cost for the subscription which includes support.

Abut costs, they depends on the volume of your logs: you pay a license for the daily indexed logs.

You have to define your usual logs volume and buy a license for them, you can exceed this value for 45 times in the last 60 days, so you have to make a puntual Capacity Plan for your license.

For the cost, you have to ask to your Splunk partner that asks to the local distributor.

Here you can find more infos:

https://www.splunk.com/en_us/software/pricing.html?utm_campaign=google_emea_tier2_en_search_brand

In Internet there is also this site, but I'm not sure that's a Splunk official site https://splunkpricing.com/

Some months ago there was an official Splunk prices page, but now there isn't more.

6. How about the renewal options.

You can renew your subscription when it's finishing, contacting the Partner that sold you the original subscription.

Ciao.

Giuseppe

Re: Splunk enterprise configuration

adminp4l — Mon, 21 Jun 2021 12:34:51 GMT

It would be helpful if u provide a tutorial about this topic for Splunk Enterprise

Re: Splunk enterprise configuration

gcusello — Mon, 21 Jun 2021 12:45:22 GMT

Hi @adminp4l,

which topic are you speaking of?

You can find a Tutorial for the SQL (the search language of Splunk) at https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchTutorial/WelcometotheSearchTutorial

You can find free courses about Splunk fundamentals and architecture at https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html and https://www.splunk.com/en_us/training/free-courses/splunk-infastructure-overview.html

Then you can find many videos on YouTube.

Ciao.

Giuseppe

Re: Splunk enterprise configuration

adminp4l — Tue, 22 Jun 2021 03:40:02 GMT

Dear Gcusello,

I am using Splunk enterprise and looking for how to configure only respective team members have access to their own projects not other projects.

It would be very much helpful if you could provide any tutorials for creating multiple projects logs with permission to access in one login itself.

Re: Splunk enterprise configuration

gcusello — Tue, 22 Jun 2021 06:49:16 GMT

Hi @adminp4l,

as you can see at https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/Aboutusersandroles, the steps to configure access grants to apps is something like this (with only local users):

create a role for each group of users with the access rights [Settings -- Roles -- New Role],
don't use "Inheritance" in role creation, but assign only the needed functions and indexes,
assign each user to one or more roles [Settings -- Users]
assign to each App only the roles for that App [Apps -- Manage Apps --- Permissions].
assign to each Knowledge Objects of each App only the roles for that App [Permissions].

In this way you're sure that each user can access only the neede Apps, Functions and Indexes.

Probably this video will help you https://www.youtube.com/watch?v=A4IRcdSKmys

If you use Active Directory or SAML as authentication the procedure is the same for the roles creation and different in User / rolesa association as you can see at https://docs.splunk.com/Documentation/Splunk/8.2.0/InheritedDeployment/Usersrolesandauthentication

Ciao.

Giuseppe

Re: Splunk enterprise configuration

adminp4l — Wed, 23 Jun 2021 03:35:20 GMT

Hi Gcusello,

Thanks for your valuable comments. Let me try to implement according to user specific in my c# code. If any blockages will reach out to you.

Appreciate your support.

Re: Splunk enterprise configuration

gcusello — Wed, 23 Jun 2021 06:25:32 GMT

Hi @adminp4l,

let me know if I'll be able to help you next time.

Ciao and happy splunking.

Giuseppe

P.S.: karma Points are appreciated 😉

Re: Splunk enterprise configuration

adminp4l — Mon, 28 Jun 2021 06:55:37 GMT

Hi gcusello,

We have created different user roles. But each user can able to view all project logs. Can we restrict these user to view other project logs.

It would be much appreciate if you can share settings the view permission to restrict for other projects view.

Re: Splunk enterprise configuration

gcusello — Mon, 28 Jun 2021 09:15:09 GMT

Hi @adminp4l,

at first check the enabled indexes for each roles: you have to give to each solo, only the access to the requested indexes.

Then you have to check if there's some "Inheritance", because in this case, the role takes the grantes of the inheritated role.

Ciao.

Giuseppe

Re: Splunk enterprise configuration

adminp4l — Tue, 29 Jun 2021 05:01:02 GMT

Hi gcusello

Thanks for sharing the information, Can we get any video tutorial for the same.

Also we are implementing logs from our C# code. It would be much helpful if you can consider this also.

Re: Splunk enterprise configuration

gcusello — Wed, 30 Jun 2021 06:53:21 GMT

Hi @adminp4l,

use Google to search Splunk videos and you'll surely find!

Anyway, for Users and roles see this: https://www.youtube.com/watch?v=A4IRcdSKmys

Ciao.

Giuseppe