All Apps and Add-ons

Automation using Splunk

Explorer

I have a server which stores some logs. Everyday news logs are added. So what I want is, every week, on a particular day, (say Friday @ 12 AM), a script will be triggered which will forward these logs from the server to Splunk installed in a windows PC. Then the analysis of these logs will begin automatically based on some predefined scenarios (say for example, how many users are using the server per month, per week or per day). The search strings for these scenarios will be already stored in a database and I need to fetch those strings one by one and execute them. The reports generated for all these scenarios will then be mailed to some predefined mail ids. That's the thing which I am trying to achieve, in short. 😄

Now the issues here are :
1. Is this thing even feasible considering that Splunk is not open source? 😄
2. I tried to configure the Splunk Universal Forwarder but it did not work. I made the necessary changes in the inputs.conf and outputs.conf file, added the receiving indexer using the command (splunk add forward-server :9997) and also configured receiving options in Splunk Enterprise to listen to port 9997. Still no success. Did I miss anything?
3. Using DB Connect app we can connect Splunk to a database and also fetch the search strings as well. But how do I ensure that the strings will be executed automatically one after the other?
4. How do I mail the reports generated for each scenario automatically to some predefined recipients?

I am a beginner in Splunk and need some assistance to get this done. Any help would be highly appreciated.

Thanks 🙂

0 Karma
1 Solution

Legend

Hi mmukherjee,
sorry but I don't understand your needs.

Splunk isn't Open Source and it's licensed by dayly indexed logs, if you want there is also a free license with some limit (see https://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html).

Why you want to forward logs from your server to splunk once a week? you have less network bandwidth occupation forwarding logs to Splunk continuously, anyway, you can schedule your Forwarder activity.

When you have logs in your Splunk Enterprise server you can create all the alerts, reports and dashboard you need and they are already stored in Splunk and not in an external DB.

To answer to your questions:

  1. all the things you described are feasible in Splunk, remeber that if you use Splunk free you haven't any features (see https://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html)
  2. did you checked if there are firewalls rules? you can try this using telnet IP_Splunk_server 9997 from the monitored server
  3. you can schedule DB Connect queries execution
  4. yes, you can send reports and/or alerts to predefined emails.

Bye.
Giuseppe

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Yes, what you want to do can certainly be done. For you it will take weeks of learning, trial and error. For a seasoned Splunk administrator, probably a day or two at most (though the analysis of the data is not described, so that is an unknown). If you want to do this by yourself you will have to dedicate a lot of time to making it happen. If it is worth that to you, go for it. If you want to do what you have described, though, you'll probably have to get a license, because the free version will not do everything that you want. If you need it soon, it would be best to hire someone with the expertise to do what you want, and learn from observing. There are the costs, either time or money, plus probably licensing fees in either case.

You aren't looking at a very difficult thing to do in Splunk, but it requires an understanding of the product that comes with a price.

0 Karma

Legend

Hi mmukherjee,
sorry but I don't understand your needs.

Splunk isn't Open Source and it's licensed by dayly indexed logs, if you want there is also a free license with some limit (see https://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html).

Why you want to forward logs from your server to splunk once a week? you have less network bandwidth occupation forwarding logs to Splunk continuously, anyway, you can schedule your Forwarder activity.

When you have logs in your Splunk Enterprise server you can create all the alerts, reports and dashboard you need and they are already stored in Splunk and not in an external DB.

To answer to your questions:

  1. all the things you described are feasible in Splunk, remeber that if you use Splunk free you haven't any features (see https://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html)
  2. did you checked if there are firewalls rules? you can try this using telnet IP_Splunk_server 9997 from the monitored server
  3. you can schedule DB Connect queries execution
  4. yes, you can send reports and/or alerts to predefined emails.

Bye.
Giuseppe

View solution in original post

0 Karma