I know very little about Splunk :(. Our only Splunk expert decided to quit and I have been asked to take over the responsibility, starting with enterprise administration. Is referring to the Splunk admin manuals/documentation enough to start?
I mean, is it a 100% knowledge base or just enough to get you up to speed?
Sorry if it sounds silly. I am running in 1000 directions right now.
Any help is much appreciated.
How little is little exactly? If you haven't really used Splunk before, going straight into the admin manual might be a big jump. I'd suggest going through the Search Tutorial on the Splunk documentation page (http://docs.splunk.com/Documentation) first, which will help you get started with understanding Splunk and its many features, just to touch the surface.
Do you know what version of Splunk you are running?
Hi ppablo, I have experience in building reports, dashboards, alerts and knowledge objects, and I have installed Splunk Free and edited conf files on a tiny-scale setup (used 4 laptops, 2 having forwarders, etc.). I haven't done administration at all. Example: I know what an indexer is and how it is a full Splunk Enterprise installation, but I don't know how to disable features like "use it only for indexing but not searching". Basically, I am reading all the different manuals without knowing the practical way of doing it. Any help would be great. My ADHD situation is making it worse :(. Thank you!
In that case, I think going through the suggested documentation referenced by @piebob would be a good place to start since you're familiar with the basics. The apps suggested by @MarioM (and many other apps) will definitely be worth checking out once you have a better grasp on your role and knowledge as an admin. Good luck!
It sounds like you need to get an understanding of what your current deployment looks like, and to review this manual, starting with this topic:
Once you have reviewed this, you can move on to learning about the different roles/components of Splunk:
At that point, you should be able to start asking specific questions (after first searching in the docs, of course :)). This site (Answers) is much better suited to specific questions.
You know more than I did when I became the Splunk in-house "expert" (as I say to people, I "went from zero to SME in the space of 5 days"). This is not to dismiss your concerns. Quite the contrary. I want to give you confidence that it is achievable very quickly. For the most part I would (as the others have said) learn the shape of your actual Splunk infrastructure. I had help, in that I was guided through a new set of installations by one of the previous admins, and I would say that a test installation (which you can afford to break and start from scratch) and a bit of tinkering will get you a long way.
Other than that, I would suggest that you use the documentation (the online manual), the Wiki, and "Answers" as reference material, and for anything else you genuinely cannot find solutions for, or which confuses you, ask here. It's not as daunting as it may seem.
(Personally I don't recommend Splunk-on-Splunk, but that is because I have a personal prejudice about adding secondary packages like the third-party side utils SoS is dependent on. If you can frame a Splunk query, you can understand pretty much everything you need to from Splunk's own "_*" indexes for yourself, and besides, it is a good didactic exercise doing so and learning what you can find in there.)