Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk enterprise configuration

adminp4l
Explorer
‎06-20-2021 09:23 PM
Hi,
 
We are planing to go for Splunk Enterprise. Could you please clarify my below queries to make us more understandable.
 
1. Can we use multiple projects in one login itself.
2. How can we search individual projects in Splunk, means each project owner have only access or visible to their particular projects.
3. Is all logging happened in the server where we hosted our applications.
4. Duration for maintaining all logs. Are we get logs for last 1 year. I can see up to 30 days in the filter option.
5. Cost for the subscription which includes support.
6. How about the renewal options.
 
Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-20-2021 11:09 PM

Hi @adminp4l ,

I try to answer to your questions:

1. Can we use multiple projects in one login itself.
If you're speaking of Splunk Could, users of a subscription can access only data and apps of the subscription.
Then, In Splunk it's possible to define roles (containing also one user) and to give to one role the grants on an App or one or more knowledge objects.
So each login can see the Apps shared with his role, and the Search and Reporting App that's common (it's also possible to disable access to this app).
 

2. How can we search individual projects in Splunk, means each project owner have only access or visible to their particular projects.

What do you mean with "Projects"?

If you mean an App, each user can build his apps and define the share rules:
  • Open to all: sharing with "Everyone" apps and knowledge objects,
  • Open to App: sharing objects at app level and defining the roles that can access an app,
  • Private: each user can see only his apps and knowledge objects.

3. Is all logging happened in the server where we hosted our applications.

Splunk logs every action on the system in the _audit and _internal indexes.

4. Duration for maintaining all logs. Are we get logs for last 1 year. I can see up to 30 days in the filter option.

If you're speaking of Splunk on premise, you can define the retention of your logs by yourself, but remember that you have to do a Capacity Plan to define the storage requirements for a retention of one year.

If instead you're speaking of Splunk Cloud, the default retention is 90 days but you can buy a longer retention.

About filters, for my knowledge, it isn't possible to limit the filtering period, but you can delete the default filter options greater than 30 days, but this doesn't limity the possibility to manually set a greater search period.

5. Cost for the subscription which includes support.

Abut costs, they depends on the volume of your logs: you pay a license for the daily indexed logs.

You have to define your usual logs volume and buy a license for them, you can exceed this value for 45 times in the last 60 days, so you have to make a puntual Capacity Plan for your license.

For the cost, you have to ask to your Splunk partner that asks to the local distributor.

Here you can find more infos:

https://www.splunk.com/en_us/software/pricing.html?utm_campaign=google_emea_tier2_en_search_brand

In Internet there is also this site, but I'm not sure that's a Splunk official site https://splunkpricing.com/

Some months ago there was an official Splunk prices page, but now there isn't more.

6. How about the renewal options.
You can renew your subscription when it's finishing, contacting the Partner that sold you the original subscription.
 
Ciao.
Giuseppe
0 Karma
Reply

adminp4l
Explorer
‎06-21-2021 05:34 AM

It would be helpful if u provide a tutorial about this topic for Splunk Enterprise

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-21-2021 05:45 AM

Hi @adminp4l,

which topic are you speaking of?

You can find a Tutorial for the SQL (the search language of Splunk) at https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchTutorial/WelcometotheSearchTutorial

You can find free courses about Splunk fundamentals and architecture at https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html and https://www.splunk.com/en_us/training/free-courses/splunk-infastructure-overview.html

Then you can find many videos on YouTube.

Ciao.

Giuseppe

Reply

adminp4l
Explorer
‎06-21-2021 08:40 PM

Dear Gcusello,

I am using Splunk enterprise and looking for how to configure only respective team members have access to their own projects not other projects. 

It would be very much helpful if you could provide any tutorials for creating multiple projects logs with permission to access in one login itself. 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-21-2021 11:48 PM

Hi @adminp4l,

as you can see at https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/Aboutusersandroles, the steps to configure access grants to apps is something like this (with only local users):

  • create a role for each group of users with the access rights [Settings -- Roles -- New Role],
  • don't use "Inheritance" in role creation, but assign only the needed functions and indexes,
  • assign each user to one or more roles [Settings -- Users]
  • assign to each App only the roles for that App [Apps -- Manage Apps --- Permissions].
  • assign to each Knowledge Objects of each App only the roles for that App [Permissions].

In this way you're sure that each user can access only the neede Apps, Functions and Indexes.

Probably this video will help you https://www.youtube.com/watch?v=A4IRcdSKmys

If you use Active Directory or SAML as authentication the procedure is the same for the roles creation and different in User / rolesa association as you can see at https://docs.splunk.com/Documentation/Splunk/8.2.0/InheritedDeployment/Usersrolesandauthentication 

Ciao.

Giuseppe

Reply

adminp4l
Explorer
‎06-22-2021 08:35 PM

Hi 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-22-2021 11:25 PM

Hi @adminp4l,

let me know if I'll be able to help you  next time.

Ciao and happy splunking.

Giuseppe

P.S.: karma Points are appreciated 😉

Reply

adminp4l
Explorer
‎06-27-2021 11:55 PM

Hi 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-28-2021 02:15 AM

Hi @adminp4l,

at first check the enabled indexes for each roles: you have to give to each solo, only the access to the requested indexes.

Then you have to check if there's some "Inheritance", because in this case, the role takes the grantes of the inheritated role.

Ciao.

Giuseppe

Reply

adminp4l
Explorer
‎06-28-2021 10:01 PM

Hi 

Thanks for sharing the information, Can we get any video tutorial for the same.

Also we are implementing logs from our C# code. It would be much helpful if you can consider this also.

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-29-2021 11:53 PM

Hi @adminp4l,

use Google to search Splunk videos and you'll surely find!

Anyway, for Users and roles see this: https://www.youtube.com/watch?v=A4IRcdSKmys

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...