Question for new user

jigneshjsoni71
New Member

I am a new user to Splunk and am having difficulty understanding how to use it. I have some questions to start with. Please answer them, so that my use of Splunk can be easy.

1) Does Splunk need to be installed on every server, whose log files are to be searched ?

2) If I install Splunk on my laptop, how do I specify the files to be indexed and which fields to be indexed? Does every file that needs to be indexed have to be specified in Splunk?

3) If I have installed Splunk on 6 servers, how can I link all these instances for viewing? E.g. I have installed Splunk on 3 servers and then I install it on a 4th server; how do I add this 4th server in the UI to make it available for viewing?

4) Do I need to specify which event to index from a file ?

Are all these things for a user OR Administrator OR developer ?

What language knowledge does a Splunk developer need ?

Does a Splunk Administrator need knowledge of operating system only OR does he need anything more than that ?

Thanks


kml_uvce
Builder

1) Does Splunk need to be installed on every server whose log files are to be searched?
You need to install a forwarder on the servers from which you want to read the data; you can also configure syslog on the servers and send the data to Splunk.
2) If I install Splunk on my laptop, how do I specify the files to be indexed and which fields to be indexed? Does every file that needs to be indexed have to be specified in Splunk?
You need to specify the file (in inputs.conf) in Splunk; you can also upload a file from the web GUI. If the file format is already known to Splunk (like CSV etc.) then it will create the fields, else you need to create the fields.
3) If I have installed Splunk on 6 servers, how can I link all these instances for viewing? E.g. I have installed Splunk on 3 servers and then I install it on a 4th server; how do I add this 4th server in the UI to make it available for viewing?
It depends on which Splunk components are in this setup.
You need to check the docs at http://docs.splunk.com/Documentation/Splunk and the connections between the different components.
4) Do I need to specify which events to index from a file?
No, every event will be indexed in Splunk, and you need to break the events properly.

Are all these things for a user OR Administrator OR developer ?
It's more for an Administrator but can be for a developer also.

What language knowledge does a Splunk developer need ?
You need XML, advanced XML, Python, regex.

Does a Splunk Administrator need knowledge of operating system only OR does he need anything more than that ?
Basic networking, regex, etc.

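The answer above points at inputs.conf for choosing files, at a forwarder for collection, and at event breaking for the indexed data. The following is an added example of those three pieces together, written for this page rather than taken from the thread or from Splunk's own docs. Hostnames, paths, index names, the `myapp_log` sourcetype and its timestamp format are assumed for illustration; the `sslPassword` values are placeholders for the private-key passphrases (Splunk rewrites them in hashed form on restart). The forwarder-to-indexer link is deliberately shown with mutual TLS, because a cleartext port 9997 open to the network is the first thing a reviewer of a Splunk deployment will flag.

```ini
# ======== Universal forwarder, on each server being collected ========
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Each [monitor://] stanza names one file or directory to tail. Only files
# listed here are read; nothing else on the host is indexed.
[monitor:///var/log/auth.log]
sourcetype = linux_secure        # pretrained sourcetype, no props.conf needed
index = os
disabled = 0

[monitor:///opt/myapp/logs/app.log]   # assumed application log path
sourcetype = myapp_log            # custom sourcetype, event breaking defined below
index = app
disabled = 0

# $SPLUNK_HOME/etc/system/local/outputs.conf
# Where the forwarder sends what it reads.
[tcpout]
defaultGroup = secure_indexers

[tcpout:secure_indexers]
server = splunk-idx01.example.com:9997   # assumed indexer hostname
# Encrypt the link and authenticate both ends: the forwarder presents a
# client certificate and refuses indexers whose certificate does not match.
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = <forwarder-key-passphrase>
sslVerifyServerCert = true
sslCommonNameToCheck = splunk-idx01.example.com

# ======== Indexer (or the single Splunk instance on the laptop) ========
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Receive forwarder traffic over TLS only and require a client certificate,
# so a rogue host cannot inject fake events into the index.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = <indexer-key-passphrase>
requireClientCert = true
sslVersions = tls1.2

# $SPLUNK_HOME/etc/system/local/props.conf
# Event breaking for the custom sourcetype. Assumed format: each event starts
# with an ISO-8601 timestamp; stack-trace continuation lines do not, so they
# stay attached to the event they belong to.
[myapp_log]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE = 10000
```

The props.conf stanza belongs on the instance that parses the data (the indexer, or a heavy forwarder), not on a universal forwarder, which does no parsing. After editing, restart the forwarder and confirm the merged settings with `$SPLUNK_HOME/bin/splunk btool inputs list --debug` and `... btool outputs list --debug`; a stanza that does not appear there is in the wrong directory.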

aweitzman
Motivator

Yes, it's provided by Splunk.

http://docs.splunk.com/Splexicon:Universalforwarder

http://www.splunk.com/download/universalforwarder

http://docs.splunk.com/Special:SplunkSearch/docs?q=universal+forwarder

It's not 100% a requirement - it depends on exactly what you need to do, and what the best way to do that thing is. It's not necessary to collect syslog at all, for instance. However, it's very useful for collecting log files.

jigneshjsoni71
New Member

Is the forwarder software that is provided by Splunk, and does it need to be installed on the runtime environment? Can we not get logs from the runtime environment without the forwarder? Is the forwarder deployment software? Can we use any other deployment software instead of the forwarder?

Thanks

aweitzman
Motivator
  1. No, you can also install Splunk in one place and forward the logs from other servers to it. If you have a large installation, you'll want multiple machines running Splunk in a distributed fashion (see 3), but they'll all be looking at that multi-sourced data.
  2. You specify files to be indexed in a number of ways. It would be easier if you described a specific use case that the Answers community can help you with. You should look at http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/WhatSplunkcanmonitor to start, and then ask more targeted questions.
  3. A Splunk "instance" consists of one or multiple machines handling multiple tasks (forwarding, indexing, etc.) over the same data. You can read about it here: http://docs.splunk.com/Documentation/Splunk/6.1.3/Deploy/Distributedoverview
  4. You do need to specify which things to index from your file. These instructions can be very simple or very complex. Again, it depends on the use case. The link in 2 should help here as well.

As for languages, you'll need to get to know Splunk's search language, and if you make dashboards, those are done in XML. If you want to do anything really fancy (like create a custom search command), you'll have to know Python.

Hope this can get you started.
