I am a new user to Splunk and am having difficulty understanding how to use it. I have some questions to start with. Please answer them, so that my use of Splunk can be easy.
1) Does Splunk need to be installed on every server whose log files are to be searched?
2) If I install Splunk on my laptop, how do I specify the files to be indexed and what fields are to be indexed? Does every file that needs to be indexed need to be specified in Splunk?
3) If I have installed Splunk on 6 servers, how can I link all these instances for viewing? E.g. I have installed Splunk on 3 servers and then I install it on a 4th server; how do I add this 4th server in the UI to make it available for viewing?
4) Do I need to specify which events to index from a file?
Are all these things for a user OR administrator OR developer?
What language knowledge does a Splunk developer need?
Does a Splunk administrator need knowledge of the operating system only, OR does he need anything more than that?
Thanks
1) Does Splunk need to be installed on every server whose log files are to be searched?
You need to install a forwarder on the servers from which you want to read the data; you can also configure syslog on the servers and send the data to Splunk.
2) If I install Splunk on my laptop, how do I specify the files to be indexed and what fields are to be indexed? Does every file that needs to be indexed need to be specified in Splunk?
You need to specify the file (in inputs.conf) in Splunk, or you can upload a file from the web GUI. If the file format is already known to Splunk (like CSV etc.) then it will create fields, else you need to create the fields.
3) If I have installed Splunk on 6 servers, how can I link all these instances for viewing? E.g. I have installed Splunk on 3 servers and then I install it on a 4th server; how do I add this 4th server in the UI to make it available for viewing?
It depends on what Splunk components are in this setup.
You need to check the docs at http://docs.splunk.com/Documentation/Splunk and the connection between the different components.
4) Do I need to specify which events to index from a file?
No, every event will be indexed in Splunk, and you need to break events properly.
Are all these things for a user OR administrator OR developer?
It's more for the administrator but can be for the developer also.
What language knowledge does a Splunk developer need?
You need XML, advanced XML, Python, regex.
Does a Splunk administrator need knowledge of the operating system only, OR does he need anything more than that?
Basic networking, regex, etc.
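As an added illustration of the steps the answer above describes (a file declared in inputs.conf, a forwarder sending to an indexer, events broken properly, and regex-based field creation), here is an example configuration written for this thread. It is not from the original post or from Splunk's documentation; the file path, hostname, sourcetype name and log line format are assumed, and 9997 is only the conventional receiving port.

```ini
# inputs.conf on the forwarder (or on a single laptop install).
# One [monitor://...] stanza per file or directory you want indexed.
# Path and sourcetype name are assumed for this example.
[monitor:///var/log/myapp/app.log]
sourcetype = myapp_log
index = main
disabled = false

# outputs.conf on a universal forwarder: where the data is sent.
# Hostname is assumed; 9997 is the port an indexer is usually
# configured to receive on.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = splunk-indexer.example.com:9997

# props.conf on the indexer (or the same laptop install): how the file
# is broken into events, where the timestamp is, and which fields to
# extract at search time. Assumed log format (constructed example):
#   2014-09-01 12:00:01,123 WARN  [auth] user=alice src=10.0.0.5 msg="login failed"
[myapp_log]
# Each event starts at a line beginning with a YYYY-MM-DD date; lines
# that do not (stack traces, wrapped text) stay attached to the previous event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} )
# Timestamp is at the start of the event, 23 characters long.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
# Search-time extractions: named capture groups become field names.
EXTRACT-level_component = ^\S+ \S+ (?<level>\w+)\s+\[(?<component>[^\]]+)\]
EXTRACT-user_src = user=(?<user>\S+) src=(?<src>\S+)
```

The LINE_BREAKER lookahead is what decides event boundaries, so it is worth checking it against a sample of the real file before indexing in volume: a wrong pattern silently merges or splits events, and that cannot be corrected without re-indexing. Search-time EXTRACT regexes, by contrast, can be changed at any time.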
Here's a rundown of all the ways you can get data into Splunk:
http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchTutorial/AboutgettingdataintoSplunk
Take some time to read the tutorial:
http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchTutorial/WelcometotheSearchTutorial
Yes, it's provided by Splunk.
http://docs.splunk.com/Splexicon:Universalforwarder
http://www.splunk.com/download/universalforwarder
http://docs.splunk.com/Special:SplunkSearch/docs?q=universal+forwarder
It's not 100% a requirement - it depends on exactly what you need to do, and what the best way to do that thing is. It's not necessary to collect syslog at all, for instance. However, it's very useful for collecting log files.
Is the forwarder software provided by Splunk that needs to be installed on the runtime environment? Can we not get logs from the runtime environment without a forwarder? Is the forwarder deployment software? Can we use any other deployment software instead of the forwarder?
Thanks
As for languages, you'll need to get to know Splunk's search language, and if you make dashboards, those are done in XML. If you want to do anything really fancy (like creating a custom search command), you'll have to know Python.
Hope this can get you started.