Monitoring Splunk

Splunk enterprise configuration

adminp4l
Explorer
Hi,
 
We are planning to go for Splunk Enterprise. Could you please clarify my queries below, to help us understand better?
 
1. Can we use multiple projects in one login itself?
2. How can we search individual projects in Splunk, meaning each project owner only has access to, or visibility of, their particular projects?
3. Does all logging happen on the server where we host our applications?
4. Duration for maintaining all logs. Do we get logs for the last 1 year? I can see up to 30 days in the filter option.
5. Cost for the subscription, including support.
6. What about the renewal options?
 

gcusello
SplunkTrust

Hi @adminp4l ,

I'll try to answer your questions:

1. Can we use multiple projects in one login itself?
If you're speaking of Splunk Cloud, users of a subscription can access only the data and apps of that subscription.
Then, in Splunk it's possible to define roles (containing even a single user) and to give a role the grants on an App or on one or more knowledge objects.
So each login can see the Apps shared with his role, plus the Search and Reporting App that's common to all (it's also possible to disable access to this app).
 

2. How can we search individual projects in Splunk, meaning each project owner only has access to, or visibility of, their particular projects?

What do you mean by "Projects"?

If you mean an App, each user can build his apps and define the share rules:
  • Open to all: sharing with "Everyone" apps and knowledge objects,
  • Open to App: sharing objects at app level and defining the roles that can access an app,
  • Private: each user can see only his apps and knowledge objects.

3. Does all logging happen on the server where we host our applications?

Splunk logs every action on the system in the _audit and _internal indexes.

4. Duration for maintaining all logs. Do we get logs for the last 1 year? I can see up to 30 days in the filter option.

If you're speaking of Splunk on-premises, you can define the retention of your logs yourself, but remember that you have to do a Capacity Plan to define the storage requirements for a retention of one year.

If instead you're speaking of Splunk Cloud, the default retention is 90 days but you can buy a longer retention.

About filters, to my knowledge it isn't possible to limit the filtering period; you can delete the default filter options greater than 30 days, but this doesn't limit the possibility of manually setting a greater search period.

5. Cost for the subscription which includes support.

About costs, they depend on the volume of your logs: you pay a license for the daily indexed logs.

You have to define your usual log volume and buy a license for it; you can exceed this value 45 times in the last 60 days, so you have to make a precise Capacity Plan for your license.

For the cost, you have to ask your Splunk partner, who asks the local distributor.

Here you can find more info:

https://www.splunk.com/en_us/software/pricing.html?utm_campaign=google_emea_tier2_en_search_brand

On the Internet there is also this site, but I'm not sure it's an official Splunk site: https://splunkpricing.com/

Some months ago there was an official Splunk prices page, but now there isn't one anymore.

6. What about the renewal options?
You can renew your subscription when it's about to expire, by contacting the Partner that sold you the original subscription.
 
Ciao.
Giuseppe

adminp4l
Explorer

It would be helpful if you could provide a tutorial about this topic for Splunk Enterprise.


gcusello
SplunkTrust

Hi @adminp4l,

Which topic are you speaking of?

You can find a Tutorial for the SQL (the search language of Splunk) at https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchTutorial/WelcometotheSearchTutorial

You can find free courses about Splunk fundamentals and architecture at https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html and https://www.splunk.com/en_us/training/free-courses/splunk-infastructure-overview.html

Then you can find many videos on YouTube.

Ciao.

Giuseppe

adminp4l
Explorer

Dear Gcusello,

I am using Splunk Enterprise and am looking for how to configure it so that only the respective team members have access to their own projects, and not to other projects.

It would be very helpful if you could provide any tutorials for creating logs for multiple projects, with permission to access them in one login itself.


gcusello
SplunkTrust

Hi @adminp4l,

as you can see at https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/Aboutusersandroles, the steps to configure access grants to apps are something like this (with only local users):

  • create a role for each group of users with the access rights [Settings -- Roles -- New Role],
  • don't use "Inheritance" in role creation, but assign only the needed functions and indexes,
  • assign each user to one or more roles [Settings -- Users],
  • assign to each App only the roles for that App [Apps -- Manage Apps -- Permissions],
  • assign to each Knowledge Object of each App only the roles for that App [Permissions].

In this way you're sure that each user can access only the needed Apps, Functions and Indexes.

Probably this video will help you: https://www.youtube.com/watch?v=A4IRcdSKmys

If you use Active Directory or SAML for authentication, the procedure is the same for role creation and different for the user/role association, as you can see at https://docs.splunk.com/Documentation/Splunk/8.2.0/InheritedDeployment/Usersrolesandauthentication

Ciao.

Giuseppe

adminp4l
Explorer

Hi 


gcusello
SplunkTrust

Hi @adminp4l,

let me know if I'll be able to help you next time.

Ciao and happy splunking.

Giuseppe

P.S.: karma Points are appreciated 😉

adminp4l
Explorer

Hi 


gcusello
SplunkTrust

Hi @adminp4l,

first check the enabled indexes for each role: you have to give each role access only to the requested indexes.

Then you have to check if there's some "Inheritance", because in this case the role takes the grants of the inherited role.

Ciao.

Giuseppe
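The two posts above (the role/App permission steps, and the later advice to check each role's indexes and inheritance) can be verified from the configuration itself. This is an added example, not Giuseppe's code and not a Splunk tool: it parses an authorize.conf-style fragment (the `role_<name>` stanzas and the `importRoles` / `srchIndexesAllowed` / `srchIndexesDefault` keys are real Splunk keys, but the two roles and their values are constructed for illustration) and flags roles that inherit or can search wildcard or internal indexes.

```python
import configparser

# Constructed authorize.conf fragment (not from the thread): role_project_a
# follows the advice above (no inheritance, only its own index), while
# role_project_legacy is deliberately misconfigured to show what the audit flags.
AUTHORIZE_CONF = """
[role_project_a]
importRoles =
srchIndexesAllowed = project_a
srchIndexesDefault = project_a
search = enabled

[role_project_legacy]
importRoles = user
srchIndexesAllowed = *;_audit
srchIndexesDefault = main
search = enabled
"""

def parse_authorize(text: str) -> configparser.ConfigParser:
    """Parse authorize.conf-style stanzas; keys keep Splunk's camelCase."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def _values(cp: configparser.ConfigParser, stanza: str, key: str) -> list[str]:
    # Split a ';'-separated Splunk list, tolerating an empty or missing key.
    raw = cp.get(stanza, key, fallback="") or ""
    return [v.strip() for v in raw.split(";") if v.strip()]

def audit_roles(text: str) -> dict[str, list[str]]:
    """Return {role: [findings]}; an empty list means the role is isolated."""
    cp = parse_authorize(text)
    report: dict[str, list[str]] = {}
    for stanza in cp.sections():
        if not stanza.startswith("role_"):
            continue
        problems = []
        for parent in _values(cp, stanza, "importRoles"):
            problems.append(f"inherits indexes and capabilities from '{parent}'")
        for idx in _values(cp, stanza, "srchIndexesAllowed"):
            if "*" in idx or idx.startswith("_"):
                problems.append(f"wildcard or internal index '{idx}' in srchIndexesAllowed")
        report[stanza[len("role_"):]] = problems
    return report
```

Run it against your own `authorize.conf` text to get a per-role list of findings; a role that inherits from `user` is flagged even if its own `srchIndexesAllowed` looks narrow, which is the "Inheritance" trap Giuseppe points out.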

adminp4l
Explorer

Hi 

Thanks for sharing the information. Can we get any video tutorial for the same?

Also, we are implementing logs from our C# code. It would be very helpful if you could consider this as well.


gcusello
SplunkTrust

Hi @adminp4l,

use Google to search for Splunk videos and you'll surely find some!

Anyway, for Users and roles see this: https://www.youtube.com/watch?v=A4IRcdSKmys

Ciao.

Giuseppe
