Tyler Garmin- Kansas City


DESCRIPTION

SplunkLive! Kansas City 2012


About Me

Linux System Administrator

Husband and Father of 2 Kids

DevOps, Productivity Hacks and Tools, The Big Lebowski

Growing Splunk

Tyler Rutschman - Garmin International

OH: (during an outage) I don’t want to live in a world without Splunk.

Backstory

Free instance installed in 2009

Single Instance on Central Log server

Upgrade to Enterprise

Level 2

Split Splunk onto dedicated instance

License overwhelmed by Garmin Connect

Limited visibility and use

IF YOU HAVE MORE INPUTS THAN LICENSE

YOU’RE GONNA HAVE A BAD TIME

Super Cool Ski Instructor

Plan for Expansion

Decided to make application more robust

Read the Documentation

.conf 2011

Enterprise Architecture

Outline

Puppet Deployment

Infrastructure Layout

Gotchas

Future Plans

Puppet

Search, Indexer and Forwarder are “turn-key”

ex: include splunk::indexer ...done

Really Awesome for Forwarders

Why not use Splunk Deployment Manager?

Infrastructure

How We Use Splunk

Web Access Logs

Internal Application Audits

Windows Security Events

Why I Like Splunk

Makes Users Happy

Real Time Data

No Alternatives

Gotchas

Don’t Index a lot of data over NFS

Shared Knowledge Bundle Time Sync

Tag and Search permissions

Future Plans

Scale Central System Logging

More Splunk from a User/Developer POV

Additional Inputs

Training

Tips and Advice

WMI Event Filter for Windows Events - http://t.co/gexrFnrc

Splunkbase Answers

Questions & Feedback
