Splunk Enterprise 6.2.3
Splunk Enterprise Overview
Generated: 5/04/2015 5:21 am
Copyright (c) 2015 Splunk Inc. All Rights Reserved
Table of Contents
Introduction
  What's in this manual
About Splunk Enterprise
  About Splunk Enterprise
  About Splunk Enterprise users
  About Splunk Enterprise deployments
Splunk Enterprise Resources and Documentation
  Product resources
  Splunk Enterprise Administration
  Searching and Reporting
  Managing Knowledge
  Customize and Extend Splunk Enterprise
  Troubleshooting
Introduction
What's in this manual
This manual serves two purposes.
• About Splunk Enterprise: Provides a technical overview of Splunk Enterprise and its users. Discusses the Splunk Enterprise features and describes the components that make up a Splunk Enterprise deployment.
• Splunk Enterprise Resources and Documentation: Provides topics that help you navigate the documentation based on tasks you want to complete.
About Splunk Enterprise
About Splunk Enterprise
What is Splunk Enterprise
Splunk Enterprise is a software platform to search, analyze, and visualize the machine-generated data gathered from the websites, applications, sensors, devices, and so on, that comprise your IT infrastructure or business.
After you define the data source, Splunk Enterprise indexes the data stream and parses it into a series of individual events that you can view and search.
You can use the search processing language or the interactive pivot feature to create reports and visualizations.
Splunk Enterprise features
The following table highlights seven Splunk Enterprise features. You can read about more features on Splunk.com.
Feature | Description
Indexing | Splunk indexes machine data. This includes data streaming from packaged and custom applications, application servers, web servers, databases, networks, virtual machines, telecoms equipment, operating systems, sensors, and so on, that make up your IT infrastructure. The maximum indexing volume depends on the Splunk Enterprise license.
Data model | A data model is a hierarchically-structured search-time mapping of semantic knowledge about one or more datasets. It encodes the domain knowledge necessary to build a variety of specialized searches of those datasets. These specialized searches are used by Splunk Enterprise to generate reports for Pivot users. Data model objects represent different datasets within the larger set of data indexed by Splunk Enterprise.
Pivot | Pivot refers to the table, chart, or data visualization you create using the Pivot Editor. The Pivot Editor lets users map attributes defined by data model objects to a table or chart data visualization without having to write the searches to generate them. Pivots can be saved as reports and added to dashboards.
Search | Search is the primary way users navigate data in Splunk Enterprise. You can write a search to retrieve events from an index, use statistical commands to calculate metrics and generate reports, search for specific conditions within a rolling time window, identify patterns in your data, predict future trends, and so on. Searches can be saved as reports and used to power dashboard panels.
Alerts | Alerts are triggered when conditions are met by search results for both historical and real-time searches. Alerts can be configured to trigger actions such as sending alert information to designated email addresses, posting alert information to an RSS feed, and running a custom script, such as one that posts an alert event to syslog.
Reports | Reports are saved searches and pivots. You can run reports on an ad hoc basis, schedule them to run on a regular interval, or set a scheduled report to generate alerts when the results of their runs meet particular conditions. Reports can be added to dashboards as dashboard panels.
Dashboards | Dashboards are made up of panels that contain modules such as search boxes, fields, charts, tables, forms, and so on. Dashboard panels are usually hooked up to saved searches or pivots. They can display the results of completed searches as well as data from backgrounded real-time searches.
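As an added illustration of the Alerts row above (this stanza is not from the Splunk documentation), the following savedsearches.conf fragment defines a scheduled search that counts failed SSH logins per host over a rolling 15-minute window and, when a host crosses the threshold, notifies by email and runs a custom script. The index and sourcetype names, the recipient address, and the script name are assumptions; the key names follow the 6.x savedsearches.conf spec.

```ini
# Added example: a scheduled alert in savedsearches.conf (not from the Splunk docs).
# Assumed names: index "linux_auth", sourcetype "linux_secure", the recipient
# address, and a script placed under $SPLUNK_HOME/bin/scripts.
[Failed SSH logins - burst per host]
# The search: failed-password events grouped by host over the dispatch window;
# only hosts with 20 or more failures survive the where clause.
search = index=linux_auth sourcetype=linux_secure "Failed password" \
    | rex "Failed password for (invalid user )?(?<user>\S+) from (?<src>\S+)" \
    | stats count AS failures, dc(user) AS users, dc(src) AS sources BY host \
    | where failures >= 20
# Rolling 15-minute window, evaluated every 5 minutes.
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */5 * * * *
# Trigger condition: alert whenever the search returns at least one result row.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
# One alert per result (per host), with repeats for the same host suppressed for an hour.
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 1h
alert.track = 1
alert.severity = 4
# Actions: email the SOC, and run a script that can post the event to syslog.
action.email = 1
action.email.to = soc-alerts@example.com
action.email.subject = Splunk alert: $name$ on $result.host$
action.script = 1
action.script.filename = post_to_syslog.sh
```

The alert_* keys express the trigger condition, while the action.* keys map to the email and script actions the feature table describes.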
Download the Splunk Enterprise Quick Reference Guide
The Splunk Enterprise Quick Reference Guide (updated for version 6.1) is available only as a PDF file. It is a six-page reference card that provides information about Splunk Enterprise features, concepts, search commands, and search examples.
About Splunk Enterprise users
Splunk Enterprise serves different types of users. There are five main personas that use Splunk Enterprise:
Persona | Industry Role | Activities
Administrator | network engineer, system administrator | Configures, administers, optimizes, and secures the Splunk Enterprise deployment. Sets up user accounts and permissions. Gets data into Splunk Enterprise.
Knowledge Manager | data analyst, system administrator | Oversees knowledge object creation, normalization, and usage across teams, departments, and deployments. Gets the data into Splunk, or works with the administrator to do so. Creates and shares data models.
Search User | data analyst, IT professional, network engineer, security analyst, system administrator | Uses Search to investigate server problems, understand configurations, monitor user activities, and troubleshoot escalated problems. Builds reports and dashboards to monitor the health, performance, activity, and capacity of their IT infrastructure. Identifies patterns and trends that are indicators of routine problems.
Pivot User | business professional, data analyst, executive, IT professional, manager, system administrator | Uses Pivot to build reports based on data models created by the Knowledge Manager. Creates reports and dashboards to monitor their businesses. Identifies trends in the health and performance of their businesses.
Developer | system integrator, professional developer | Integrates data and functionality of applications with Splunk Enterprise. Builds Splunk Apps and add-ons with custom dashboards and data visualizations.
About Splunk Enterprise deployments
Splunk Enterprise and your IT infrastructure
Splunk Enterprise indexes data from the servers, applications, databases, network devices, virtual machines, and so on, that make up your IT infrastructure. As long as the machine that generates the data is a part of your network, Splunk Enterprise can collect the data from machines located anywhere, whether it is local (on-the-premises in a server room), remote (off-the-premises in a datacenter), entirely in the cloud, or a hybrid (such as on-premise and in the cloud).
Most users connect to Splunk Enterprise with a web browser and use Splunk Web to administer their deployment, manage and create knowledge objects, run searches, create pivots and reports, and so on. You can also use the command-line interface to administer your Splunk Enterprise deployment.
Splunk Enterprise supports a multi-user and distributed product architecture. This means that you can search and report on data spanning multiple Splunk Enterprise deployments within a single datacenter or globally across multiple datacenters and cloud infrastructures.
Splunk Enterprise Components
Component | Description
Apps | Apps are a collection of configurations, knowledge objects, and customer-designed views and dashboards that extend the Splunk Enterprise environment to fit the specific needs of organizational teams such as Unix or Windows system administrators, network security specialists, website managers, business analysts, and so on. A single Splunk Enterprise installation can run multiple apps simultaneously.
Forwarder | A forwarder is a Splunk Enterprise instance that forwards data to another Splunk Enterprise instance (an indexer or another forwarder) or to a third-party system.
Indexer | An indexer is the Splunk Enterprise instance that indexes data. The indexer transforms the raw data into events and stores the events into an index. The indexer also searches the indexed data in response to search requests.
Receiver | A receiver is a Splunk Enterprise instance configured to receive data from a forwarder. The receiver is either an indexer or another forwarder.
Search head | In a distributed search environment, the search head is the Splunk Enterprise instance that handles search management functions, directing search requests to a set of search peers and then merging the results back to the user. If this instance does only searching and not indexing, it is usually referred to as a dedicated search head.
Search peer | In a distributed search environment, the search peer is the Splunk Enterprise instance that performs indexing and fulfills search requests originating from the search head.
For more information about these components and their roles in a distributed deployment, see "Components and roles" in the Distributed Deployment Manual.
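To make the forwarder, receiver, and indexer roles concrete, here is an added example (not configuration from this manual) of a forwarder sending to two indexers over TLS, with the receiving side verifying and requiring client certificates. Host names, the port, and the certificate paths are assumptions, and the key names follow the 6.x outputs.conf and inputs.conf specs.

```ini
# Added example, not from the Splunk manual. Assumed host names, port 9997,
# and certificate paths under $SPLUNK_HOME/etc/auth/mycerts/.

# --- outputs.conf on the forwarder ---------------------------------------
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# The receivers: indexers listening on the splunktcp-ssl port. Two entries
# give the forwarder a failover target.
server = idx1.example.com:9997, idx2.example.com:9997
# The forwarder's own certificate (with private key) and the CA that signed
# the receivers' certificates; the receiver is checked by name, not only by CA.
sslCertPath = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
sslPassword = <placeholder: private key password>
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.com, idx2.example.com

# --- inputs.conf on each indexer (the receiver) ---------------------------
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
password = <placeholder: private key password>
rootCA = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
# Only forwarders presenting a certificate issued by our CA may send data.
requireClientCert = true
```

Without sslVerifyServerCert and requireClientCert the link is still encrypted, but neither side authenticates the other; both settings are what make the forwarder-to-receiver channel trustworthy.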
Splunk Enterprise Resources and Documentation
Product resources
This topic is an overview of the documentation, education, and community resources that help you find the information you want about Splunk Enterprise and other Splunk products.
Documentation
What are you looking for? | Where should you look?
Splunk Enterprise | Everything you need to know about Splunk Enterprise configuration and usage is in the Splunk Enterprise documentation. The following topics will help you find information in the Splunk Enterprise documentation: Splunk Enterprise Administration; Searching and Reporting; Managing Knowledge; Customize and Extend Splunk Enterprise; Troubleshooting.
Splunk products | Splunk products include Splunk Enterprise, Hunk, Splunk Cloud, and Splunk Storm. Each Splunk product has its own set of documentation, which can be found on the Splunk.com documentation site.
Splunkbase | Each app should have its own documentation. Typically, an app's documentation will be linked from the app's download page or included in the app's download package. An app's documentation will only be found on Splunk's documentation site if the app is supported by Splunk.
Splunk SDKs | Splunk SDKs are documented on the Splunk for Developers site. There you will find information, tutorials, and examples for each of the Splunk SDKs. Find module libraries and other reference materials on the Splunk documentation site for SDKs.
Education
What are you looking for? | Where should you look?
Splunk Education | Splunk Classes and Certification Tracks
How-to video tutorials | Splunk Education Videos
Community
What are you looking for? | Where should you look?
Splunk Answers | If you cannot find what you are looking for in the documentation, search Splunk Answers to see what the community has to say or ask your question there.
#splunk | Log in to an IRC server on EFnet and chat with Splunk developers, Splunk Support, and other Splunk community members.
Splunk Enterprise Administration
This topic lists tasks that administrators might want to do and takes you to the manuals and topics to learn how to do them.
Install and upgrade Splunk Enterprise
The Installation Manual describes how to install and upgrade Splunk Enterprise.
Task | Look here
Understand installation requirements | Plan your installation
Estimate hardware capacity needs | Estimate hardware requirements
Install Splunk | Install Splunk on Windows; Install Splunk on Unix, Linux, or Mac OS
Upgrade Splunk | Upgrade from an earlier version
Perform backups | Back up configuration information; Back up indexed data; Set a retirement and archiving policy
Get data into Splunk Enterprise
Getting Data In is the place to go for information about Splunk data inputs, including how to consume data from external sources and how to enhance the value of your data.
Task | Look here
Learn how to consume external data | How to get data into Splunk
Configure file and directory inputs | Get data from files and directories
Configure network inputs | Get network events
Configure Windows inputs | Get Windows data
Configure miscellaneous inputs | Other ways to get stuff in
Enhance the value of your data | Configure event processing; Configure timestamps; Configure indexed field extraction; Configure host values; Configure source types; Manage event segmentation
See how your data will look after indexing | Preview your data
Improve the process | Improve the data input process
Understand the data pipeline | How data moves through Splunk Enterprise: the data pipeline
Manage indexes and indexers
Managing Indexers and Clusters tells you how to configure indexes. It also explains how to manage the components that maintain indexes: indexers and clusters of indexers.
Task | Look here
Learn about indexing | Indexing overview
Manage indexes | Manage indexes
Manage index storage | How the indexer stores indexes
Back up indexes | Back up indexed data
Archive indexes | Set a retirement and archiving policy
Learn about clusters and index replication | About clusters and index replication
Deploy clusters | Deploy clusters
Configure clusters | Configure clusters
Manage clusters | Manage clusters
Learn about cluster architecture | How clusters work
Scale Splunk Enterprise
The Distributed Deployment Manual describes how to distribute Splunk Enterprise functionality across multiple components, such as forwarders, indexers, and search heads. Associated manuals cover distributed components in detail:
• The Forwarding Data Manual describes forwarders.
• The Distributed Search Manual describes search heads.
• The Updating Splunk Components Manual explains how to use the deployment server and forwarder management to manage your deployment.
Task | Look here
Learn about distributed Splunk | Distributed Splunk overview
Perform capacity planning for Splunk deployments | Estimate hardware requirements
Learn how to forward data | Forward data
Distribute searches across multiple indexers | Search across multiple indexers
Update the deployment | Deploy configuration updates across your environment
Secure Splunk Enterprise
Securing Splunk discusses how to secure your Splunk Enterprise deployment.
Task | Look here
Authenticate users and edit roles | User and role-based access control
Secure Splunk data with SSL | Secure authentication and encryption
Audit Splunk | Audit Splunk activity
Use Single Sign-on (SSO) with Splunk | Configure Single Sign-on
Use Splunk with LDAP | Set up user authentication with LDAP
Searching and Reporting
The Searching and Reporting app lets you search your data, create data models and pivots, save your searches and pivots as reports, configure alerts, and create dashboards.
Searching
The Search Manual discusses how to search and use the Search Processing Language (SPL). See the Search Reference Manual for a catalog of the search commands with syntax, descriptions, and examples for each command.
Task | Look here
You are new to Splunk Enterprise and want to learn how to search and use the search processing language | Start with the Search Tutorial
Learn more about the search processing language | About search; About the search language; The search processing language syntax; About transforming commands and searches; About real-time searches and reports
Find a specific search command or function | List of search commands; List of search commands by category; List of functions for eval and where; List of functions for stats, chart, and timechart
Manage search jobs | About jobs and jobs management; View search job properties with the Search Jobs Inspector
Creating Pivots
The Knowledge Manager Manual includes a section that discusses how to design and build data models using the data model editor. The Pivot Manual discusses how to build pivot tables and charts.
Task | Look here
You are new to Splunk Enterprise and want to learn about data models and pivots | Pivot Tutorial
Learn about data models and how to build them | About data models
Learn more about Pivot and how to use the Pivot Editor to design tables and charts | Pivot Manual
Reporting
See more about reports and report management in the Reporting manual.
Task | Look here
Use search commands to generate reports | About transforming commands and searches
Learn about the different kinds of visualizations (tables, charts, event listings, and so on) | Visualization Reference; Data structure requirements for visualizations
Save a search or pivot as a report | Create and edit reports
Accelerate a report | Understand requirements for report acceleration; Accelerate reports
Schedule a report | Schedule reports
Generate a PDF of your report | Generate PDFs of your reports and dashboards
Alerting
See how to create and dispatch alerts in the Alerting Manual.
Task | Look here
Learn about alerts | About alerts
Set up email notifications, RSS notifications, or alert scripts | Set up alert actions
See alerting examples | Alert Examples
See recently triggered alerts | Review triggered alerts using the Alert Manager
Set up alerts using the configuration files | Configure alerts in savedsearches.conf
Creating dashboards and visualizations
Task | Look here
Learn about dashboards | Overview of dashboards
Learn how to create and edit dashboards | Create and edit dashboards via Splunk Web; Edit dashboard panel visualizations; Build and edit dashboards with simple XML
Learn about the different kinds of visualizations (tables, charts, event listings, and so on) | Visualization Reference; Data structure requirements for visualizations
Learn about the default activity and summary dashboards | Splunk default dashboards
Learn about the Splunk Web Framework | Splunk Web Framework Overview
Managing Knowledge
These tables direct you to topics for understanding and managing knowledge objects such as events, fields, lookups, and data models.
Splunk Enterprise Knowledge
Task | Look here
Understand Splunk Enterprise knowledge | What is Splunk Enterprise Knowledge?; Understand and use the Common Information Model
Manage knowledge objects | Monitor and organize knowledge objects; Disable or delete knowledge objects
Events and event processing
Task | Look here
Configure event processing | Configure event processing
Manage event segmentation | Manage event segmentation
Understand events and event types | About event types; Classify and group similar events
Fields and field extractions
Task | Look here
Understand fields | About fields; Use default fields; Configure multivalue fields; Define calculated fields
Understand and manage field extractions | About fields; When Splunk Enterprise extracts fields; Manage search-time field extractions; About Splunk Enterprise regular expressions
Build Data models
Task | Look here
Learn about data models and objects | About data models
Manage data models and objects | Manage data models
Use the Data Model Editor | Design data models and objects
Customize and Extend Splunk Enterprise
Developers can build Splunk Apps and integrate Splunk Enterprise with other tools and applications. Follow these links to help you get started.
Develop Splunk Apps
Task | Look here
Use the Splunk Web Framework | Splunk Web Framework Overview
See Splunk Web Framework examples | Splunk Web Framework code examples
See Splunk Web Framework components | Splunk Web Framework Component Reference
Use the Splunk REST API
Using the Splunk REST API, developers can programmatically index, search, and visualize data in Splunk Enterprise from any application.
Task | Look here
Get started with the Splunk REST API | Splunk REST API Overview
Learn how to use the Splunk REST API | REST API Tutorials
Understand how to improve your logs to work with Splunk | Logging overview; Logging best practices
See the REST API Reference | REST API Reference
Download and install the Splunk SDKs
Find information about Splunk SDKs on the Splunk for Developers site and the Splunk Documentation site for SDKs.
Task | Look here
Learn more about the Splunk SDKs | Overview of the Splunk SDKs
See the code library and examples for a Splunk SDK | Splunk SDK Reference
Extend Splunk Enterprise Functionality
Developers can expand the search language to perform custom processing or calculations and customize data inputs programmatically.
Task | Look here
Expand the search language | Write custom search commands; Create and use search macros; Configure scripted alerts
Manage custom data inputs | Scripted inputs overview; Modular inputs overview
Troubleshooting
The Troubleshooting Manual discusses how to analyze activity and diagnose problems with Splunk Enterprise. You can also look in other manuals to find specific information. For example, you can find topics on how to improve search performance in the Search Manual.
Task | Look here
Learn about new features, known issues, and fixed problems | What's new in this version; Known issues for this release
Learn about Splunk Enterprise troubleshooting tools | Introduction to troubleshooting Splunk Enterprise; Use btool to troubleshoot configurations; Use the Splunk on Splunk App
Use the Platform Instrumentation Framework | About the platform instrumentation framework
Understand Splunk Enterprise log files | What Splunk Enterprise logs about itself; About metrics.log
Troubleshoot search performance | Write better searches; View search properties with the Search Job Inspector
Troubleshoot license violations | About license violations; Use the License Usage Report View