This Splunk Tutorial gives you an overview and talks about the fundamentals of Splunk.
What is Splunk?
Splunk is a powerful, yet simple analytical tool fast gaining traction in the fields of big data and operational intelligence. Using Splunk, you can monitor data in real time, or mine your data after the fact. Splunk’s visualizations aid in locating the needle of value in a haystack of data. Geolocation support spreads your data across a map, allowing you to drill down to geographic areas of interest. Alerts can run in the background and trigger to warn you of shifts or events as they are taking place.
With Splunk you can immediately recognize and react to changing trends and shifting public opinion as expressed through social media, and to new patterns of eCommerce and customer behavior. The ability to immediately recognize and react to changing trends provides a tremendous advantage in today’s fast-paced world of Internet business. Big Data Analytics Using Splunk opens the door to an exciting world of real-time operational intelligence.
Splunk Core Components
- Splunk is a powerful platform for analyzing machine data, data that machines emit in great volumes but which is seldom used effectively. Machine data is already important in the world of technology and is becoming increasingly important in the world of business.
- The first place that Splunk took hold, naturally, was the datacenter, which is awash in machine data. Splunk became popular with system administrators, network engineers, and application developers as an engine to quickly understand (and increase the usefulness of) machine data.
- In most computing environments, many different systems depend on each other. Monitoring systems send alerts after something goes wrong. For example, the key web pages of a site may depend on web servers, application servers, database servers, file systems, load balancers, routers, application accelerators, caching systems, and so on. When something goes wrong in one of these systems, say a database, alarms may start sounding at all levels, seemingly at once. When this happens, a system administrator or application specialist must find the root cause and fix it.
- Because almost everything we do is assisted in some way by technology, the information collected about each of us has grown dramatically. Many of the events recorded by servers actually represent behavior of customers or partners. Splunk customers figured out early on that web server access logs could be used not only to diagnose systems but also to better understand the behavior of the people browsing a website.
- Splunk does something that no other product can: efficiently capture and analyze massive amounts of unstructured, time-series textual machine data. Although IT departments generally start out using Splunk to solve technically esoteric problems, they quickly gain insights valuable elsewhere in their business.
- One of the common characteristics of machine data is that it almost always contains some indication of when the data was created or when an event described by the data occurred. Given this characteristic, Splunk’s indexes are optimized to retrieve events in time-series order. If the raw data does not have an explicit timestamp, Splunk assigns the time at which the event was indexed by Splunk to the events in the data or uses other approximations, such as the time the file was last modified or the timestamp of previous events. The only other requirement is that the machine data be textual, not binary, data. All these features will be covered in Splunk Training in detail.
Deployment Options for Splunk
For a multiserver deployment, you need to add your indexers as search peers on the Splunk Enterprise instance that you designate as a search head.
Downloading and installing Splunk Enterprise
What you need for this tutorial
Before you can start this tutorial, you need to download, install, and start Splunk version 6.0beta. This topic discusses the requirements you need to run Splunk on your system and what you need to know about Splunk licenses.
If you already have access to a running Splunk server instance, you can skip this chapter and start with Part 2: Getting started with Splunk.
Splunk is a high-performance application that runs on most computing platforms:
Linux, Unix, Windows, and Mac OS. For this tutorial, you need a Windows or Mac OS X computer or laptop that meets at least the following specifications:
Once you install Splunk on your machine, you access it using a web browser. Splunk 6.0+ supports the latest versions of Firefox, Chrome, and Safari browsers.
This is just a snapshot of Splunk’s system requirements; for the complete list of specifications, see the “System Requirements” topic in the Installation manual.
Splunk licenses, briefly
Splunk licenses limit the volume of data that your Splunk installation is entitled to index in a single day. Splunk runs with either an Enterprise license or a Free license. When you download Splunk for the first time, you get an Enterprise trial license that expires after 60 days. This trial license entitles the server to 500 MB/day indexing and all of the Enterprise features.
Note: If the Enterprise trial license expires, you can switch to the perpetual Free license – It’s included! – or purchase an Enterprise license. Read more about “Types of Splunk licenses” in the Admin Manual.
Now that you know what you need to run Splunk on your system, continue to the next topic to read about downloading Splunk.
Where and which Splunk to download
Splunk supports installation of most operating systems. This tutorial focuses mainly on Linux, Windows, and Mac OS X. When necessary, the differences between OS-specific functionality will be mentioned throughout this tutorial.
Which Splunk to download
Splunk provides three install options for Linux: an RPM download for RedHat, a DEB package for Debian Linux, and a tar file installer. For this tutorial, you can use any of these installers.
Splunk provides two Windows installers, an MSI file and a compressed zip file. For this tutorial, use the MSI file graphical installer.
Splunk provides two Mac OS X installers, a DMG package and a tar file installer. For this tutorial, use the DMG packaged graphical installer.
Where to download Splunk
Download the latest version of Splunk from the download page.
Note: If you’re not logged into Splunk.com, clicking the download package will redirect you to a registration form. If you don’t already have a Splunk.com account, sign up for one.
Now that you’ve downloaded Splunk, continue to the next topic to install the software on your machine.
Install Splunk on Linux, Windows, or Mac OS X
The previous topic told you where to download Splunk for Linux, Windows, or Mac OS X. This topic provides brief install instructions for each of these platforms.
If you want to complete this tutorial on another supported OS, refer to the “Step-by-step installation instructions” for that platform and continue to Part 2: Getting started with Splunk.
Linux install instructions
Splunk provides 3 Linux installer options: an RPM, a DEB, and a compressed .tar file. Below are brief installation instructions for each of these installers.
Note: You need to have access to a command line interface (CLI). By default, Splunk installs into the /opt/splunk directory on Linux.
To install the Splunk RPM, type the following into the CLI. Use the optional --prefix flag if you want to install Splunk into a different directory.
rpm -i --prefix=/opt/new_directory splunk_package_name.rpm
To install the Splunk DEB package, type the following into the CLI. You can only install the Splunk DEB into the default /opt/splunk directory.
dpkg -i splunk_package_name.deb
To install Splunk using the compressed tar file, expand the file into the appropriate directory using the tar command. The default install directory is /splunk in the current working directory. To install into a specific directory, such as /opt/splunk, use the -C option:
tar xvzf splunk_package_name.tgz -C /opt
For more detailed instructions for installing Splunk on Linux, refer to the Step-by-step Linux installation instructions in the Installation manual.
Windows install instructions
Follow these instructions to install Splunk using the MSI graphical installer.
- To start the installer, double-click the splunk.msi file.
- In the Welcome panel, click Next.
- Read the licensing agreement and check the box next to “I accept the terms in the license agreement”. Click Next to continue installing.
- In the Customer Information, enter the requested details and click Next.
- In the Destination Folder panel, click Change… to specify a different location to install Splunk, or click Next to accept the default value.
Splunk is installed by default into the \Program Files\Splunk directory.
The Logon Information panel is displayed.
- In the Logon Information panel, select Local system user and click Next.
If you want to learn about the other user option, refer to the detailed instructions for installing Splunk on Windows.
- After you specify a user, the pre-installation summary panel is displayed. Click Install to proceed.
- In the Installation Complete panel, check the boxes to Launch browser with Splunk and Create Start Menu Shortcut now.
- Click Finish.
The installation completes, Splunk starts, and Splunk Web launches in a supported browser.
Mac OS X install instructions
Follow these instructions to install Splunk using the DMG graphical installer.
- Navigate to the folder or directory where the installer is located.
- Double-click on the DMG file.
A Finder window containing splunk.pkg opens.
- In the Finder window, double-click on splunk.pkg.
The Splunk installer opens and displays the Introduction, which lists version and copyright information.
- Click Continue.
The Select a Destination window opens.
- Choose a location to install Splunk.
To install in the default directory, /Applications/splunk, click on the harddrive icon.
To select a different location, click Choose Folder…
- Click Continue.
The pre-installation summary displays. If you need to make changes,
- Click Change Install Location to choose a new folder, or
- Click Back to go back a step.
- Click Install.
Your installation will begin. It might take a few minutes.
- When your install completes, click Finish.
The installer places a shortcut on the Desktop.
After the install completes, continue to the next topic to start Splunk.
Start Splunk and launch Splunk Web
You’ve just downloaded and installed Splunk. This topic explains how to start Splunk and launch Splunk Web.
About starting Splunk
When you start Splunk, you are starting two processes, splunkd and splunkweb. splunkd is a distributed C/C++ server that accesses, processes, and indexes streaming machine data and handles search requests.
splunkweb is a Python-based application server that provides the Splunk Web interface that you use to search and navigate your machine data and manage your Splunk deployment.
After you start Splunk, accept the license agreement and use a supported web browser to access Splunk Web.
Start Splunk on Windows
After the Windows installation of Splunk completes, Splunk starts and launches Splunk Web in a supported browser. If this didn’t happen, you have three options to start Splunk:
- Start Splunk from the Start menu.
- Use the Windows Services Manager to start and stop splunkd and splunkweb.
- Open a cmd window, go to \Program Files\Splunk\bin, and type: > splunk start
Start Splunk on Linux
After installing Splunk, use the Splunk CLI to start Splunk. You can simplify the CLI access by adding a SPLUNK_HOME environment variable for the top level installation directory and $SPLUNK_HOME/bin to your shell’s path.
If you installed in the default location for Linux, your export path should look something like this:
# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH
For more information on how to access the CLI, see “About the CLI” in the Admin manual. Now, to start Splunk, type:
$ splunk start
Accept the Splunk License
After you run the start command, Splunk displays the license agreement and prompts you to accept the license before the startup sequence continues.
If you run into any problems starting up Splunk, see “Start Splunk for the first time” in the Installation manual.
Other commands you might need
If you need to stop, restart, or check the status of your Splunk server, use these commands:
$ splunk stop
$ splunk restart
$ splunk status
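The environment setup and the start/status commands above can be wrapped in a couple of shell functions so that a mistyped install path is caught before anything is run. The script below is an added example, not part of the Splunk documentation or the Splunk product; it assumes a tar-file install, so the CLI binary sits at $SPLUNK_HOME/bin/splunk, and its default of /opt/splunk matches the tutorial’s "tar xvzf ... -C /opt" step. The --accept-license flag is a real Splunk CLI option that answers the license prompt non-interactively; the function and variable names (splunk_env, splunk_up, _home) are the example’s own.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation): set SPLUNK_HOME and PATH as the
# tutorial describes, then start Splunk and report its status.
# Assumes a tar-file install, so the binary lives at $SPLUNK_HOME/bin/splunk; the
# default of /opt/splunk matches "tar xvzf splunk_package_name.tgz -C /opt".

# splunk_env DIR: export SPLUNK_HOME=DIR and put DIR/bin first on PATH.
# Returns 1 when DIR/bin/splunk is not an executable, so a wrong path is
# reported here rather than as a confusing "command not found" later.
splunk_env() {
    _home="${1:-/opt/splunk}"
    if [ ! -x "$_home/bin/splunk" ]; then
        echo "splunk_env: no executable at $_home/bin/splunk" >&2
        return 1
    fi
    SPLUNK_HOME="$_home"
    export SPLUNK_HOME
    # Prepend the bin directory only once, even if the function is called repeatedly.
    case ":$PATH:" in
        *":$SPLUNK_HOME/bin:"*) ;;
        *) PATH="$SPLUNK_HOME/bin:$PATH"; export PATH ;;
    esac
}

# splunk_up DIR: start Splunk without the interactive license prompt, then
# print its status. --accept-license is the Splunk CLI flag for that prompt;
# omit it if you prefer to read the agreement on screen as the tutorial shows.
splunk_up() {
    splunk_env "$1" || return 1
    splunk start --accept-license || return 1
    splunk status
}

# Usage on a host where Splunk is installed: source this file in your shell,
# then run:  splunk_up /opt/splunk
```

Sourcing the file (rather than executing it) is what makes the exported SPLUNK_HOME and PATH persist in your interactive shell, which is the point of the export lines in the tutorial; splunk_up can then be followed by the same splunk stop, splunk restart and splunk status commands listed above.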
Start Splunk on Mac OS X
In Mac OS X, you can start Splunk from the Finder. Double-click the Splunk icon on the Desktop to launch the Splunk helper application, entitled “Splunk’s Little Helper”.
Note: The first time you run the helper application, it notifies you that it needs to perform a brief initialization. Click OK to allow Splunk to initialize and set up the trial license.
Once the helper application loads, it displays a dialog that offers several choices:
Start and Show Splunk: This option starts Splunk and directs your web browser to open a page to Splunk Web.
Only Start Splunk: This choice starts Splunk, but does not open Splunk Web in a browser.
Cancel: Tells the helper application to quit. This does not affect the Splunk instance itself, only the helper application.
Once you make your choice, the Splunk helper application performs the requested action and terminates. You can run the helper application again to either show Splunk Web or stop Splunk.
The Splunk helper application can also be used to stop Splunk if it is already running.
Launch Splunk Web
At the very end of the startup sequence, Splunk tells you where to access Splunk Web:
The Splunk Web interface is at http://localhost:8000
Splunk Web runs by default on port 8000 of the host on which it’s installed. If you are using Splunk on your local machine, the URL to access Splunk Web is http://localhost:8000.
If you are using an Enterprise license, launching Splunk for the first time takes you to this login screen. Follow the message to authenticate with the default credentials.
If you are using a Free license, you do not need to authenticate to use Splunk. In this case, when you start up Splunk you won’t see this login screen. Instead, you will be taken directly to Splunk Home or whatever is set as the default app for your account.
When you sign in with your default password, Splunk asks you to create a new password. You can either Skip this or change your password to continue.
The first page you should see is Splunk Home.
This completes Part 1 of the Search Tutorial. Continue to Part 2: Getting started with Splunk.
Getting started with Splunk Enterprise
About Splunk Home
Splunk Home is your interactive portal to the apps and data accessible from this Splunk instance. The main parts of Home include a search bar and three panels: Apps, Data, and Help.
Finding Splunk Home
If this is a new install of Splunk, Splunk Home will be the first page that you see when you log into Splunk for the first time. Otherwise, your account may be configured to start in another view such as Search or Pivot in the Search & Reporting app.
You can return to Splunk Home from any other view by clicking on the Splunk logo at the top left in Splunk Web.