Splunk Web using your web browser
The first time you log into Splunk, you will be greeted with the Splunk Home page:
The home screen consists of the following components:
- Navigation bar – includes links to the user profile and messages, settings and help pages.
- Apps menu – lists the apps installed on your Splunk instance that you have permission to view. In our example, only the Search & Reporting app is displayed.
- Explore Splunk Enterprise – the panel that helps you to get started with Splunk. You can take a tour of the product, add data to Splunk, access Splunk apps and Splunk documentation.
- Home Dashboard – a panel where you can later add your own custom dashboard.
Types of data sources
Splunk provides tools to configure many kinds of data inputs, including those that are specific to particular application needs. It also provides the tools to configure arbitrary data input types. In general, you can categorize Splunk inputs as follows:
- Files and directories
- Network events
- Windows sources
- Other sources
Files and directories
A lot of the data comes directly from files and directories. You can use the Splunk Enterprise files and directories monitor input processor to get data from files and directories.
Network events
Splunk Enterprise can index data from any network port. For example, Splunk can index remote data from syslog-ng or any other application that transmits over the TCP protocol. It can also index UDP data, but you should use TCP instead whenever possible for enhanced reliability.
Splunk Enterprise can also receive and index SNMP events, i.e. alerts fired off by remote devices.
Windows sources
The Windows version of Splunk Enterprise includes a wide range of Windows-specific inputs. It also provides pages in Splunk Web for defining the following Windows-specific input types:
- Windows Event Log data
- Windows Registry data
- WMI data
- Active Directory data
- Performance monitoring data
Note: To index and search Windows data on a non-Windows instance of Splunk Enterprise, you must first use a Windows instance to gather the data.
Other data sources
Splunk Enterprise also supports other kinds of data sources. For example:
- First-in, first-out (FIFO) queues
- Scripted inputs – get data from APIs and other remote data interfaces and message queues.
- Modular inputs – define a custom input capability to extend the Splunk Enterprise framework.
What is an index?
An index in Splunk is simply a repository for the data. It is stored on an indexer, which is a Splunk instance configured to index local and remote data. The indexed data can then be searched through a search app.
As the indexer indexes the data, it creates a number of files grouped into sets of directories called buckets, which are organized by age. Each index occupies its own directory under $SPLUNK_HOME/var/lib/splunk. For example, here are the files for the index called testindex:
Indexes can be created with Splunk Web, the command-line interface (CLI), or by manually editing the indexes.conf file.
NOTE – By default, Splunk puts all user data into a single, preconfigured index called main. Of course, you can create your own indexes for security and performance reasons.
Create an index
As we’ve already mentioned, indexes can be created with Splunk Web, the command-line interface (CLI), or by manually editing the indexes.conf file. Of course, the easiest way to do it is to use Splunk Web. Here are the steps:
- Log in to Splunk Web with an administrative account and go to Settings > Indexes:
- The Indexes page should open. Click New Index:
The New Index page should open. You need to provide the following information:
- Index name – the name for the index. It can contain only digits, lowercase letters, underscores, and hyphens and cannot start with an underscore or a hyphen.
- Home Path – specifies the path that contains the hot and warm buckets.
- Cold Path – specifies the path for cold buckets, i.e. buckets that have rolled off from the hot/warm path.
- Thawed Path – specifies the path for thawed buckets, i.e. archived buckets that have been unzipped and restored for reuse.
- Max Size of Entire Index – the maximum size of the index is 500,000 MB by default.
- Max Size of Hot/Warm/Cold Bucket – specifies the maximum target size of buckets.
- Frozen Path – an optional parameter. Set this field if you want to archive frozen buckets.
- App – the app for the index.
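The same fields can be set by editing indexes.conf directly, as the text mentions. The stanza below is an added example (not from the original page) showing how each Splunk Web field maps to an indexes.conf setting; the index name testindex and the frozen-archive path are assumed values.

```ini
# $SPLUNK_HOME/etc/apps/<app>/local/indexes.conf  (or etc/system/local/)
# Added example: one stanza per index, the stanza name is the "Index name".
[testindex]
# Home Path: hot and warm buckets
homePath   = $SPLUNK_DB/testindex/db
# Cold Path: buckets rolled off from hot/warm
coldPath   = $SPLUNK_DB/testindex/colddb
# Thawed Path: archived buckets restored for reuse
thawedPath = $SPLUNK_DB/testindex/thaweddb
# Max Size of Entire Index (MB); 500000 is the default shown in Splunk Web
maxTotalDataSizeMB = 500000
# Max Size of Hot/Warm/Cold Bucket; "auto" lets Splunk pick the target size
maxDataSize = auto
# Frozen Path (optional): without it, frozen buckets are deleted rather than archived.
# Assumed path; keep this on storage with restricted write access if you
# rely on the archive for retention or investigations.
coldToFrozenDir = /var/splunk-archive/testindex
```

Restart Splunk after saving the file so the new stanza is read; the index then appears under Settings > Indexes just like one created in Splunk Web.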
You should see the new index in the list of indexes.
Add data to Splunk
There are three ways to add data to Splunk:
- Upload – you can upload a file or archive of files into Splunk Enterprise for indexing. Note that Splunk consumes the uploaded file(s) only once; it does not monitor them continuously.
- Monitor – you can use this option to monitor files, directories, network streams, scripts, and other types of machine data that Splunk can index. This is the option you would most likely use for your production environment.
- Forward – you can use this option to receive data from forwarders.
The easiest way to add data to Splunk is to use the first option (Upload). Here is how we would upload a file to Splunk:
From the home screen, click on the Add Data icon:
Click on the Upload icon:
Next, you will need to select the file source. To do this, click on the Select File button:
Browse to the file you would like to include:
NOTE – if you need test log files, you can download them from here: http://docs.splunk.com/images/Tutorial/tutorialdata.zip
After the file upload finishes, click the Next button:
You should get the Set Source Type page, where you can make adjustments to how Splunk indexes your data. This page allows you to preview how Splunk will index your data. One of the options you can adjust is the source type. This field determines how Splunk will format the data during indexing. Splunk comes with a large number of predefined source types and attempts to assign the correct source type to your data based on its format.
If you are not satisfied with the default source type that was assigned by Splunk, you can choose other source types or use other options (Event Breaks, Timestamp, and Advanced) to manually adjust how Splunk will format data. In our case, Splunk has formatted the data correctly, so we will press Next:
Next, we can configure Input Settings. We can configure the hostname (or IP address) of the host from which the log originates. We can also choose the index in which we would like to store the events. Select your options and click the Review button:
Review the settings and click Submit to finish the process:
And that’s it! You can verify that the data was added successfully by clicking on the Start Searching button: