Book Image

Mastering Splunk

By : James D. Miller
Book Image

Mastering Splunk

By: James D. Miller

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Mastering Splunk
James D. Miller
Dec, 2014 | 344 pages
No titles found
Table of Contents (18 chapters)
Mastering Splunk
Mastering Splunk
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
The Application of Splunk
The Application of Splunk
The definition of Splunk
Universal file handling
Confidentiality and security
Conventional use cases
Splunk – outside the box
Splunk in action
Summary
2
Advanced Searching
Advanced Searching
Searching in Splunk
Knowledge management
Subsearching
Searching with parameters
Splunk macros
Search results
Summary
3
Mastering Tables, Charts, and Fields
Mastering Tables, Charts, and Fields
Tables, charts, and fields
Splunk bucketing
Drilldowns
Pivot
Split
Column values
Pivot table formatting
A quick example
Sparklines
Summary
4
Lookups
Lookups
Introduction
Configuring a simple field lookup
Command roundup
Summary
5
Progressive Dashboards
Progressive Dashboards
Creating effective dashboards
Form searching
Going back to dashboards
More on searching
Dynamic drilldowns
Real-world, real-time solutions
Summary
6
Indexes and Indexing
Indexes and Indexing
The importance of indexing
What is a Splunk index?
Indexes, indexers, and clusters
Managing Splunk indexes
Dealing with multiple indexes
Deleting your indexes and indexed data
Configuring indexes
Moving your index database
Spreading out your Splunk index
Size matters
Hitting the limits
Summary
7
Evolving your Apps
Evolving your Apps
Basic applications
BYO or build your own apps
App FAQs
The end-to-end customization of Splunk
Preparation for app development
Summary
8
Monitoring and Alerting
Monitoring and Alerting
What to monitor
Advanced monitoring
Location, location, location
Leveraging your forwarders
Can I use apps?
Windows inputs in Splunk
Getting started with monitoring
What does Splunk do with the data it monitors?
Splunk
Viewing the Splunk Deployment Monitor app
All about alerts
Editing alerts
Scheduled or real time
Extended functionalities
Summary
9
Transactional Splunk
Transactional Splunk
Transactions and transaction types
Transaction search
Advanced use of transactions
Summary
10
Splunk – Meet the Enterprise
Splunk – Meet the Enterprise
General concepts
Best practices
Definition of Splunk knowledge
Strategic knowledge management
Splunk object management with knowledge management
Naming conventions for documentation
Testing
Retrofitting
The enterprise vision
Summary
Quick Start
Quick Start
Topics
Where and how to learn Splunk
Certifications
The Splunk documentation
www.splunk.com
Splunk answers
Splunkbase
The support portal
The Splexicon
The "How-to" tutorials
User conferences, blogs, and news groups
Professional services
Obtaining the Splunk software
An environment to learn in
Summary
Index
Index

Configuring indexes

Splunk will allow you to set the location (path) to your nonclustered indexes using Splunk Web, but the majority of the configurations must be done by editing the indexes.conf file (for this discussion, we will stick to nonclustered indexes).

The indexes.conf file should be saved at $SPLUNK_HOME/etc/system/local/ or in a custom app directory, in $SPLUNK_HOME/etc/apps/.

The following are the most interesting index configuration attributes (you can use the product documentation to review the full list):

  • homePath, coldPath, and thawedPath: These attributes are all required settings. These indicate where Splunk will place the index buckets (hot/warm are stored in home, cold in cold, and thawed in thawed). The ColdToFrozenDir attribute is optional and indicates where Splunk will archive data before deleting it from an index.

  • maxHotBuckets: This attribute is the limit of hot or live index buckets, and maxDataSize is the attribute to limit how big a hot or live bucket can grow...

Previous Section
End of Section 8
Next Section