Book Image

Splunk Best Practices

Book Image

Splunk Best Practices

Overview of this book

This book will give you an edge over others through insights that will help you in day-to-day instances. When you're working with data from various sources in Splunk and performing analysis on this data, it can be a bit tricky. With this book, you will learn the best practices of working with Splunk. You'll learn about tools and techniques that will ease your life with Splunk, and will ultimately save you time. In some cases, it will adjust your thinking of what Splunk is, and what it can and cannot do. To start with, you'll get to know the best practices to get data into Splunk, analyze data, and package apps for distribution. Next, you'll discover the best practices in logging, operations, knowledge management, searching, and reporting. To finish off, we will teach you how to troubleshoot Splunk searches, as well as deployment, testing, and development with Splunk.

Related Content you might be interested in

Current Title:

Small book image
Splunk Best Practices
Sep, 2016 | 244 pages
No titles found
Table of Contents (16 chapters)
Splunk Best Practices
Splunk Best Practices
Credits
Credits
About the Author
About the Author
About the Reviewer
About the Reviewer
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Application Logging
Application Logging
Loggers
Data types
Unstructured data
Summary
2
Data Inputs
Data Inputs
Agents
Data inputs
Deployment server
Summary
3
Data Scrubbing
Data Scrubbing
Heavy Forwarder management
Even data distribution
Manipulating raw data (pre-indexing)
Summary
4
Knowledge Management
Knowledge Management
Anatomy of a Splunk search
Best practices with search anatomy
Knowledge objects
Summary
5
Alerting
Alerting
Setting expectations
Anatomy of an alert
Custom commands/automated self-healing
Summary
6
Searching and Reporting
Searching and Reporting
General practices
Search modes
Advanced charting
Summary
7
Form-Based Dashboards
Form-Based Dashboards
Dashboards versus reports
Modules
Tokens
Building a form-based dashboard
Summary
8
Search Optimization
Search Optimization
Types of dashboard search panel
Raw data search
Shared searching using a base search
Report referenced panels
Data model/pivot referenced panels
Special notes
Summary
9
App Creation and Consolidation
App Creation and Consolidation
Types of apps
Consolidating search apps
Consolidating indexing/forwarding apps
Summary
10
Advanced Data Routing
Advanced Data Routing
Splunk architecture
Network segments
The data router
Summary

Data inputs

Knowing all of the applications and methods we can use to get data into Splunk, let's talk about the types of data inputs from data sources, and how they get to the indexer. There are six general types of data inputs in Splunk:

  • API inputs

  • Database inputs

  • Monitoring inputs

  • Scripted inputs

  • Modular inputs

  • Windows inputs

API inputs

There are two ways to get REST API data into Splunk:

  • Download the REST API modular input, and install it into your Heavy Forwarder

  • Write a REST API poller using cURL or some other method to query the API, and scrub the output for the data you need

If at all possible, use the REST API modular input from Splunk, as it is very easy to set up and use. Just figure out your URL, and set up the API input and it's interval that you want it to be polled at.

Tip

Q: When would you ever use a custom API input if Splunk already has a REST API input available? A: When one doesn't already exist, and it's the only way to get data from your system.

An example of this is MapR's newest...

Previous Section
End of Section 3
Next Section