Advanced Splunk

Advanced Splunk

By : Ashish Kumar Tulsiram Yadav

Buy this Book

Advanced Splunk

By: Ashish Kumar Tulsiram Yadav

Buy this Book

Overview of this book

Master the power of Splunk and learn the advanced strategies to get the most out of your machine data with this practical advanced guide. Make sense of the hidden data of your organization – the insight of your servers, devices, logs, traffic and clouds. Advanced Splunk shows you how. Dive deep into Splunk to find the most efficient solution to your data problems. Create the robust Splunk solutions you need to make informed decisions in big data machine analytics. From visualizations to enterprise integration, this well-organized high level guide has everything you need for Splunk mastery. Start with a complete overview of all the new features and advantages of the latest version of Splunk and the Splunk Environment. Go hands on with uploading data, search commands for basic and advanced analytics, advanced visualization techniques, and dashboard customizing. Discover how to tweak Splunk to your needs, and get a complete on Enterprise Integration of Splunk with various analytics and visualization tools. Finally, discover how to set up and use all the new features of the latest version of Splunk.

Advanced Splunk

Credits

About the Author

Acknowledgements

About the Reviewer

www.PacktPub.com

Preface

Free Chapter

What's New in Splunk 6.3?

Splunk's architecture

Search parallelization

Data integrity control

Intelligent job scheduling

The app key-value store

Splunk Enterprise Security

Authentication using SAML

Summary

Developing an Application on Splunk

Splunk apps and technology add-ons

Developing a Splunk app

Developing a Splunk add-on

Managing Splunk apps and add-ons

Splunk apps from the app store

Summary

On-boarding Data in Splunk

Deep diving into various input methods and sources

Adding data to Splunk – new interfaces

Data processing

Managing event segmentation

Improving the data input process

Summary

Data Analytics

Data and indexes

Subsearch

Time

Fields

Results

Summary

Advanced Data Analytics

Reports

Geography and location

Anomalies

Predicting and trending

Correlation

Machine learning

Summary

Visualization

Prerequisites – configuration settings

Tables

Single value

Charts

Drilldown

Summary

Advanced Visualization

Sunburst sequence

Geospatial visualization

Punchcard visualization

Calendar heatmap visualization

The Sankey diagram

Parallel coordinates

The force directed graph

Custom chart overlay

Custom decorations

Summary

Dashboard Customization

Dashboard controls

Multi-search management

Tokens

Null search swapper

Switcher

Summary

Advanced Dashboard Customization

Layout customization

Custom look and feel

The custom alert action

Summary

Tweaking Splunk

Index replication

Indexer auto-discovery

Sourcetype manager

Field extractor

Search history

Event pattern detection

Summary

Enterprise Integration with Splunk

The Splunk SDK

Installing the Splunk SDK

The Splunk SDK for Python

Splunk with R for analytics

Splunk with Tableau for visualization

Summary

What Next? Splunk 6.4

Storage optimization

Machine learning

Management and admin

Indexer and search head enhancement

Visualizations

Multi-search management

Enhanced alert actions

Summary

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Authentication using SAML

SAML is an XML standard that allows secure web domains to exchange user authentication and authorization data. It allows one online service provider to contact an identity service provider in order to authenticate users who are trying to access the secure content.

Splunk Enterprise supports the use of SAML authentication and authorization for Single Sign-On (SSO). SSO can be enabled in Splunk with the configuration settings provided by the Identity Provider (IdP).

SSO can be configured by Splunk Web or by modifying authentication.conf located at $SPLUNK_HOME\etc\system\default directly. At present, Splunk Enterprise supports the Ping Identity product from PingFederate® for SSO.

To configure SSO with SAML, the following is the requirement list:

An identity provider (at present, PingIdentity) is a tested identity provider, and others can also be integrated on similar lines.
Configuration that uses an on-premise search head.
A user with an admin role and change_authentication Splunk capability. This permission allows us to enable SAML and edit authentication settings on the Splunk search head.
Note
SSO must be configured on all the search heads in the Splunk deployment for it to function properly.

We'll now learn how to set up SSO using SAML. Let's get acquainted with the steps of setting up SSO:

The following information will be required from IdP to configure Splunk in order to authenticate the user:
- role
- realName
- mail
The groups returned by IdP are mapped to Splunk roles. A single Splunk role can be assigned to multiple groups.

Let's configure SSO using SAML via Splunk Web. The following are the steps to configure SSO on Splunk Web:

Access Splunk Web by going to localhost:8000 from the deployment server machine or via IPAaddress:PortNo from a machine in the same network.
Go to Settings | Access Controls | Authentication Method.
Choose SAML as the External Authentication Method and click on Configure Splunk to use SAML.
In the SAML Groups page, click on SAML Configuration.
Browse and select the XML file provided by the IdP provider and fill in all the details and click on Save.

If all the settings are correct, the SAML Groups page will be populated with all the users and groups where specific groups and Splunk roles can be assigned.

Advanced Splunk

By : Ashish Kumar Tulsiram Yadav

Advanced Splunk

By: Ashish Kumar Tulsiram Yadav

Overview of this book

Related Content you might be interested in

Current Title:

Advanced Splunk

Authentication using SAML

Note