Book Image

Splunk Operational Intelligence Cookbook

Book Image

Splunk Operational Intelligence Cookbook

Overview of this book

Related Content you might be interested in

Current Title:

Small book image
Splunk Operational Intelligence Cookbook
Oct, 2014 | 414 pages
No titles found
Table of Contents (17 chapters)
Splunk Operational Intelligence Cookbook
Splunk Operational Intelligence Cookbook
Credits
Credits
About the Authors
About the Authors
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Preface
Preface
Free Chapter
1
Play Time – Getting Data In
Play Time – Getting Data In
Introduction
Indexing files and directories
Getting data through network ports
Using scripted inputs
Using modular inputs
Using the Universal Forwarder to gather data
Loading the sample data for this book
Defining field extractions
Defining event types and tags
Summary
2
Diving into Data – Search and Report
Diving into Data – Search and Report
Introduction
Making raw event data readable
Finding the most accessed web pages
Finding the most used web browsers
Identifying the top-referring websites
Charting web page response codes
Displaying web page response time statistics
Listing the top viewed products
Charting the application's functional performance
Charting the application's memory usage
Counting the total number of database connections
Summary
3
Dashboards and Visualizations – Make Data Shine
Dashboards and Visualizations – Make Data Shine
Introduction
Creating an Operational Intelligence dashboard
Using a pie chart to show the most accessed web pages
Displaying the unique number of visitors
Using a gauge to display the number of errors
Charting the number of method requests by type and host
Creating a timechart of method requests, views, and response times
Using a scatter chart to identify discrete requests by size and response time
Creating an area chart of the application's functional statistics
Using a bar chart to show the average amount spent by category
Creating a line chart of item views and purchases over time
Summary
4
Building an Operational Intelligence Application
Building an Operational Intelligence Application
Introduction
Creating an Operational Intelligence application
Adding dashboards and reports
Organizing the dashboards more efficiently
Dynamically drilling down on activity reports
Creating a form to search web activities
Linking web page activity reports to the form
Displaying a geographical map of visitors
Scheduling the PDF delivery of a dashboard
Summary
5
Extending Intelligence – Data Models and Pivoting
Extending Intelligence – Data Models and Pivoting
Introduction
Creating a data model for web access logs
Creating a data model for application logs
Accelerating data models
Pivoting total sales transactions
Pivoting purchases by geographical location
Pivoting slowest responding web pages
Pivot charting top error codes
Summary
6
Diving Deeper – Advanced Searching
Diving Deeper – Advanced Searching
Introduction
Calculating the average session time on a website
Calculating the average execution time for multi-tier web requests
Displaying the maximum concurrent checkouts
Analyzing the relationship of web requests
Predicting website-traffic volumes
Finding abnormally sized web requests
Identifying potential session spoofing
Summary
7
Enriching Data – Lookups and Workflows
Enriching Data – Lookups and Workflows
Introduction
Looking up product code descriptions
Flagging suspicious IP addresses
Creating a session state table
Adding hostnames to IP addresses
Searching ARIN for a given IP address
Triggering a Google search for a given error
Creating a ticket for application errors
Looking up inventory from an external database
Summary
8
Being Proactive – Creating Alerts
Being Proactive – Creating Alerts
Introduction
Alerting on abnormal web page response times
Alerting on errors during checkout in real time
Alerting on abnormal user behavior
Alerting on failure and triggering a scripted response
Alerting when predicted sales exceed inventory
Summary
9
Speed Up Intelligence – Data Summarization
Speed Up Intelligence – Data Summarization
Introduction
Calculating an hourly count of sessions versus completed transactions
Backfilling the number of purchases by city
Displaying the maximum number of concurrent sessions over time
Summary
10
Above and Beyond – Customization, Web Framework, REST API, and SDKs
Above and Beyond – Customization, Web Framework, REST API, and SDKs
Introduction
Customizing the application's navigation
Adding a force-directed graph of web hits
Adding a calendar heatmap of product purchases
Remotely querying Splunk's REST API for unique page views
Creating a Python application to return unique IP addresses
Creating a custom search command to format product names
Summary
Index
Index

Using the Universal Forwarder to gather data

Most IT environments today range from multiple servers in the closet of your office to hundreds of endpoint servers located in multiple geographically distributed data centers.

When the data we want to collect is not located directly on the server where Splunk is installed, the Splunk Universal Forwarder (UF) can be installed on your remote endpoint servers and used to forward data back to Splunk to be indexed.

The Universal Forwarder is similar to the Splunk server in that it has many of the same features, but it does not contain Splunk web and doesn't come bundled with the Python executable and libraries. Additionally, the Universal Forwarder cannot process data in advance, such as performing line breaking and timestamp extraction.

This recipe will guide you through configuring the Splunk Universal Forwarder to forward data to a Splunk indexer and will show you how to set up the indexer to receive the data.

Getting ready

To step through this recipe, you will need a server with the Splunk Universal Forwarder installed but not configured. You will also need a running Splunk server. There are no other prerequisites.

Tip

To obtain the Universal Forwarder software, you will need to go to www.splunk.com/download and register for an account if you do not already have one. Then, either download the software directly to your server or download it to your laptop or workstation and upload it to your server via a file-transfer process such as SFTP.

How to do it...

Follow the steps in the recipe to configure the Splunk Forwarder to forward data and the Splunk indexer to receive data:

  1. On the server with the Universal Forwarder installed, open a command prompt if you are a Windows user or a terminal window if you are a Unix user.

  2. Change to the $SPLUNK_HOME/bin directory, where $SPLUNK_HOME is the directory in which the Splunk forwarder was installed.

    For Unix, the default installation directory will be /opt/splunkforwarder/bin. For Windows, it will be C:\Program Files\SplunkUniversalForwarder\bin.

    Note

    If using Windows, omit ./ in front of the Splunk command in the upcoming steps.

  3. Start the Splunk forwarder if not already started, using the following command:

    ./splunk start

  4. Accept the license agreement.

  5. Enable the Universal Forwarder to autostart, using the following command:

    ./splunk enable boot-start

  6. Set the indexer that this Universal Forwarder will send its data to. Replace the host value with the value of the indexer as well as the username and password for the Universal Forwarder.

    ./splunk add forward-server <host>:9997 -auth <username>:<password>

    The username and password to log in to the forwarder (default is admin:changeme) is <username>:<password>.

    Tip

    Additional receiving indexers can be added in the same way by repeating the command in the previous step with a different indexer host or IP. Splunk will automatically load balance the forwarded data if more than one receiving indexer is specified in this manner. Port 9997 is the default Splunk TCP port and should only be changed if it cannot be used for some reason.

On the receiving Splunk indexer server(s):

  1. Log in to your receiving Splunk indexer server. From the home launcher, in the top-right corner click on the Settings menu item and then select the Forwarding and receiving link.

  2. Click on the Configure receiving link.

  3. Click on New.

  4. Enter 9997 in the Listen on this port field.

  5. Click on Save and restart Splunk. The Universal Forwarder is installed and configured to send data to your Splunk server, and the Splunk server is configured to receive data on the default Splunk TCP port 9997.

How it works...

When you tell the forwarder which server to send data to, you are basically adding a new configuration stanza into an outputs.conf file behind the scenes. On the Splunk server, an inputs.conf file will contain a [splunktcp] stanza to enable receiving. The outputs.conf file on the Splunk forwarder will be located in $SPLUNK_HOME/etc/system/local, and the inputs.conf file on the Splunk server will be located in the local directory of the app you were in (the launcher app in this case) when configuring receiving.

Using forwarders to collect and forward data has many advantages. The forwarders communicate with the indexers on TCP port 9997 by default, which makes for a very simple set of firewall rules that need to be opened. Forwarders can also be configured to load balance their data across multiple indexers, increasing search speeds and availability. Additionally, forwarders can be configured to queue the data they collect if communication with the indexers is lost. This can be extremely important when collecting data that is not read from logfiles, such as performance counters or syslog streams, as the data cannot be re-read.

There's more...

While configuring the settings of the Universal Forwarder can be performed via the command-line interface of Splunk as outlined in this recipe, there are several other methods to update settings quickly and allow for customization of the many configuration options that Splunk provides.

Add the receiving indexer via outputs.conf

The receiving indexers can be directly added to the outputs.conf configuration file on the Universal Forwarder. Edit $SPLUNK_HOME/etc/system/local/outputs.conf, add your input, and then restart the UF. The following example configuration is provided, where two receiving indexers are specified. The [tcpout-server] stanza can be leveraged to add output configurations specific to an individual receiving indexer.

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = mysplunkindexer1:9997,mysplunkindexer2:9997

[tcpout-server://mysplunkindexer1:9997]
[tcpout-server://mysplunkindexer2:9997]

Tip

If nothing has been configured in inputs.conf on the Universal Forwarder, but outputs.conf is configured with at least one valid receiving indexer, the Splunk forwarder will only send internal log data to the indexer. It is, therefore, possible to configure a forwarder correctly and be detected by the Splunk indexer(s), but not actually send any real data.

Previous Section
End of Section 7
Next Section