Splunk 7.x Quick Start Guide

By : James H. Baxter
Overview of this book

Splunk is a leading platform and solution for collecting, searching, and extracting value from ever-increasing amounts of big data - and big data is eating the world! This book covers all the crucial Splunk topics and gives you the information and examples to get the immediate job done. You will find enough insights to support further research and use Splunk to suit any business environment or situation. Splunk 7.x Quick Start Guide gives you a thorough understanding of how Splunk works. You will learn about all the critical tasks for architecting, implementing, administering, and utilizing Splunk Enterprise to collect, store, retrieve, format, analyze, and visualize machine data. You will find step-by-step examples based on real-world experience and practical use cases that are applicable to all Splunk environments. There is a careful balance between adequate coverage of all the critical topics and short but relevant deep-dives into the configuration options and steps to carry out the day-to-day tasks that matter. By the end of the book, you will be a confident and proficient Splunk architect and administrator.

Table of Contents (12 chapters)

What this book covers

Chapter 1, Introduction to Splunk, introduces Splunk to the newcomer, with a high-level overview of Splunk components, features, and capabilities, along with the basics of how Splunk works, so as to serve as a solid foundation when going into further detail in subsequent chapters.

Chapter 2, Architecting Splunk, provides guidance and examples for selecting the appropriate Splunk configuration for a variety of business environments, choosing and sizing the hardware Splunk will run on, and how to calculate the amount of disk space and number of indexers you'll need to accommodate your anticipated data ingestion volume.

Chapter 3, Installing and Configuring Splunk, covers installing Splunk Enterprise and configuring each of the required components to perform their specific functions. This chapter includes a checklist for implementing a complete Splunk environment, working examples of the essential configuration file settings, and guidance for documenting the final Splunk solution.

Chapter 4, Getting Data into Splunk, gets to the heart of managing a Splunk environment. This chapter provides working examples of all of the key parameters and settings used to configure data inputs from Universal Forwarders for various log types, inputs from other data sources, and using the HTTP Event Collector for getting data into Splunk. We also cover parsing and storing the data in the various types of indexes, and how they're configured.

Chapter 5, Administering Splunk Apps and Users, wraps up the administration tasks by discussing how to manage the apps and search capabilities that users will need in order to find and extract the data stored in Splunk. Since Splunk is usually implemented as a distributed/clustered solution for reliability and scalability purposes, the focus will be on managing this more complex type of environment. Threaded throughout this chapter will be tips and strategies to help develop and apply the best standards and practices for managing and supporting a Splunk solution in a typical business environment.

Chapter 6, Searching with Splunk, is perhaps the most important part of the entire book, as this chapter covers all the crucial skills needed to get data out of Splunk indexes, reduce it to its essential elements, and transform and format the results into a dataset and visualizations that provide real value and powerful insights. The important features of the user interface—Splunk web—are leveraged in working examples of the more basic Search Processing Language (SPL) commands, which serve as the foundation for a gentle and logical progression to using the more advanced commands and visualization options.

Chapter 7, Splunk Knowledge Objects, covers the various ways you can powerfully enhance and enrich machine data with user-defined fields and additional data to help harness that information in a smarter and more focused way. Event types, tags, and aliases allow you to classify and normalize similar events; field extractions create fields from otherwise unlabeled segments of an event. Lookups enhance your data with additional information, such as the meaning of HTTP status codes. Data models are pre-prepared representations of one or more datasets created to drive pivot tables and allow business users to create complex reports and visualizations without having to use the SPL. These capabilities help make Splunk a much more useful and valuable business analysis tool, and you will want to know how it all works.

Chapter 8, Splunk Reports, Dashboards, and Alerts, builds on the search skills developed in the previous chapter to help you quickly and easily create effective reports and dashboards from saved searches that provide status indicators, charts, graphs, tables, and complex visualizations that can be viewed directly or scheduled for delivery by email with embedded PDFs. You'll also learn how to configure alerts to let support and business line personnel know when something isn't right.

Chapter 9, Splunk Applications, explains how to combine the knowledge objects, saved searches, and reports/dashboards/alerts you built in previous chapters into a Splunk app—a packaged solution that makes Splunk more useful and relevant to specific technologies or use cases. It also covers in detail how to install and configure several of the more useful (and free!) apps and add-ons available from Splunkbase—one that collects OS-level data from all your Linux and Windows servers, and another very popular app that allows you to query relational databases and ingest that data into Splunk. Finally, we'll install and review the Splunk Machine Learning Toolkit, as well as introduce Splunk's premium apps—ITSI, ES, and UBA—and see how they fit into comprehensive monitoring and situational detection solutions.

Chapter 10, Advanced Splunk, is an overview and reference for several important topics and skills that any Splunk administrator will want to include in their tool chest. While Splunk is inherently stable and reliable, there will be times when you have to troubleshoot problems; this chapter covers the most useful Splunk logs and tools for determining what's working and what isn't. Then, we segue into using the Monitoring Console to keep tabs on overall Splunk health, as well as providing working examples of searches that can be built for monitoring disk and index sizes versus configured capacity, search concurrency and performance, and other factors that an administrator will be interested in. As a finale for this chapter and book, the reader is introduced to the essential concepts and references for taking Splunk to the next level—using API endpoints and the Splunk SDKs and frameworks for developing powerful customized solutions on top of the Splunk platform.

The coverage of functionality and the examples provided in this book are based on Splunk 7.1.1, which was current at the time of writing. Splunk is aggressively expanding and improving its product, so there will inevitably be new features and capabilities released in the future that are not covered, but the functions and configurations that are covered in this book are central to the Splunk platform, meaning that the information should remain relevant and useful for quite some time.