Splunk 7.x Quick Start Guide


Product type Book
Published in Nov 2018
Publisher Packt
ISBN-13 9781789531091
Pages 298 pages
Edition 1st Edition
Author (1): James H. Baxter

Table of Contents (12) Chapters

Preface 1. Introduction to Splunk 2. Architecting Splunk 3. Installing and Configuring Splunk 4. Getting Data into Splunk 5. Administering Splunk Apps and Users 6. Searching with Splunk 7. Splunk Knowledge Objects 8. Splunk Reports, Dashboards, and Alerts 9. Splunk Applications 10. Advanced Splunk 11. Other Books You May Enjoy

To get the most out of this book

To get the most out of this book, you will need to install the free version of Splunk Enterprise on your desktop or laptop so that you can investigate Splunk's directory structure and configuration files and options, and follow along in each chapter by experimenting with the configurations, searches, apps, and report/dashboard/alert examples provided.

If you want to develop your architecture and administration skills with Splunk and don't have admin-level access to a Splunk sandbox environment at your workplace, you may want to consider building a small Splunk environment on cloud-based servers; the cost is not too great if you manage your uptime carefully, and you can configure and run a clustered solution using the free Splunk Enterprise trial license for up to 30 days.

Downloading the extra material

By logging into your account at www.packtpub.com, you can download a file that contains the data collection forms and indexer disk space calculator spreadsheets featured in Chapter 2, Architecting Splunk, clickable links to all the URLs providing additional information, and the search strings from each chapter, which you can copy/paste and alter to meet your requirements. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the file emailed to you.

Download the example code files

You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packt.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

  1. Log in or register at www.packt.com.
  2. Select the SUPPORT tab.
  3. Click on Code Downloads and Errata.
  4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

  • WinRAR/7-Zip for Windows
  • Zipeg/iZip/UnRarX for Mac
  • 7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Splunk-7.x-Quick-Start-Guide. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789531091_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The rpm will install Splunk in the /opt/splunk directory."

A block of code is set as follows:

index=<index> <filter> <"text string to match"> 
| command1 <arguments>
| command2 <arguments>
| visualization commands & arguments

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

hot bucket (files being written to)
/opt/splunk/var/lib/splunk/myindex/db/hot_v1_41
warm bucket (closed for writing, searchable)
/opt/splunk/var/lib/splunk/myindex/db/db_1530043376_1529957920_40/
cold bucket (searchable, may reside on different storage)
/opt/splunk/var/lib/splunk/myindex/colddb/db_1508276979_1508276438_0/

Any command-line input or output is written as follows:

$ sudo su - splunk                # don't forget this step!
$ cd $SPLUNK_HOME/bin
$ ./splunk start --accept-license

Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "You can now click Settings | Fields | Field extractions and view the list of all the field extractions, including the one you just created."

Warnings or important notes appear like this.
Tips and tricks appear like this.
