Splunk 7.x Quick Start Guide

By: James H. Baxter
Overview of this book

Splunk is a leading platform and solution for collecting, searching, and extracting value from ever-increasing amounts of big data - and big data is eating the world! This book covers all the crucial Splunk topics and gives you the information and examples to get the immediate job done. You will find enough insights to support further research and use Splunk to suit any business environment or situation. Splunk 7.x Quick Start Guide gives you a thorough understanding of how Splunk works. You will learn about all the critical tasks for architecting, implementing, administering, and utilizing Splunk Enterprise to collect, store, retrieve, format, analyze, and visualize machine data. You will find step-by-step examples based on real-world experience and practical use cases that are applicable to all Splunk environments. There is a careful balance between adequate coverage of all the critical topics and short but relevant deep-dives into the configuration options and steps to carry out the day-to-day tasks that matter. By the end of the book, you will be a confident and proficient Splunk architect and administrator.
Table of Contents (12 chapters)

To get the most out of this book

To get the most out of this book, you will need to install the free version of Splunk Enterprise on your desktop or laptop so that you can investigate Splunk's directory structure and configuration files and options, and follow along in each chapter by experimenting with the configurations, searches, apps, and report/dashboard/alert examples provided.

If you want to develop your architect and administration skills with Splunk and don't have admin-level access to a Splunk sandbox environment at your workplace, you may want to consider building a small Splunk environment on cloud-based servers; the cost is not too great if you manage your up-time carefully, and you can configure and run a clustered solution using the free Splunk Enterprise trial license for up to 30 days.

Downloading the extra material

You can download a file that contains the data collection forms and indexer disk space calculator spreadsheets featured in Chapter 2, Architecting Splunk, clickable links to all the URLs providing additional information, and the search strings from each chapter, which you can copy/paste and alter to meet your requirements by logging into your account at If you purchased this book elsewhere, you can visit support and register to have the file emailed to you.

Download the example code files

You can download the example code files for this book from your account at If you purchased this book elsewhere, you can visit and register to have the files emailed directly to you.

You can download the code files by following these steps:

  1. Log in or register at
  2. Select the SUPPORT tab.
  3. Click on Code Downloads and Errata.
  4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

  • WinRAR/7-Zip for Windows
  • Zipeg/iZip/UnRarX for Mac
  • 7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at Check them out!

Download the color images

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The rpm will install Splunk in the /opt/splunk directory."

A block of code is set as follows:

index=<index> <filter> <"text string to match"> 
| command1 <arguments>
| command2 <arguments>
| visualization commands & arguments

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

hot bucket (files being written to)
warm bucket (closed for writing, searchable)
cold bucket (searchable, may reside on different storage)

Any command-line input or output is written as follows:

$ sudo su - splunk                don't forget this step! 
$ cd $SPLUNK_HOME/bin
$ ./splunk start --accept-license

Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "You can now click Settings | Fields | Field extractions and view the list of all the field extractions, including the one you just created."

Warnings or important notes appear like this.
Tips and tricks appear like this.