Hi All,
As you all know, the need to monitor the IT infrastructure environment is growing day by day, and it becomes very difficult to analyze security, application and performance issues when there is a huge amount of data. It is therefore always advisable to have a centralized platform that handles all your logs and lets you configure useful knowledge objects for better visualization, alerting and reporting. In this article I would like to give a high-level overview of Splunk.
![](https://i0.wp.com/miro.medium.com/max/400/0%2A3YP3NJER9ATcj-zV.png?w=1200&ssl=1)
Splunk is a software product that enables you to search, analyze, and visualize the data gathered from the components of your IT infrastructure or business. It takes in data from websites, applications, sensors, devices, and so on. After you define the data source, it indexes the data stream and parses it into a series of individual events that you can view and search.
Features of Splunk
1.Indexing
Splunk Enterprise indexes the data that makes up your IT infrastructure. You can source data from websites, applications, servers, databases, operating systems, and more.
2.Search
Search is the primary way users navigate their data in Splunk Enterprise. You can save a search as a report and use it to power dashboard panels. Searches provide insight from your data.
3.Alerts
Alerts notify you when search results for both historical and real-time searches meet configured conditions.
4.Dashboards
Dashboards contain panels of modules like search boxes, fields, charts, and so on. Dashboard panels are usually connected to saved searches or pivots.
5.Pivot
Pivot refers to the table, chart, or data visualization you create using the Pivot Editor. The Pivot Editor lets users map attributes defined by data model objects to a table, chart, or data visualization without having to write the searches in the Search Processing Language (SPL).
6.Reports
Splunk Enterprise allows you to save searches and pivots as reports, and then add reports to dashboards as dashboard panels.
Splunk components
1.Indexer
Splunk indexers provide data processing and storage for local and remote data and host the primary Splunk data store.
2.Search head
A search head is a Splunk Enterprise instance that distributes searches to indexers.
3.Forwarder
Forwarders are Splunk instances that forward data to remote indexers for data processing and storage.
4.Deployment server
The deployment server is a tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.
Splunk Architecture
![](https://i0.wp.com/miro.medium.com/max/679/1%2ADOpHF6B_twqR2PnIUx9K1A.png?w=1200&ssl=1)
Splunk Installation
Splunk installation requires downloadable packages that are available on the official Splunk portal. The user needs to register on splunk.com with his/her email ID and select the required product, such as the Splunk Enterprise version or the Universal Forwarder. Once the user has the download URL, we can switch to the command line and execute the command to fetch the binary.
Splunk Enterprise version wget URL
wget -O splunk-7.3.2-c60db69f8e32-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.3.2&product=splunk&filename=splunk-7.3.2-c60db69f8e32-Linux-x86_64.tgz&wget=true'
Splunk Universal forwarder Download URL
wget -O splunkforwarder-7.3.2-c60db69f8e32-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.3.2&product=universalforwarder&filename=splunkforwarder-7.3.2-c60db69f8e32-Linux-x86_64.tgz&wget=true'
NOTE: These URLs might expire, so please register with your email ID to get the complete features of the Splunk Enterprise version.
USER Management
1. Add User using Splunk CLI
splunk add user sarath -role admin -password xxxxxxxx -full-name "Sarath"
2.List All Users using Splunk CLI
splunk list user
3.Edit an Existing User using Splunk CLI
splunk edit user sarath -full-name "Sarath"
4.Add & Delete User using Splunk CLI
splunk add user test -role power -password testpassword -full-name "Test Bourne"
splunk remove user test
5.Assign a different Role to a User
splunk edit user ramesh -role power
splunk list user
splunk list role
admin — Full administrator access
power — One level down from admin. You can edit shared objects, alerts, tag events, etc.
user — Assign this for a typical Splunk user who can run searches, edit own saved searches, etc.
can_delete — Allows user to delete by keyword.
Single instance Deployment
1.Install Splunk Enterprise
wget -O splunk-7.3.2-c60db69f8e32-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.3.2&product=splunk&filename=splunk-7.3.2-c60db69f8e32-Linux-x86_64.tgz&wget=true'
2.Unzip it and go to the bin directory
3.Start Splunk from the bin directory, accepting the license
./splunk start --accept-license
4.Add logs for monitoring
./splunk add monitor /var/log
5.Login to Splunk Web and check whether events are available or not.
Two Instance Model Deployment (Machine 1 as Indexer and Machine 2 as Forwarder)
1.Install Splunk Enterprise version on Machine 1
2.Start Splunk from the bin directory, accepting the license
./splunk start --accept-license
3.Install the Splunk Universal Forwarder on Machine 2 and start it
4.Enable the receiving port on the Splunk indexer/search head instance
./splunk enable listen <PORT>
ex:./splunk enable listen 3089
5.Configure the forward server in the Universal Forwarder.
ex:./splunk add forward-server 54.159.147.66:3089
IP and PORT are the details of the Splunk Enterprise instance.
If it prompts for a password, provide the credentials of that instance (in this case, the forwarder's own authorization).
6.Enable monitoring in the Splunk forwarder
./splunk add monitor /var/log
7.Login to Splunk Web and check whether the indexed events are already available or not.
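The two-instance steps above, as an added shell example that is not from the original article: it validates the PORT and IP:PORT arguments before they are handed to the CLI, checks that the indexer's receiving port answers before the forwarder is pointed at it, and prints the inputs.conf / outputs.conf stanzas that the three CLI commands write under $SPLUNK_HOME/etc/system/local/. The 54.159.147.66:3089 value is the article's sample; the nc binary and the /opt/splunk path are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original article). Pre-flight checks for the
# forwarder -> indexer setup, plus the config stanzas the CLI commands produce.

valid_port() {          # digits only, 1..65535
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_hostport() {      # HOST:PORT, e.g. 54.159.147.66:3089 (IPv4/hostname only)
  host=${1%%:*}; port=${1##*:}
  [ -n "$host" ] && [ "$host" != "$1" ] && valid_port "$port"
}

# Confirm the indexer's receiving port answers before running
# "splunk add forward-server" on the forwarder (assumes nc is installed).
reachable() {
  valid_hostport "$1" || return 1
  nc -z -w 3 "${1%%:*}" "${1##*:}"
}

# Indexer side: what "./splunk enable listen <PORT>" records in inputs.conf
receiver_stanza() {
  valid_port "$1" || return 1
  printf '[splunktcp://%s]\ndisabled = 0\n' "$1"
}

# Forwarder side: what "./splunk add forward-server HOST:PORT" records in outputs.conf
forwarder_stanza() {
  valid_hostport "$1" || return 1
  printf '[tcpout]\ndefaultGroup = default-autolb-group\n\n'
  printf '[tcpout:default-autolb-group]\nserver = %s\n\n' "$1"
  printf '[tcpout-server://%s]\n' "$1"
}

# Either side: what "./splunk add monitor <PATH>" records in inputs.conf
monitor_stanza() {
  [ -n "$1" ] || return 1
  printf '[monitor://%s]\ndisabled = false\n' "$1"
}

# Usage: sh setup_check.sh --show   (prints the stanzas for the article's values)
if [ "${1:-}" = "--show" ]; then
  receiver_stanza 3089
  reachable 54.159.147.66:3089 && echo "indexer port reachable" || echo "indexer port NOT reachable"
  forwarder_stanza 54.159.147.66:3089
  monitor_stanza /var/log
fi
```

Run the same checks on a live box by replacing the sample values with your own indexer address, then compare the printed stanzas with $SPLUNK_HOME/etc/system/local/inputs.conf and outputs.conf after the CLI commands have been executed.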
Delete the indexed events
./splunk remove monitor /var/log
./splunk stop
./splunk clean eventdata
./splunk start
Splunk Console
![](https://i0.wp.com/miro.medium.com/max/900/0%2AT94ak8zQdLfgde80.png?w=1200&ssl=1)
Splunk Dashboard
![](https://i0.wp.com/miro.medium.com/max/1400/0%2AdFRkye0ZUIsvJB4Z.png?w=1200&ssl=1)
Splunk is so successful because of the benefits it offers for big data analytics and the features that clearly make it one of the most powerful tools among its peers.
![Sarath Tamminana](https://i0.wp.com/enminto.com/wp-content/uploads/2021/05/Profile-Image-e1621598995164.jpg?resize=100%2C100&ssl=1)
The founder of TacoBIG.com. He is a Cloud Architect from Bangalore interested in contributing guidance to Cloud-related communities. He loves to read books and share knowledge with others. He is keen on understanding financial wisdom and sharing thoughts on how to achieve financial freedom.