
SPLUNK FUNDAMENTALS

WHAT IS SPLUNK?

• Splunk is used to produce statistics, reports, dashboards and lookups from logs.
• It is used to search logs, which helps developers debug and resolve issues more easily.
• It is used to check whether integrated systems are being triggered or not.
WHAT TYPE OF DATA CAN BE USED AND FROM WHERE CAN IT BE INSERTED?

Any type of IT streaming, machine and historical data can be used. In our case we were using Windows event logs, live application logs and network feeds.

From the data source, we get data into our Splunk deployment. Splunk Enterprise then indexes the data stream and transforms it into a series of events.

The data can either be on the same machine as an indexer (local data) or on another machine (remote data).

We can get remote data into the Splunk deployment using network feeds, or by installing Splunk forwarders on the hosts where the data originates.
HOW DOES SPLUNK WORK?

Open Splunk Enterprise and go to the "Search & Reporting" app. The search bar appears on the screen, where we specify the criteria for the results we want. We have to be particular about the Time Range we specify: providing the correct time range is what gives us exactly the logs we expect, and it also keeps the search cheap, because Splunk only opens the index buckets whose time span overlaps that range. Once we run the search, the matching events are displayed below the search bar.
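The kind of search the passage describes, written out as an added example that is not part of the original slides: a search over Windows Security event logs for failed logons (Event ID 4625), with the time range set explicitly in the search string rather than in the time picker. The index name `wineventlog` is an assumption (the index is whatever the deployment chose), and the field names `EventCode`, `user` and `src_ip` are the ones the Splunk Add-on for Windows extracts; the threshold of 20 failures is likewise an assumed starting value.

```spl
index=wineventlog EventCode=4625 earliest=-24h@h latest=now
| stats count AS failures, dc(user) AS targeted_accounts, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip
| where failures > 20
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
```

`earliest=-24h@h` snaps the start of the range to the hour, so repeated runs cover the same boundaries and results can be compared. The `stats ... BY src_ip` line collapses the raw events into one row per source address, which is what you want when looking for password spraying or brute force; `dc(user)` distinguishes one account being hammered from many accounts being tried once each.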
HOW IS SPLUNK DEPLOYED?

• Splunk Enterprise: Splunk components installed and administered on-premises, from a single instance to a large distributed deployment of forwarders, indexers and search heads.

• Splunk Cloud: Splunk Enterprise delivered as a hosted service, where Splunk manages and maintains the infrastructure and we manage our data and searches.

• Splunk Light (a discontinued edition): delivered log search and analysis for individuals, small businesses and work groups within larger organizations.
USERS AND ROLES

Splunk users are assigned roles, which determine their capabilities and data access.
There are four predefined roles:
 admin: Has most capabilities assigned to it. It can also create additional roles based on requirements.

 power: Can edit all shared objects (saved searches, dashboards, lookups), create alerts and tag events.

 user: Can create and edit its own saved searches, run searches, and create and edit event types.

 can_delete: Grants the delete_by_keyword capability, which is required to run the delete search command. No other predefined role has this capability, not even admin, so it must be assigned deliberately.
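An added example, not from the original slides, of auditing who actually holds the capability behind the can_delete role. It uses the REST endpoints Splunk exposes to search; the field names (`title`, `roles`, `capabilities`, `imported_capabilities`, `srchIndexesAllowed`) are those returned by `/services/authentication/users` and `/services/authorization/roles`. Running `| rest` requires a role allowed to read those endpoints, normally admin. The check is on the delete_by_keyword capability rather than on the role name, so custom roles that inherited it are caught too.

```spl
| rest /services/authentication/users splunk_server=local
| rename title AS user
| mvexpand roles
| join type=left roles
    [ | rest /services/authorization/roles splunk_server=local
      | rename title AS roles
      | eval grants_delete=if(isnotnull(mvfind(capabilities, "^delete_by_keyword$")) OR isnotnull(mvfind(imported_capabilities, "^delete_by_keyword$")), "yes", "no")
      | table roles grants_delete srchIndexesAllowed ]
| where grants_delete="yes"
| stats values(roles) AS roles_granting_delete, values(srchIndexesAllowed) AS deletable_indexes BY user
```

Worth keeping in mind when reviewing the output: the delete command does not remove data from disk, it only marks the matching events as unsearchable until the bucket ages out. So can_delete is not a data-destruction control, but it does let a user hide events from every other searcher, which is exactly the anti-forensics capability an attacker with a compromised account would want; the list above should be short and known.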
WHAT ARE SPLUNK APPS?

Splunk has 1000+ ready-made apps available on Splunkbase. An app might include any or all of the following:
• Dashboards and supporting searches that integrate knowledge of the data source and its structure.
• Authentication management and other data source management interfaces.
• A dependency on one or more add-ons to facilitate the collection or configuration of data.
Some apps are free and a few are paid. The Splunk App for Microsoft Exchange, the Splunk App for AWS and Splunk DB Connect are examples of free apps.
WHAT ARE ADD-ONS?

An add-on provides specific capabilities to assist in gathering, normalizing and enriching data sources.
An add-on might include any or all of the following configurations:
• Data source input configuration.
• Data parsing and transformation configurations that structure the data for Splunk Enterprise.
• Lookup files for data enrichment.
• Supporting knowledge objects.
Examples: the AWS Web Application Firewall add-on and the Microsoft Teams messages publication add-on.
CHOOSING YOUR APP

Apps allow different workspaces for specific use cases or user roles to co-exist on a single Splunk instance. In the accompanying screenshot, Search & Reporting, SplunkAdmins and SplunkVersionControl are some of the apps available to the user. More apps can be added through "Find More Apps" according to the organization's requirements. Each app serves a different purpose.
