Splunk is a monitoring tool. Displays logs as query results in a very easy to read manner. It arranges and clubs data like no other, through indexing.
It identifies fields and values in the logs. These fields can be used in the queries which can be saved — to display on dashboards as graphs/charts or as simple search results , and also to set up alerts and reports.
3 core components:
- Index : will receive log files. And index them.
- Search head: graphical interface, write queries to run on the data
- Forwarder: agent that runs on devices to forward the required data to splunk.
Access is role based:
- User
- Power
- Admin
Data goes into buckets:
- Hot/warm
- Cold
- Frozen
When you add new data, at that time you define the index name.
When you create a new index you can decide the name, the path of the buckets (you may keep the default values) and their size.
3 search modes:
- Fast mode : field discovery is off. No event or field data for stats searches
- Smart mode : field discovery is on. No event or field data for stats searches.
- Verbose mode : all events and field data are available.
Search main points:
- Fields are case sensitive.
- Values are not case sensitive.
- If you get no results, check the time window selected and conditions in the search.
- You can use: NOT , OR , AND , =, <=, >=, != and such comparison operators
- Wildcards are also allowed: *
Points to remember while setting up a Search:
- Choose the narrowest possible criteria
- Use indexes and plan for scale, be ready to diversify to new indexes as the data grows
- Time window should be decided as per need, as that will determine the amount of data combed through for the search result (smaller the window, quicker is the result)
SPL : Splunk Processing Language. It is a free-form when compared to SQL. It is used to construct searches.
Remember:
Search and filtering commands come first | other commands that help to manipulate , generate or sort the data come after
Explore.
