Tag: It Security

Splunk Series III: System Administrator Class (File Structure, Settings and CLI)
4 min read

Awesome, I was able to move on from those 2 slides that took a lot of content and energy out of my brain! The slides I'm referring to are the ones you get when you attend Splunk's System Administration class; basically these posts (this blog) are my notes, an extraction of the most important content. The next post will be about a few things that I consider very important, like the settings, the directory structure and so on, so let's get at it.

Splunk Series III: System Administrator Class (Installation and Recommendations)
4 min read

Splunk can be installed on Windows and Linux for production environments. There are some tweaks you can configure to make your environment run better and with no issues; this class makes a few recommendations that are very new to me, so I will list them here to keep adding to my notes.

Linux Settings Recommendations

Ulimit: the class recommends using ulimit -a to view the current settings, and then increasing the parameters on indexers and search heads. This one seems a bit off, but here is a quick informational link about the ulimit command

Splunk Series III: System Administrator Class (Splunk Components, Processes and Installation)
3 min read

Getting back to where we left off yesterday. Here is a quick and interesting view of the components, processes and the installation planning of the solution. I know these posts may be repetitive in nature, but they are the foundation of a well implemented solution.

Core Components and Processes

This section is dedicated to describing all the components and processes, with a brief explanation of each.

Search Heads
- Allow users to submit search requests using SPL (Search Processing Language)
- Distribute search requests to the indexers
- Consolidate results and render visualizations of results
- Store search-time knowledge objects (field extractions, alerts and dashboards)

Indexers
- Receive incoming data from forwarders
- Index and store data in Splunk indexes
- Search data in response to requests from Search Heads

Forwarders
- Monitor configured inputs and forward data to the indexers (best practice data collection method)
- Require minimal resources and are typically installed on the machines that produce the data

Deployment Server
- Acts as a centralized configuration manager for any number of deployment clients
- Requires running on an Enterprise instance

Installation Overview

As with any installation, preparation and planning are key!

Splunk Series III: System Administrator Class (Splunk Deployment)
3 min read

As I continue being exposed to Splunk in the wild as well as in class :) I decided to write a bit on the class that I just took. The System Administrator Class: this class is one of the many requirements to become a Splunk Certified Architect, which is what I'm going for in the next couple of months. This class, along with the Data Administration one, is required in order to take the Administration exam.

Splunk Series II: Correlating Events
2 min read

Introduction to Transactions

A transaction is a group of related events that span time. Events can come from multiple applications or hosts. For example, one email message can create multiple events as it travels through various queues; likewise, visiting a single website normally generates multiple HTTP requests.

The transaction field-list can be a single field or a list of field names. Events are grouped into transactions based on the values of these fields. If multiple fields are specified and a relationship exists between those fields, events with a related field value are grouped into a single transaction.

Splunk Series II: Filtering/Formatting Data
2 min read

Introduction to Eval Commands

The eval command is great for performing calculations, converting values, rounding values, formatting values and even using conditional statements. It is recommended to use the search and where commands to filter calculated results.
- Eval commands allow you to calculate and manipulate field values in your report
- Supports a variety of functions
- Results of eval are written to either new or existing fields you specify
- If the destination field exists, the values of the field are replaced by the results of eval

Splunk Series II: Fundamentals II
3 min read

So we got to this point, looking at the Fundamentals 2 section of my training. This training builds on the Fundamentals 1 course, which is pretty much all the tools you can use for searching and understanding data in Splunk.

What is part of Fundamentals 2:
- Transforming commands and Visualizations
- Filter/Format results of a Search
- Correlate Events into Transactions
- Knowledge Objects
- Extracted Fields, Field Aliases and Calculated Fields
- Tags and Event Types
- Macros and Workflow Objects
- Manage Data Models
- Splunk Common Information Model

Splunk Series II: Knowledge Objects and Managing Fields
1 min read

Introduction to Knowledge Objects

These are tools you use to discover and analyze various aspects of your data:
- Data Interpretation - Fields and field extractions
- Data Classification - Event types
- Data Enrichment - Lookups and Workflow Actions
- Normalization - Tags and Field Aliases
- Datasets - Data models

Knowledge objects can be shared between users; they are reusable, persistent objects that can be used by multiple people or apps, such as macros and reports. They are also searchable: since the objects are persistent, they can be used in a search.

Splunk Series II: Visualizations
1 min read

Visualizations

When a search returns statistical values, the results can be viewed with different visualization types. Some of the visualization types:
- Statistical Values
- Charts: Line, column, pie
- Single Value Visualizations
- Maps

Charts - Line Chart (Time Series)
Chart - Bubble
Cluster Map
Choropleth Map

What is next? Filtering/Formatting Data

About the Author: Andres Sarmiento, CCIE # 53520 (Collaboration). With more than 15 years of experience, Andres specializes in Unified Communications and Collaboration technologies. He has consulted for several companies in South Florida, as well as financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service Provider infrastructures.

Splunk Series: Basic Search
2 min read

Basic Search

The search assistant provides a nice way to begin looking for something in particular. At this stage, you can determine a few different search criteria, such as a particular term, or search directly in a specific index. The search assistant lets you be flexible and presents you with different options. Before the first pipe (|), it will look at any matching term. After the (|) sign you have the ability to start using a list of commands to help you search data; once you hover your mouse over a command, the Assistant will provide you with high-level information on how to use it.