1 Discussion on different Splunk Certification Paths
2 Splunk Basic : Architecture of Splunk
3 Splunk Basic : install splunk
4 Splunk Enterprise: How to get free developer license
5 Splunk UF : How to Install Universal Forwarder In Google Cloud Ubuntu Instance
6 Splunk Admin : How to install full stack Splunk in Google Cloud Ubuntu Instance
7 Splunk Basic: How to install Splunk in Google Cloud Windows instance
8 Creating our first app : "The Movie database(TMDB)"
9 Splunk Getting the data In : Adding scripted input(Simple Streaming) to "TMDB" app
10 Adding custom checkpointing to "TMDB" app scripted input
11 Splunk Getting the data In : How HTTP Event Collector works
12 Splunk Basic: Know Your Search Interface
13 Splunk Basic: Configuration Files Basics
14 Splunk Configuration files : Fundamentals about props.conf and transforms.conf
15 Splunk Configuration Files : Event line breaking using props.conf
16 Splunk Configuration Files : Timestamp extraction using props.conf
Discussion on different Splunk Certification Paths
https://github.com/siddharthajuprod07/youtube/tree/master/splunk_certification_path
Splunk Basic : Architecture of Splunk
4 stages of Splunk
Input
Parse the data into events
Store events in indexes
Searches and reports
SPL = Splunk Processing Language
Components
Forwarder
Indexer
Search Head
Deployment Server
All APP level configuration and code in one place
Search Prompt
Index=main
Splunk Basic : install splunk
Splunkd and Universal Forwarder – port 8089
Splunk web 8000
Splunk home = splunk installed directory
Splunk Enterprise: How to get free developer license
Valid for 6 months then we can extend
10 GB data
Search splunk dev license and request by submitting the agreement
Splunk UF : How to Install Universal Forwarder In Google Cloud Ubuntu Instance
Cloud.google.com
Create a project in Google Cloud
Compute Engine – VM Instances – US East is the cheapest region
Download Splunk in the VM – install – start Splunk (by default it will not start)
Provide admin credentials
Splunk Admin : How to install full stack Splunk in Google Cloud Ubuntu Instance
breadcrumb menu or trail
Splunk Basic: How to install Splunk in Google Cloud Windows instance
Mstsc – remote desktop connection command
Creating our first app : "The Movie database(TMDB)"
https://www.themoviedb.org/ – the site provides an API to get data from it
Creating New App
Creating new Index for the new TMDB app
Settings > Indexes – "New Index"
Index Datatypes > Events or Metrics
Each app folder contains conf files (here app.conf, indexes.conf)
Splunk Getting the data In : Adding scripted input(Simple Streaming) to "TMDB" app
TMDB site API (if we are registered we can go here) – GET Upcoming
Create a script in Python to get the data from TMDB
Check Pointing concept
Simple Python code provided and placed in the app's bin folder – we can define the index where the data is to be indexed
Once the source is added via the script, an inputs.conf file is created
Source="C:\Program Files\Splunk\etc\apps\tmdb\bin\tmdb_upcoming.py"
sourcetype=_json
In search results: Fields > Selected fields, Interesting fields
Checkpoint – to avoid indexing the same data again; without it every run produces duplicates
Adding custom checkpointing to "TMDB" app scripted input
Index="tmdb_index"
Create a checkpoint folder in bin and keep one empty text file in it named "checkpoint.txt"
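The checkpointing idea from the two sections above, as an added example that is not the course's tmdb_upcoming.py. It keeps the same layout as the notes (a checkpoint folder inside bin with an initially empty checkpoint.txt, one indexed id per line); the TMDB call is replaced by a `fetch` callable and constructed sample records so it runs offline, and the `run`, `load_checkpoint`, `save_checkpoint` and `new_records` names are this example's own.

```python
"""Scripted input with a file-based checkpoint (added example, not the course's script)."""
import json
import os
import sys

# Same layout as the notes: a "checkpoint" folder inside the app's bin folder,
# holding one (initially empty) checkpoint.txt with one indexed movie id per line.
CHECKPOINT_FILE = os.path.join(
    os.path.dirname(os.path.abspath(__file__)), "checkpoint", "checkpoint.txt"
)


def load_checkpoint(path):
    """Return the set of ids already indexed; an empty or missing file means none."""
    try:
        with open(path, encoding="utf-8") as fh:
            return {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        return set()


def save_checkpoint(path, ids):
    """Write via a temp file and rename so a crash mid-write cannot leave a half-written checkpoint."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write("\n".join(sorted(ids)) + "\n")
    os.replace(tmp, path)


def new_records(records, seen):
    """Yield only records whose id is not yet in the checkpoint, updating `seen`."""
    for rec in records:
        rec_id = str(rec["id"])
        if rec_id in seen:
            continue  # already indexed on an earlier run: skip, no duplicate event
        seen.add(rec_id)
        yield rec


def run(fetch, checkpoint_path=CHECKPOINT_FILE, out=sys.stdout):
    """Emit new records as one JSON object per line (sourcetype _json); return how many were emitted."""
    seen = load_checkpoint(checkpoint_path)
    emitted = 0
    for rec in new_records(fetch(), seen):
        out.write(json.dumps(rec) + "\n")
        emitted += 1
    save_checkpoint(checkpoint_path, seen)
    return emitted


if __name__ == "__main__":
    # Constructed sample data standing in for the TMDB "upcoming" response.
    SAMPLE = [{"id": 101, "title": "Film A"}, {"id": 102, "title": "Film B"}]
    run(lambda: SAMPLE)
```

Running the script twice against the same sample data emits the two records the first time and nothing the second time, which is exactly the duplicate-free behaviour the checkpoint is there to give; a record with a new id on a later run is emitted once and then added to the file.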
Splunk Getting the data In : How HTTP Event Collector works
https://github.com/siddharthajuprod07/youtube/tree/master/http_event_collector
https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector
https://www.guidgenerator.com/online-guid-generator.aspx
We expose an HTTP endpoint to the outside world so that clients can send data in for indexing
Settings > Data Inputs > HTTP Event Collector > Global Settings – All Tokens = Enabled, Data Source Type = _json, Default index, HTTP Port 8088 (we can change the port)
Create a Token
Authentication: basic and tokenized
Index=main | delete – this deletes the indexed data (it needs the can_delete role and only marks events as unsearchable; disk space is not freed)
Debugging: the $SPLUNK_HOME/var/log/introspection folder contains all the log files
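The token exchange described above, as an added example with both sides of the conversation; it is not code from the course repository. The endpoint here is a local stand-in that reproduces only the `Authorization: Splunk <token>` check and the JSON envelope HEC accepts on `/services/collector` (the status/code pairs are modelled on the documented HEC responses); the token value is a constructed placeholder GUID, and `check_token`, `build_hec_payload`, `send_event` and `MockHecHandler` are this example's own names.

```python
"""HTTP Event Collector exchange, client and endpoint side (added example)."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # constructed placeholder, not a real token
COLLECTOR_PATH = "/services/collector"


def build_hec_payload(event, index="main", sourcetype="_json"):
    """Envelope HEC accepts on /services/collector: the event plus its metadata."""
    return {"event": event, "index": index, "sourcetype": sourcetype}


def check_token(auth_header, expected=HEC_TOKEN):
    """Server-side decision: (http_status, response body). Missing and wrong tokens are rejected."""
    if not auth_header or not auth_header.startswith("Splunk "):
        return 401, {"text": "Token is required", "code": 2}
    if auth_header.split(" ", 1)[1] != expected:
        return 403, {"text": "Invalid token", "code": 4}
    return 200, {"text": "Success", "code": 0}


class MockHecHandler(BaseHTTPRequestHandler):
    """Stand-in endpoint: checks the token, then stores the accepted payload."""
    received = []  # payloads the endpoint accepted (class-level, shared)

    def do_POST(self):
        status, body = check_token(self.headers.get("Authorization"))
        if status == 200 and self.path == COLLECTOR_PATH:
            length = int(self.headers.get("Content-Length", "0"))
            self.received.append(json.loads(self.rfile.read(length)))
        elif status == 200:
            status, body = 404, {"text": "Not found"}
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_mock_hec():
    """Start the stand-in endpoint on a free loopback port and return the server."""
    server = HTTPServer(("127.0.0.1", 0), MockHecHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_event(base_url, token, event, index="main", sourcetype="_json"):
    """Client side: POST one event; the header is omitted when token is None. Returns (status, body)."""
    headers = {"Content-Type": "application/json"}
    if token is not None:
        headers["Authorization"] = "Splunk " + token
    data = json.dumps(build_hec_payload(event, index, sourcetype)).encode()
    req = urllib.request.Request(base_url + COLLECTOR_PATH, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read())


if __name__ == "__main__":
    srv = start_mock_hec()
    url = "http://127.0.0.1:%d" % srv.server_address[1]
    print(send_event(url, HEC_TOKEN, {"title": "Film A"}, index="tmdb_index"))  # 200, Success
    print(send_event(url, "wrong-token", {"title": "Film A"}))  # 403, Invalid token
    print(send_event(url, None, {"title": "Film A"}))  # 401, Token is required
    srv.shutdown()
```

The point to take from the exchange is that the token is the only thing standing between the network and your index: a client that knows it can write to whichever index the token (or its default) allows, so tokens deserve the same handling as any other credential, and the per-token index restriction and the port exposure are the settings worth reviewing.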
Splunk Basic: Know Your Search Interface
SPL= Splunk Processing Language
Time Picker
Documentation Link
Tutorial Link
Data Summary
Search History
Search a query index=main – click job – inspect job – It shows Execution Costs, Search Job Properties – This will be useful for performance improvement of query / search
We can export the result in csv or json or xml
Mode
Fast mode (default)
Smart
Verbose
Selected Fields
Host – which server
Source – the data file
Sourcetype = what type of file it is (csv, json, etc.)
Interesting Fields
Splunk creates these fields based on the mode
Punct = overview of data structure
We can move the interesting fields to selected fields by clicking “YES”
Coverage = if the particular fields appears in all the events that means 100%
Extract new fields
Verbose mode is important to run statistics
Index=main | stats count – we cannot see the events except in verbose mode
Patterns, statistics, visualization save as dashboard, report, alert
Index=main | table columns
Splunk Basic: Configuration Files Basics
Search config files
Commands.conf
Contains all the configuration files details
Important folders are: system, users, apps
All configuration stored in either default folder or local folder
Folders
System
All the configuration related to system level – comes from splunk
Users
All the different user level configurations
Apps
All apps are listed here – each app's configuration files are in its folder under apps
The users folder has only a local folder – no default folder
Configuration
Global
Search Time Context / User Context
When the same configuration exists under the system and user folders, which one applies depends on the task
Index is global – but search is user context
localhost:8000/en-US/debug/refresh – reloads all the configuration files
https://docs.splunk.com/Documentation/Splunk/9.1.2/Admin/Listofconfigurationfiles
Splunk Configuration files : Fundamentals about props.conf and transforms.conf
props.conf
Data processing stage
In the parsing phase we can mask data such as PHI or PII
props.conf is placed in one of these locations depending on our settings
SPLUNK_HOME\etc\system\default\props.conf
SPLUNK_HOME\etc\apps\appname\default\props.conf
Stanza = group name
The last occurrence takes precedence within a props.conf stanza
Stanzas are keyed on the following (regex can be used too) – we can set priority in the stanza
sourcetype, [<sourcetype>]
source, [source::<sourcename>]
host, [host::<>]
[rule::<>]
transforms.conf
Splunk Configuration Files : Event line breaking using props.conf
When we add a new file we can set event breakers
Event line breaking happens in Parsing phase
Event Breaks
If we want to use the event breaking we can save it – that information is saved in props.conf
Splunk Configuration Files : Timestamp extraction using props.conf
_time is important
All the date/time logic handled by Splunk is stored in datetime.xml, available in the etc folder
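Line breaking and timestamp extraction as they would be written in props.conf, as an added example that is not the course's configuration. The sourcetype name `tmdb:app` and the log layout (a line starting with `2024-01-15 10:22:31,123`) are constructed for this example; the setting names are real props.conf settings.

```ini
# props.conf (added example) – parsing-phase settings for a constructed sourcetype
[tmdb:app]
# Event line breaking: do not merge lines, break wherever the next line starts with a timestamp.
# LINE_BREAKER needs one capture group; the captured newline is discarded, the lookahead keeps the timestamp.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})

# Timestamp extraction for _time: the timestamp sits at the very start of the event,
# so anchor the prefix there, give the exact strptime layout, and cap the lookahead
# to the 23 characters the timestamp occupies so Splunk never grabs a date from the message body.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
# State the source timezone explicitly; otherwise the indexer's own zone is assumed.
TZ = UTC
```

A wrong _time is a detection problem, not just a cosmetic one: an alert that searches the last 15 minutes never sees events that were stamped with yesterday's date from inside the message body, which is why the prefix, format and lookahead are pinned down together rather than left to automatic detection.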
Splunk Configuration Files : Search time field extraction
Field extraction in indexing time or searching time
Splunk recommend search time extraction
This is configured in props.conf or transforms.conf
Report extraction
https://github.com/siddharthajuprod07/youtube/tree/master/search_time_field_extraction
FieldAlias
(figure: search_time_operation_sequence.PNG – search time operation sequence)
Splunk Configuration Files : Index time field extraction
Code and data https://github.com/siddharthajuprod07/youtube/tree/master/index_time_field_extraction
Splunk recommends search time field extraction
If the field we search on, e.g. company_id=1, matches very few events (less than 2%), then we go for index time field extraction
Mv_field
props.conf has a TRANSFORMS-<class> setting > transforms.conf holds the XML extraction. ??? We can get the SQL Server user id by using this
Seems we need to get the WindowsLogEvent file indexed and set in props.conf and transforms.conf
Mv_extraction + REPEAT_MATCH = multivalue key field; we can use this to add multiple values to one field
SEDCMD-<class> – for data masking
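The props.conf/transforms.conf settings from the last three sections side by side (parse-time masking, an index-time extraction for a rare field, and the recommended search-time extractions), as an added example that is not the course's configuration. The sourcetype `tmdb:app`, the transform names and the `api_key=`, `company_id=` and `genre=` patterns are constructed for this example; the setting names are real.

```ini
# props.conf (added example)
[tmdb:app]
# Parsing phase – mask the secret before it is written to disk. The replacement is a
# sed-style substitution; once indexed, the original value is gone for good.
SEDCMD-mask_api_key = s/api_key=[A-Za-z0-9]+/api_key=########/g

# Index-time extraction – only for the rare, high-value field (the "< 2% of events" case).
# Indexed fields cost disk and cannot be changed later without re-indexing.
TRANSFORMS-company = tmdb_company_id

# Search-time extractions – the recommended default, applied when the search runs:
# an inline regex, a report backed by transforms.conf, and an alias.
EXTRACT-status = status=(?<status>\d{3})
REPORT-genres = tmdb_genres
FIELDALIAS-movie_id = id AS movie_id

# transforms.conf (added example)
[tmdb_company_id]
REGEX = company_id=(\d+)
FORMAT = company_id::$1
# Run the regex repeatedly so an event listing several company_id= pairs yields all of them.
REPEAT_MATCH = true
# Write the extraction into the index as a field instead of changing the raw event.
WRITE_META = true

[tmdb_genres]
REGEX = genre=(\w+)
FORMAT = genre::$1
# Collect every match into one multivalue field rather than keeping only the first.
MV_ADD = true

# fields.conf (added example) – tell the search head the field is indexed, so that
# company_id=1 is answered from the index rather than by scanning raw events.
[company_id]
INDEXED = true
```

The masking stanza is the security-relevant one: because SEDCMD runs in the parsing phase, it must live on the instance that parses (a heavy forwarder or the indexer, not a universal forwarder), and it is worth searching for the marker string afterwards to confirm the secret really never reached the index.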
Splunk Lookups : Lookups fundamentals & detail discussion on KV Store Lookups
https://github.com/siddharthajuprod07/youtube/tree/master/kv_store_lookups
1. Lookups Intro
2. Different types of lookup
3. What is KV store lookup
4. Comparison with CSV lookup
5. How to create KV store lookup from Splunk UI
6. How to populate KV store lookups using query and rest API
7. How to update KV store lookups
8. Talk about background conf files
9. How to create Automatic KV store lookups