Welcome to SDN TechForum. So let's continue from our earlier video, ASA Essential. And in ASA Essential, we did essential configuration, like SSH, SNMP, NetFlow, SPAN, syslog, and packet tracer. So now, what happened, this ASA is sending all the logs to a syslog server. And in this video, we are going to start a new topic. And that topic is Fun with Splunk. So you may be thinking like, am I watching an old video? No, we'll continue from there and continue building up what we did so far. OK. Fun with Splunk, as you can see.

What we are going to do, as a side note, I'm going to show you how to configure a syslog-ng server on Ubuntu, with a Raspberry Pi on laptop. And then we will start with Splunk. So what I'm going to do, I'm going to install the Splunk server. I'm going to use a free trial version. I'll install it on a Windows machine. All right. Then we will have a Splunk universal forwarder, which is a small CPU. I mean, it's not very resource-intensive. It's a lightweight agent sitting on the places where you have the data, the data which you want to input to the Splunk server so that you can index it, crunch it, and visualize it.
So these universal forwarders, they will be sitting on the sources where we have our data storage, which is generally a Linux machine or Windows. Then I'll show you how to input data from the forwarder, so what rules you need to create. And then, finally, we'll come back to the Splunk Dashboard again and see if we can manage the forwarder status. And also, we can crunch that data, index that data, search that data, all those things. So this is not going to be a very Splunk-intensive video, but a lightweight one, good for you to get started. And at the same time, finally, I'll give you some forwarder troubleshooting tips because, many times, with forwarders, once you set up the channel, after some time, you may see that the forwarder is not sending data. So how to troubleshoot that, I'll show you that. OK.

So quickly, let's first review the syslog-ng server configuration requirement. So this is for a Linux Ubuntu machine. So what you have to do, you have to do apt-get install syslog-ng. And then, basically, that will install the syslog-ng server, and then validate if it is listening on port number 514. You can also validate the status by using sudo services status syslog-ng. So syslog-ng is started.
It's listening on port number 514. Now what do we have to do? We already did that. Actually, ASA is sending syslogs to port number 514, or to this server, all right? So I'll show you that. And then we will talk about how to do the universal forwarder config. But let's first validate the syslog-ng server.

So this is our ASA. Mind it, this is going to be a little demo-intensive video. So please try to follow along with me. So as you can see, ASA is sending these logs to 192.168.1.22. And that is our Ubuntu server. All right, I'm going to show you that IP address. IP address is 192.1 in this. And let's do netstat, grep 514. So you can see, this is already listening on port number 514 for TCP/UDP and receiving all the syslog details, OK?

Now, it is our turn to install the Splunk forwarder. Before we do Splunk forwarding, let's go to the Splunk website, all right? So here I am on the Splunk website, and I want free Splunk. So I created an account here and downloaded the Splunk Enterprise software, OK? Not the cloud one, the Splunk 8.5, which is the current software. You can say Free Splunk, and you can download. I already downloaded it, so I'm not going to download it again.
As you can see, this is a 60-day free trial for Splunk Enterprise. This is what I downloaded and installed on a Windows machine, OK? So here is your main Splunk dashboard. What we are going to do, we are going to do a couple of things. First is we are going to make this server listen for a data stream, right? There are multiple ways you can add data. Like here, if you click on Add Data, there are multiple options. I'm going to skip the tour. You can do networking, you can do OS, and upload. You can actually upload the data. So if you have a compressed file, CSV file, you can actually upload it. But that's not a very scalable way. We want our data to be continuously sent as a stream, and then Splunk to do all that indexing so that we can run our searches. So for that, what you have to do, you have to prepare your Splunk to listen on certain ports. And that is called receiving here, OK? Forwarding and receiving: configure receiving, OK? We don't want to configure forwarding here because we will be using forwarding agents. The only thing is, I want this Splunk server to listen on a certain port. And that is port number triple 9 7, 9997. And that's the default port for Splunk.
So I kept it default. OK, that's all you want to do here. Now, since this server is listening on the designated port, so now it is our turn to configure the universal forwarder. And for that, what do you have to do? You have to download the forwarder, OK? And I'll show you from where to download the forwarder. So you can do sudo wget and the wget IP on this part so that it will get downloaded to your machine. And then what you can do is you can copy that forwarder, what you downloaded, to a third-party directory or a third-party software directory, which is /opt, cd plus cp. And then whatever you downloaded, copy it to /opt. Then go to that directory, sudo /opt, and do a sudo dpkg, which is like a package manager for Ubuntu. And this is what you have to do. You may need to install curl because it is running some background curl checks. So make sure you have the curl utility installed. And if not, then you have to do dpkg-reconfigure again, OK? Once you do that, it will install the software. Now, finally, what you can do, when you do a list of directories, you can see there is a directory created called splunkforwarder. Go to splunkforwarder there. Under that, go to the bin directory.
And that is the directory where you can start, stop, or restart your Splunk instance, universal forwarder instance. So we are going to go to cd bin and say sudo splunk start. And make sure you accept the license from the command line, like this. Otherwise, you will have to read the entire license by pressing Page Up and Page Down. And, finally, you can validate with the Splunk status check. All right. So I'm going to show you all this on the forwarder itself.

So let's go. As you can see, I downloaded this forwarder here and then parked it to opt. And here you can see Splunk forwarder is there. Under Splunk forwarder, we have a lot of directories, right? All the local configuration-related things are stored in etc, just like any Ubuntu Linux system. But this is only for Splunk-related files, all right? But right now, we are interested in checking the status. So what you can do, you can just go to the bin directory and then do a sudo. So splunk status. When you install, it will ask you to create a username and password. And that's the-- but this is the sudo username, password. OK, splunk command not found. OK, pwd, /bin. I am not in the correct file, OK?
That is the reason. So let me start over. I'm going to say cd /opt/splunkforwarder/bin. That's it. And then splunk status. That's it, Splunk is running. So my universal forwarder is properly installed. As I was telling you, all the configuration files are stored in etc. So let's quickly revisit the st-- go to system. Or maybe just list everything here and see all the-- OK. All Splunk configuration-related files are here. And you can read instance config, licenses. And even you can go to system, cd system. And you can look at the local, cd local. And here is your output config. Where will this universal forwarder send the config? What does the server config look like? All that information is here. But again, as I mentioned, I'm not going to go deep into this, OK? So this is up to you.

Now, what we are going to do, we are going to configure the forwarding rules. So again, we are going to go to splunkforwarder/bin here. And let's go back and look at the configuration again. So this is for installation. Now, the rule setting, right? So what are you going to say?
You are going to say sudo splunk add forward-server. And this is the Splunk Enterprise IP address, slash or colon, and port. If you remember, we created a receiving port 9997. So put your Splunk Enterprise IP address colon port number. Make sure you have the networking or reachability between the forwarder and the Enterprise server. And there is no firewall blocking and other things. So this is how you will point your universal forwarder to the Splunk Enterprise server. Next, what do you want to do? You want to monitor the data, right? The data thing, what you want to send to the server. And for that, we have to do splunk add monitor and then the file and location. So here, what I'm doing, I'm sending my ASA logs, which are coming to the syslog server. At this folder, I'm going to send this to Splunk Enterprise. And when you configure these rules, you may have to restart the Splunk. And to do that, you can just say splunk restart. That's it. You can always come back and check if your forwarder is active or not. And if something is wrong, by using this command, OK?

So now let's go back and check our forwarder. Splunk. Let's look at the command list forwarder.
You can always do help. So we are going to say list-- too bad it doesn't do a tab complete, but-- your session is invalid, so you have to log in to your universal forwarder, OK? So this is the log-in. Your username and password, you will create while installing the universal forwarder, not your Enterprise Splunk username and password. But, for me, both are the same. I re-used the username and password. And here you can see, after putting in the credentials, I can see this is my active forwarder, what I configured using the port number. And is there any inactive forwarder? No. So we are good. So this is how you are going to create the forwarder.

And now let's validate if this data is showing up, or if this forwarder is showing up in Splunk Enterprise or not. And for that, what you can do, you can go to Dashboard. Your dashboard may be empty, OK? So what you can do, you can create a dashboard. OK. Let's go back to Search first. And here you can come and say Data Summary. A quick way to test your data inputs is by setting-- click on Data Summary.
Once you click on Data Summary, it is going to look at how many hosts-- that means forwarders-- are talking to this Enterprise server. And if you click on that, I have two. One, which is sending the 121, which is sending [INAUDIBLE]. And that is defined by this naming convention. And then another is Ubuntu Pi. So these two data are being sent to the Enterprise server. Sources, what source we are monitoring? All those things are listed here. And source type, it automatically tries to classify by reading the files by some existing rules and says these are the source types. There are various pre-built source types, like ASA. Not all those pre-built source types are there. You can also build a custom-built source type. So let's look at the host and try to load this. So here, you can see all my var/log/firewall, the place which we are monitoring on the syslog-ng server. All these logs started showing here. And based on these logs here, it has created some selected fields. You can select those fields and create a new search query. Right now, it is just searching on the host name. And you can see all those events nicely getting populated here. You can go back in the timeline-- 24 hours, 30 minutes, five minutes. Everything you can see.
You can create your own search pattern, and you can also do some visualization. And at the same time, you can create a table view. So different ways of visualization, table format, bar chart format, and all those things. But the nice, cool thing about Splunk, which needs a little bit of education about Splunk Processing Language, SPL, is that you can actually use these logs to create your search query or create a pattern, so that you can present these logs in a meaningful way. And that's the end goal, right? Right now, in today's video, I'm just going to make you familiar with the Splunk distributed model. What is the universal forwarder? What is the Enterprise? And how you can bring your logs here. But you can do much more by learning a few tricks in the SPL language. OK.

What else do I want to show you? I want to show you-- if you go to the home page, Splunk, here I created the forwarder instance. So it's a snapshot. When I come to the home page, it quickly gives me a snapshot of my forwarders, which are the forwarders available, and what their data pattern looks like. So, as I mentioned, I have two of them. And I can load them here.
I can watch their data patterns. And I can also click on any of these and see who is my receiver. So this Windows machine itself is a receiver. So this is a cool thing to monitor your forwarders, if they are sending your data in real time or not. Finally, if you want to know something about the Splunk utilization or the Enterprise utilization itself, so what you can do, you can always go to Monitoring Console and see here how your Enterprise server is doing resource-wise right now. So basically, these are the license usage, disk usage, CPU usage, and all those things for the Enterprise server. That means how the server instance installation is doing health-wise. Is there any memory pressure? Is there any CPU pressure? Are we hitting any license or disk or throughput indexing rate threshold? All those things, you can manage from here. All right. But mostly, why you come here, if you are not a Splunk administrator, you will come here to parse logs for your application. And for that, mostly, you want to create some search and reporting, create some cool search indexes, so that you can find a needle in a haystack. So with that, I'm going to stop this video. And I'll continue learning Splunk.
And I hope you will find it interesting also. So let's continue this journey. Thank you.