1 00:00:00,000 --> 00:00:01,190
2 00:00:01,190 --> 00:00:02,580 Welcome to SDN TechForum.
3 00:00:02,580 --> 00:00:08,400 So let's continue from our earlier video, ASA Essential.
4 00:00:08,400 --> 00:00:12,830 And in ASA Essential, we did essential configuration,
5 00:00:12,830 --> 00:00:16,830 like SSH, SNMP, NetFlow, SPAN, syslog, and packet tracer.
6 00:00:16,830 --> 00:00:21,380 So now, what happened, this ASA is sending all the logs
7 00:00:21,380 --> 00:00:23,160 to a syslog server.
8 00:00:23,160 --> 00:00:26,430 And in this video, we are going to start a new topic.
9 00:00:26,430 --> 00:00:29,770 And that topic is Fun with Splunk.
10 00:00:29,770 --> 00:00:32,220 So you may be thinking like, am I watching an old video?
11 00:00:32,220 --> 00:00:34,580 No, we'll continue from there and continue
12 00:00:34,580 --> 00:00:37,800 building up what we did so far.
13 00:00:37,800 --> 00:00:38,340 OK.
14 00:00:38,340 --> 00:00:42,140 Fun with Splunk, as you can see.
15 00:00:42,140 --> 00:00:44,430 What we are going to do, as a side note,
16 00:00:44,430 --> 00:00:46,940 I'm going to show you how to configure
17 00:00:46,940 --> 00:00:52,580 a syslog-ng server on Ubuntu, with a Raspberry Pi on laptop.
18 00:00:52,580 --> 00:00:55,963 And then we will start with Splunk.
19 00:00:55,963 --> 00:00:57,380 So what I'm going to do, I'm going
20 00:00:57,380 --> 00:00:59,400 to install the Splunk server.
21 00:00:59,400 --> 00:01:02,250 I'm going to use a free trial version.
22 00:01:02,250 --> 00:01:05,590 I'll install it on a Windows machine.
23 00:01:05,590 --> 00:01:06,220 All right.
24 00:01:06,220 --> 00:01:11,920 Then we will have a Splunk universal forwarder,
25 00:01:11,920 --> 00:01:16,180 which is a small CPU.
26 00:01:16,180 --> 00:01:18,520 I mean, it's not very resource-intensive.
27 00:01:18,520 --> 00:01:23,730 It's a lightweight agent sitting on the places
28 00:01:23,730 --> 00:01:26,460 where you have the data, the data which
29 00:01:26,460 --> 00:01:28,620 you want to input to the Splunk server
30 00:01:28,620 --> 00:01:32,280 so that you can index it, crunch it, and visualize it.
31 00:01:32,280 --> 00:01:35,010 So these universal forwarders, they
32 00:01:35,010 --> 00:01:40,170 will be sitting on the sources where we have our data storage,
33 00:01:40,170 --> 00:01:44,550 and which is generally a Linux machine or Windows.
34 00:01:44,550 --> 00:01:50,910 Then I'll show you how to input data from forwarder-- so what
35 00:01:50,910 --> 00:01:52,150 rules you need to create.
36 00:01:52,150 --> 00:01:54,840 And then, finally, we'll come back to the Splunk Dashboard
37 00:01:54,840 --> 00:01:58,860 again and see if we can manage the forwarder status.
38 00:01:58,860 --> 00:02:02,270 And also, we can crunch that data, index that data,
39 00:02:02,270 --> 00:02:03,840 search that data, all those things.
40 00:02:03,840 --> 00:02:08,039 So this is not going to be a very Splunk-intensive video,
41 00:02:08,039 --> 00:02:11,830 but a lightweight one, good for you to get started.
42 00:02:11,830 --> 00:02:13,490 And at the same time, finally, I'll
43 00:02:13,490 --> 00:02:16,340 give you some forwarder troubleshooting tips
44 00:02:16,340 --> 00:02:19,970 because, many times, forwarders, once you set up
45 00:02:19,970 --> 00:02:21,920 the channel, after some time, you
46 00:02:21,920 --> 00:02:23,910 may see that the forwarder is not sending data.
47 00:02:23,910 --> 00:02:26,960 So how to troubleshoot that, I'll show you that.
48 00:02:26,960 --> 00:02:27,860 OK.
49 00:02:27,860 --> 00:02:32,540 So quickly, let's first review the syslog-ng server
50 00:02:32,540 --> 00:02:34,782 configuration requirement.
51 00:02:34,782 --> 00:02:38,040 So this is for a Linux Ubuntu machine.
52 00:02:38,040 --> 00:02:40,820 So what you have to do, you have to get
53 00:02:40,820 --> 00:02:43,130 apt-get install syslog-ng.
54 00:02:43,130 --> 00:02:48,170 And then, basically, that will install the syslog-ng server
55 00:02:48,170 --> 00:02:54,300 and then validate if it is listening to port number 514.
56 00:02:54,300 --> 00:02:58,910 You can also validate the status
57 00:02:58,910 --> 00:03:01,080 by using sudo services status syslog-ng.
58 00:03:01,080 --> 00:03:03,700 So syslog-ng is started.
59 00:03:03,700 --> 00:03:06,490 It's listening on port number 514.
60 00:03:06,490 --> 00:03:07,810 Now what do we have to do?
61 00:03:07,810 --> 00:03:09,190 We already did that.
62 00:03:09,190 --> 00:03:15,150 Actually, ASA is sending syslogs to port number 514
63 00:03:15,150 --> 00:03:17,020 or to this server, all right?
64 00:03:17,020 --> 00:03:18,720 So I'll show you that.
65 00:03:18,720 --> 00:03:21,810 And then we will talk about how to do the universal forwarder
66 00:03:21,810 --> 00:03:22,390 config.
67 00:03:22,390 --> 00:03:27,600 But let's first validate the syslog-ng server.
68 00:03:27,600 --> 00:03:31,440 So this is our ASA.
69 00:03:31,440 --> 00:03:35,020 Mind it, this is going to be a little demo-intensive video.
70 00:03:35,020 --> 00:03:37,805 So please try to follow along with me.
71 00:03:37,805 --> 00:03:41,250
72 00:03:41,250 --> 00:03:46,260 So as you can see, ASA is sending these logs
73 00:03:46,260 --> 00:03:48,760 to 192.168.1.22.
74 00:03:48,760 --> 00:03:50,790 And that is our Ubuntu server.
75 00:03:50,790 --> 00:03:55,860 All right, I'm going to show you that IP address.
76 00:03:55,860 --> 00:03:58,500 IP address is 192.1 in this.
77 00:03:58,500 --> 00:04:12,040 And let's do netstat grep 514.
78 00:04:12,040 --> 00:04:15,880 So you can see, this is already listening on port number 514
79 00:04:15,880 --> 00:04:21,750 for TCP/UDP and receiving all the syslog details, OK?
80 00:04:21,750 --> 00:04:27,974
81 00:04:27,974 --> 00:04:36,460 Now, it is our turn to install Splunk forwarder.
82 00:04:36,460 --> 00:04:42,260 Before we do Splunk forwarding, let's go to the Splunk website,
83 00:04:42,260 --> 00:04:42,760 all right?
84 00:04:42,760 --> 00:04:47,390 So here I am on Splunk website, and I want free Splunk.
85 00:04:47,390 --> 00:04:53,140 So I created an account here and downloaded the Splunk Enterprise
86 00:04:53,140 --> 00:04:56,260 software, OK?
87 00:04:56,260 --> 00:04:59,360 Not the cloud one, the Splunk 8.5,
88 00:04:59,360 --> 00:05:02,270 which is the current software.
89 00:05:02,270 --> 00:05:04,920 You can say Free Splunk, and you can download.
90 00:05:04,920 --> 00:05:08,330 I already downloaded it, so I'm not going to download it again.
91 00:05:08,330 --> 00:05:11,570 As you can see, this is a 60-day free trial for Splunk
92 00:05:11,570 --> 00:05:12,300 Enterprise.
93 00:05:12,300 --> 00:05:15,890 This is what I downloaded and installed on a Windows machine,
94 00:05:15,890 --> 00:05:18,320 OK?
95 00:05:18,320 --> 00:05:21,810 So here is your main Splunk dashboard.
96 00:05:21,810 --> 00:05:25,070 What we are going to do, we are going to do a couple of things.
97 00:05:25,070 --> 00:05:30,530 First is we are going to make this server listen
98 00:05:30,530 --> 00:05:34,430 for data stream, right?
99 00:05:34,430 --> 00:05:36,470 Multiple ways, you can add data.
100 00:05:36,470 --> 00:05:39,590 Like here, if you click on Add Data,
101 00:05:39,590 --> 00:05:41,540 there are multiple options.
102 00:05:41,540 --> 00:05:43,080 I'm going to skip the tour.
103 00:05:43,080 --> 00:05:47,400 You can do networking, you can do OS, and upload.
104 00:05:47,400 --> 00:05:48,840 You can actually upload the data.
105 00:05:48,840 --> 00:05:51,530 So if you have a compressed file,
106 00:05:51,530 --> 00:05:53,270 CSV file, you can actually upload it.
107 00:05:53,270 --> 00:05:55,520 But that's not a very scalable way.
108 00:05:55,520 --> 00:06:00,010 We want our data to be continuously sent as a stream,
109 00:06:00,010 --> 00:06:03,250 and then Splunk to do all those indexing so
110 00:06:03,250 --> 00:06:04,610 that we can run our searches.
111 00:06:04,610 --> 00:06:06,040 So for that, what you have to do,
112 00:06:06,040 --> 00:06:10,070 you have to prepare your Splunk to listen on certain ports.
113 00:06:10,070 --> 00:06:14,180 And that is called receiving here, OK?
114 00:06:14,180 --> 00:06:20,440 Forwarding and receiving-- configure receiving, OK?
115 00:06:20,440 --> 00:06:22,420 We don't want to configure forwarding here
116 00:06:22,420 --> 00:06:25,150 because we will be using forwarding agents.
117 00:06:25,150 --> 00:06:27,820 Only thing is, I want this Splunk server
118 00:06:27,820 --> 00:06:29,390 to listen on certain port.
119 00:06:29,390 --> 00:06:33,195 And that is port number triple 97, 9997.
120 00:06:33,195 --> 00:06:34,820 And that's the default port for Splunk.
121 00:06:34,820 --> 00:06:38,170 So I kept it default. OK, that's all you want to do here.
122 00:06:38,170 --> 00:06:43,960 Now, since this server is listening on the designated
123 00:06:43,960 --> 00:06:46,150 port, so now it is our turn to configure
124 00:06:46,150 --> 00:06:47,500 the universal forwarder.
125 00:06:47,500 --> 00:06:49,390 And for that, what do you have to do?
126 00:06:49,390 --> 00:06:53,300 You have to download the forwarder, OK?
127 00:06:53,300 --> 00:06:55,670 And I'll show you from where to download the forwarder.
128 00:06:55,670 --> 00:07:01,550 So you can do sudo wget and the wget IP on this part
129 00:07:01,550 --> 00:07:04,530 so that it will get downloaded to your machine.
130 00:07:04,530 --> 00:07:07,850 And then what you can do is you can copy that forwarder,
131 00:07:07,850 --> 00:07:11,520 what you downloaded, to a third-party directory
132 00:07:11,520 --> 00:07:13,290 or a third-party software directory,
133 00:07:13,290 --> 00:07:16,560 which is /opt cd plus cp.
134 00:07:16,560 --> 00:07:21,080 And then whatever you downloaded, copy it to /opt.
135 00:07:21,080 --> 00:07:23,840 Then go to that directory, sudo /opt,
136 00:07:23,840 --> 00:07:28,640 and do a sudo dpkg, which is like a package
137 00:07:28,640 --> 00:07:29,700 manager for Ubuntu.
138 00:07:29,700 --> 00:07:32,670 And this is what you have to do.
139 00:07:32,670 --> 00:07:37,400 You may need to install curl because it is running
140 00:07:37,400 --> 00:07:38,580 some background curl checks.
141 00:07:38,580 --> 00:07:42,290 So make sure you have the curl utility installed.
142 00:07:42,290 --> 00:07:46,830 And if not, then you have to do dpkg-reconfigure again, OK?
143 00:07:46,830 --> 00:07:50,070 Once you do that, it will install the software.
144 00:07:50,070 --> 00:07:53,180 Now, finally, what you can do, when
145 00:07:53,180 --> 00:07:57,050 you do a list of directories, you
146 00:07:57,050 --> 00:08:01,170 can see there is a directory created called splunkforwarder.
147 00:08:01,170 --> 00:08:02,760 Go to splunkforwarder there.
148 00:08:02,760 --> 00:08:05,380 Under that, go to the bin directory.
149 00:08:05,380 --> 00:08:09,840 And that is the directory where you can start, stop, or restart
150 00:08:09,840 --> 00:08:13,030 your Splunk instance, universal forwarder instance.
151 00:08:13,030 --> 00:08:17,740 So we are going to go to cd bin and say sudo splunk start.
152 00:08:17,740 --> 00:08:21,810 And make sure you accept the license from command line,
153 00:08:21,810 --> 00:08:22,450 like this.
154 00:08:22,450 --> 00:08:26,820 Otherwise, you will have to read the entire license by pressing
155 00:08:26,820 --> 00:08:29,130 Page Up and Page Down.
156 00:08:29,130 --> 00:08:31,549 And, finally, you can validate the Splunk status check.
157 00:08:31,549 --> 00:08:32,049 All right.
158 00:08:32,049 --> 00:08:35,480 So I'm going to show you all this on the forwarder itself.
159 00:08:35,480 --> 00:08:38,159
160 00:08:38,159 --> 00:08:39,659 So let's go.
161 00:08:39,659 --> 00:08:42,870 As you can see, I downloaded this forwarder here
162 00:08:42,870 --> 00:08:46,950 and then parked it to opt.
163 00:08:46,950 --> 00:08:52,200 And here you can see splunkforwarder is there.
164 00:08:52,200 --> 00:08:57,150 Under splunkforwarder, we have a lot of directories, right?
165 00:08:57,150 --> 00:09:00,980 All the local configuration-related things
166 00:09:00,980 --> 00:09:05,970 are stored in etc, just like any Ubuntu Linux system.
167 00:09:05,970 --> 00:09:09,450 But this is only for Splunk-related files, all right?
168 00:09:09,450 --> 00:09:12,960 But right now, we are interested in checking the status.
169 00:09:12,960 --> 00:09:18,050 So what you can do, you can just go to the bin directory
170 00:09:18,050 --> 00:09:20,830 and then do a sudo.
171 00:09:20,830 --> 00:09:27,140
172 00:09:27,140 --> 00:09:32,600 So splunk status.
173 00:09:32,600 --> 00:09:35,300
174 00:09:35,300 --> 00:09:37,880 When you install, it will ask you to create a username
175 00:09:37,880 --> 00:09:38,670 and password.
176 00:09:38,670 --> 00:09:42,650 And that's the-- but this is the sudo username, password.
177 00:09:42,650 --> 00:09:45,710 OK, splunk command not found.
178 00:09:45,710 --> 00:09:47,090 OK, pwd/bin.
179 00:09:47,090 --> 00:09:49,850
180 00:09:49,850 --> 00:09:52,320 I am not in the correct file, OK?
181 00:09:52,320 --> 00:09:53,310 That is the reason.
182 00:09:53,310 --> 00:09:55,650 So let me start over.
183 00:09:55,650 --> 00:10:02,130 I'm going to say cd /opt/splunkforwarder/bin.
184 00:10:02,130 --> 00:10:03,330 That's it.
185 00:10:03,330 --> 00:10:11,272 And then splunk status.
186 00:10:11,272 --> 00:10:13,500 That's it, Splunk is running.
187 00:10:13,500 --> 00:10:17,352 So my universal forwarder is properly installed.
188 00:10:17,352 --> 00:10:20,880 As I was telling you, all the configuration files
189 00:10:20,880 --> 00:10:22,050 are stored in etc.
190 00:10:22,050 --> 00:10:26,765 So let's quickly revisit the st. Go to system.
191 00:10:26,765 --> 00:10:30,390
192 00:10:30,390 --> 00:10:34,910 Or maybe just list everything here and see all the--
193 00:10:34,910 --> 00:10:49,110
194 00:10:49,110 --> 00:10:51,870 OK.
195 00:10:51,870 --> 00:10:54,580 All Splunk configuration-related files are here.
196 00:10:54,580 --> 00:11:00,130 And you can read instance config, licenses.
197 00:11:00,130 --> 00:11:05,020 And even you can go to system, cd system.
198 00:11:05,020 --> 00:11:10,215 And you can look at the local, cd local.
199 00:11:10,215 --> 00:11:13,270
200 00:11:13,270 --> 00:11:15,280 And here is your output config.
201 00:11:15,280 --> 00:11:18,920 Where will this universal forwarder send the config?
202 00:11:18,920 --> 00:11:20,510 What does the server config look like?
203 00:11:20,510 --> 00:11:21,950 All that information is here.
204 00:11:21,950 --> 00:11:23,470 But again, as I mentioned, I'm not
205 00:11:23,470 --> 00:11:25,992 going to go deep into this, OK?
206 00:11:25,992 --> 00:11:27,940 So this is up to you.
207 00:11:27,940 --> 00:11:29,440 Now, what we are going to do, we are
208 00:11:29,440 --> 00:11:32,320 going to configure the forwarding rules.
209 00:11:32,320 --> 00:11:38,170 So again, we are going to go to splunkforwarder/bin here.
210 00:11:38,170 --> 00:11:42,910 And let's go back and look at the configuration again.
211 00:11:42,910 --> 00:11:44,930 So this is for installation.
212 00:11:44,930 --> 00:11:47,282 Now, the rule setting, right?
213 00:11:47,282 --> 00:11:48,490 So what are you going to say?
214 00:11:48,490 --> 00:11:53,330 You are going to say sudo ./splunk add forward-server.
215 00:11:53,330 --> 00:11:56,990 And this is the Splunk Enterprise IP address, slash
216 00:11:56,990 --> 00:11:59,610 or colon, and port.
217 00:11:59,610 --> 00:12:04,600 If you remember, we created a receiving port 9997.
218 00:12:04,600 --> 00:12:09,430 So put your Splunk Enterprise IP address colon port number.
219 00:12:09,430 --> 00:12:11,640 Make sure you have the networking
220 00:12:11,640 --> 00:12:16,780 or reachability between forwarder and Enterprise server.
221 00:12:16,780 --> 00:12:19,030 And there is no firewall blocking and other things.
222 00:12:19,030 --> 00:12:24,270 So this is how you will point your universal forwarder
223 00:12:24,270 --> 00:12:25,957 to the Splunk Enterprise server.
224 00:12:25,957 --> 00:12:27,040 Next, what do you want to do?
225 00:12:27,040 --> 00:12:30,490 You want to monitor the data, right?
226 00:12:30,490 --> 00:12:33,880 The data thing, what you want to send to the server.
227 00:12:33,880 --> 00:12:37,500 And for that, we have to do splunk add monitor and then
228 00:12:37,500 --> 00:12:39,040 the file and location.
229 00:12:39,040 --> 00:12:45,420 So here, what I'm doing, I'm sending my ASA logs, which
230 00:12:45,420 --> 00:12:47,370 are coming to the syslog server.
231 00:12:47,370 --> 00:12:52,960 At this folder, I'm going to send this to Splunk Enterprise.
232 00:12:52,960 --> 00:12:55,140 And when you configure these rules,
233 00:12:55,140 --> 00:12:57,400 you may have to restart the Splunk.
234 00:12:57,400 --> 00:13:00,200 And to do that, you can just say splunk restart.
235 00:13:00,200 --> 00:13:00,980 That's it.
236 00:13:00,980 --> 00:13:04,630 You can always come back and check if your forwarder is
237 00:13:04,630 --> 00:13:05,780 active or not.
238 00:13:05,780 --> 00:13:09,667 And if something is wrong, by using this command, OK?
239 00:13:09,667 --> 00:13:12,649
240 00:13:12,649 --> 00:13:15,620 So now let's go back and check our forwarder.
241 00:13:15,620 --> 00:13:26,900
242 00:13:26,900 --> 00:13:27,400 Splunk.
243 00:13:27,400 --> 00:13:30,220
244 00:13:30,220 --> 00:13:33,370 Let's look at the command list forwarder.
245 00:13:33,370 --> 00:13:35,590 You can always do help.
246 00:13:35,590 --> 00:13:37,095 So we are going to say list--
247 00:13:37,095 --> 00:13:41,620
248 00:13:41,620 --> 00:13:48,010 too bad it doesn't do a tab complete, but--
249 00:13:48,010 --> 00:13:50,050 your session is invalid, so you have
250 00:13:50,050 --> 00:13:53,040 to log in to your universal forwarder, OK?
251 00:13:53,040 --> 00:13:54,700 So this is the log-in.
252 00:13:54,700 --> 00:13:56,200 Your username and password, you will
253 00:13:56,200 --> 00:13:59,930 create, while installing the universal forwarder, not
254 00:13:59,930 --> 00:14:03,710 your Enterprise Splunk username and password.
255 00:14:03,710 --> 00:14:07,640 But, for me, both are the same.
256 00:14:07,640 --> 00:14:09,780 I re-use the username and password.
257 00:14:09,780 --> 00:14:12,860 And here you can see, after putting the credentials,
258 00:14:12,860 --> 00:14:15,380 I can see this is my active forwarder, what
259 00:14:15,380 --> 00:14:18,690 I configured using port number.
260 00:14:18,690 --> 00:14:22,230 And is there any inactive forwarder?
261 00:14:22,230 --> 00:14:23,240 No.
262 00:14:23,240 --> 00:14:25,010 So we are good.
263 00:14:25,010 --> 00:14:27,570 So this is how you are going to create the forwarder.
264 00:14:27,570 --> 00:14:31,490 And now let's validate if this data is showing up
265 00:14:31,490 --> 00:14:36,390 or if this forwarder is showing up in Splunk Enterprise or not.
266 00:14:36,390 --> 00:14:39,240 And for that, what you can do, you can go to Dashboard.
267 00:14:39,240 --> 00:14:42,980 Your dashboard may be empty, OK?
268 00:14:42,980 --> 00:14:46,186 So what you can do, you can create a dashboard.
269 00:14:46,186 --> 00:14:48,860
270 00:14:48,860 --> 00:14:51,080 OK.
271 00:14:51,080 --> 00:14:54,160 Let's go back to Search first.
272 00:14:54,160 --> 00:14:57,950 And here you can come and say Data Summary.
273 00:14:57,950 --> 00:15:00,780 A quick way to test your data inputs
274 00:15:00,780 --> 00:15:04,350 is by setting-- click on Data Summary.
275 00:15:04,350 --> 00:15:06,390 Once you click on Data Summary, it
276 00:15:06,390 --> 00:15:08,580 is going to look how many hosts--
277 00:15:08,580 --> 00:15:12,900 that means forwarders-- are talking to this Enterprise
278 00:15:12,900 --> 00:15:13,780 server.
279 00:15:13,780 --> 00:15:16,530 And if you click on that, I have two.
280 00:15:16,530 --> 00:15:22,690 One, which is sending the 121, which is sending [INAUDIBLE].
281 00:15:22,690 --> 00:15:27,550 And that is defined by this naming convention.
282 00:15:27,550 --> 00:15:29,470 And then another is Ubuntu Pi.
283 00:15:29,470 --> 00:15:34,500 So these two data are being sent to the Enterprise server.
284 00:15:34,500 --> 00:15:37,450 Sources, what source are we monitoring?
285 00:15:37,450 --> 00:15:40,110 All those things are listed here.
286 00:15:40,110 --> 00:15:43,270 And source type, it automatically
287 00:15:43,270 --> 00:15:47,190 tries to classify by reading the files by some existing rules
288 00:15:47,190 --> 00:15:49,000 and say these are the source types.
289 00:15:49,000 --> 00:15:53,170 There are various pre-built source types, like ASA.
290 00:15:53,170 --> 00:15:55,450 Not all those pre-built source types are there.
291 00:15:55,450 --> 00:15:59,990 You can also build a custom-built source type.
292 00:15:59,990 --> 00:16:04,320 So let's look at the host and try to load this.
293 00:16:04,320 --> 00:16:10,100 So here, you can see all my var/log/firewall,
294 00:16:10,100 --> 00:16:15,800 the place which we are monitoring on the syslog-ng server.
295 00:16:15,800 --> 00:16:18,500 All these logs started showing here.
296 00:16:18,500 --> 00:16:22,280
297 00:16:22,280 --> 00:16:26,490 And based on these logs here, it has created some selected fields.
298 00:16:26,490 --> 00:16:30,360 You can select those fields and create a new search query.
299 00:16:30,360 --> 00:16:33,080 Right now, it is just searching on the host name.
300 00:16:33,080 --> 00:16:37,550 And you can see all those events nicely getting populated here.
301 00:16:37,550 --> 00:16:39,420 You can go back in timeline--
302 00:16:39,420 --> 00:16:42,800 24 hour, 30 minute, five minute.
303 00:16:42,800 --> 00:16:47,270 Everything you can see.
304 00:16:47,270 --> 00:16:49,620 You can create your own search pattern,
305 00:16:49,620 --> 00:16:52,580 and you can also do some visualization.
306 00:16:52,580 --> 00:17:00,030 And at the same time, you can create a table view.
307 00:17:00,030 --> 00:17:05,530 So different ways of visualization, table format,
308 00:17:05,530 --> 00:17:07,359 bar chart format, and all those things.
309 00:17:07,359 --> 00:17:09,839 But the nice, cool thing about Splunk,
310 00:17:09,839 --> 00:17:13,530 which needs a little bit of education
311 00:17:13,530 --> 00:17:16,810 about Splunk Processing Language, SPL,
312 00:17:16,810 --> 00:17:19,589 so that you can actually use these
313 00:17:19,589 --> 00:17:23,380 logs to create your search query or create a pattern,
314 00:17:23,380 --> 00:17:26,890 so that you can present these logs in a meaningful way.
315 00:17:26,890 --> 00:17:28,560 And that's the end goal, right?
316 00:17:28,560 --> 00:17:30,210 Right now, in today's video, I'm just
317 00:17:30,210 --> 00:17:35,680 going to make you familiar with the Splunk distributed model.
318 00:17:35,680 --> 00:17:36,850 What is a universal forwarder?
319 00:17:36,850 --> 00:17:37,980 What is the Enterprise?
320 00:17:37,980 --> 00:17:41,020 And how you can bring your logs here.
321 00:17:41,020 --> 00:17:46,050 But you can do much more by learning a few tricks
322 00:17:46,050 --> 00:17:47,680 in SPL language.
323 00:17:47,680 --> 00:17:49,260 OK.
324 00:17:49,260 --> 00:17:50,650 What else do I want to show you?
325 00:17:50,650 --> 00:17:52,920 I want to show you--
326 00:17:52,920 --> 00:17:57,480 if you go to the home page, Splunk, here I
327 00:17:57,480 --> 00:17:59,660 created the forwarder instance.
328 00:17:59,660 --> 00:18:01,460 So it's a snapshot.
329 00:18:01,460 --> 00:18:04,270 When I come to the home page, it quickly
330 00:18:04,270 --> 00:18:08,621 gives me a snapshot of my forwarders,
331 00:18:08,621 --> 00:18:10,450 which are the forwarders available,
332 00:18:10,450 --> 00:18:13,280 and what their data pattern looks like.
333 00:18:13,280 --> 00:18:15,730 So, as I mentioned, I have two of them.
334 00:18:15,730 --> 00:18:18,140 And I can load them here.
335 00:18:18,140 --> 00:18:21,170 I can watch their data patterns.
336 00:18:21,170 --> 00:18:24,820 And I can also click on any of these
337 00:18:24,820 --> 00:18:27,890 and see who is my receiver.
338 00:18:27,890 --> 00:18:31,870 So this Windows machine itself is a receiver.
339 00:18:31,870 --> 00:18:34,390 So this is a cool thing to monitor your forwarders,
340 00:18:34,390 --> 00:18:37,960 if they are sending your data in real-time or not.
341 00:18:37,960 --> 00:18:42,610 Finally, if you want to know something about the Splunk
342 00:18:42,610 --> 00:18:46,430 utilization or the Enterprise utilization itself,
343 00:18:46,430 --> 00:18:49,300 so what you can do, you can always go to Monitoring Console
344 00:18:49,300 --> 00:18:53,500 and see here how your Enterprise server is
345 00:18:53,500 --> 00:18:56,330 doing resource-wise right now.
346 00:18:56,330 --> 00:19:00,100 So basically, these are the license usage, disk usage,
347 00:19:00,100 --> 00:19:03,880 CPU usage, and all those things for the Enterprise server.
348 00:19:03,880 --> 00:19:07,290 That means how the server instance installation
349 00:19:07,290 --> 00:19:08,770 is doing health-wise.
350 00:19:08,770 --> 00:19:10,510 Is there any memory pressure?
351 00:19:10,510 --> 00:19:12,480 Is there any CPU pressure?
352 00:19:12,480 --> 00:19:17,970 Are we hitting any license or disk or throughput indexing rate
353 00:19:17,970 --> 00:19:18,880 threshold?
354 00:19:18,880 --> 00:19:21,870 All those things, you can manage from here.
355 00:19:21,870 --> 00:19:22,450 All right.
356 00:19:22,450 --> 00:19:25,890 But mostly, why you come here, if you are not a Splunk
357 00:19:25,890 --> 00:19:27,300 administrator, you will come here
358 00:19:27,300 --> 00:19:29,980 to parse logs for your application.
359 00:19:29,980 --> 00:19:33,990 And for that, mostly, you want to create some search
360 00:19:33,990 --> 00:19:37,830 and reporting, create some cool search indexes,
361 00:19:37,830 --> 00:19:44,262 so that you can find a needle in a haystack.
362 00:19:44,262 --> 00:19:48,120 So with that, I'm going to stop this video.
363 00:19:48,120 --> 00:19:51,360 And I'll continue learning Splunk.
364 00:19:51,360 --> 00:19:53,830 And I hope you will find it interesting also.
365 00:19:53,830 --> 00:19:55,390 So let's continue this journey.
366 00:19:55,390 --> 00:19:57,200 Thank you.
367 00:19:57,200 --> 00:19:59,000