WEBVTT

00:00:00.000 --> 00:00:01.190

00:00:01.190 --> 00:00:02.580
Welcome to SDN TechForum.

00:00:02.580 --> 00:00:08.400
So let's continue from our earlier video, ASA Essential.

00:00:08.400 --> 00:00:12.830
And in ASA Essential, we did essential configuration,

00:00:12.830 --> 00:00:16.830
like SSH, SNMP, NetFlow, SPAN, syslog, and packet tracer.

00:00:16.830 --> 00:00:21.380
So now, what happened, this ASA is sending all the logs

00:00:21.380 --> 00:00:23.160
to a syslog server.

00:00:23.160 --> 00:00:26.430
And in this video, we are going to start a new topic.

00:00:26.430 --> 00:00:29.770
And that topic is Fun with Splunk.

00:00:29.770 --> 00:00:32.220
So you may be thinking like, am I watching an old video?

00:00:32.220 --> 00:00:34.580
No, we'll continue from there and continue

00:00:34.580 --> 00:00:37.800
building up what we did so far.

00:00:37.800 --> 00:00:38.340
OK.

00:00:38.340 --> 00:00:42.140
Fun with Splunk, as you can see.

00:00:42.140 --> 00:00:44.430
What we are going to do, as a side note,

00:00:44.430 --> 00:00:46.940
I'm going to show you how to configure

00:00:46.940 --> 00:00:52.580
a syslog-ng server on Ubuntu, with a Raspberry Pi on laptop.

00:00:52.580 --> 00:00:55.963
And then we will start with Splunk.

00:00:55.963 --> 00:00:57.380
So what I'm going to do, I'm going

00:00:57.380 --> 00:00:59.400
to install the Splunk server.

00:00:59.400 --> 00:01:02.250
I'm going to use a free trial version.

00:01:02.250 --> 00:01:05.590
I'll install it on a Windows machine.

00:01:05.590 --> 00:01:06.220
All right.

00:01:06.220 --> 00:01:11.920
Then we will have a Splunk universal forwarder,

00:01:11.920 --> 00:01:16.180
which is a small CPU.

00:01:16.180 --> 00:01:18.520
I mean, it's not very resource-intensive.


00:01:18.520 --> 00:01:23.730
It's a lightweight agent sitting on the places

00:01:23.730 --> 00:01:26.460
where you have the data, the data which

00:01:26.460 --> 00:01:28.620
you want to input to the Splunk server

00:01:28.620 --> 00:01:32.280
so that you can index it, crunch it, and visualize it.

00:01:32.280 --> 00:01:35.010
So these universal forwarders, they

00:01:35.010 --> 00:01:40.170
will be sitting on the sources where we have our data storage,

00:01:40.170 --> 00:01:44.550
and which is generally a Linux machine or Windows.

00:01:44.550 --> 00:01:50.910
Then I'll show you how to input data from forwarder-- so what

00:01:50.910 --> 00:01:52.150
rules you need to create.

00:01:52.150 --> 00:01:54.840
And then, finally, we'll come back to the Splunk Dashboard

00:01:54.840 --> 00:01:58.860
again and see if we can manage the forwarder status.

00:01:58.860 --> 00:02:02.270
And also, we can crunch that data, index that data,

00:02:02.270 --> 00:02:03.840
search that data, all those things.

00:02:03.840 --> 00:02:08.039
So this is not going to be a very Splunk-intensive video,

00:02:08.039 --> 00:02:11.830
but a lightweight one, good for you to get started.

00:02:11.830 --> 00:02:13.490
And at the same time, finally, I'll

00:02:13.490 --> 00:02:16.340
give you some forwarder troubleshooting tips

00:02:16.340 --> 00:02:19.970
because, many times, forwarders, once you set up

00:02:19.970 --> 00:02:21.920
the channel, after some time, you

00:02:21.920 --> 00:02:23.910
may see that the forwarder is not sending data.

00:02:23.910 --> 00:02:26.960
So how to troubleshoot that, I'll show you that.

00:02:26.960 --> 00:02:27.860
OK.

00:02:27.860 --> 00:02:32.540
So quickly, let's first review the syslog-ng server

00:02:32.540 --> 00:02:34.782
configuration requirement.

00:02:34.782 --> 00:02:38.040
So this is for a Linux Ubuntu machine.

00:02:38.040 --> 00:02:40.820
So what you have to do, you have to get

00:02:40.820 --> 00:02:43.130
apt-get install syslog-ng.


00:02:43.130 --> 00:02:48.170
And then, basically, that will install the syslog-ng server

00:02:48.170 --> 00:02:54.300
and then validate if it is listening on port number 514.

00:02:54.300 --> 00:02:58.910
You can also validate the status

00:02:58.910 --> 00:03:01.080
by using sudo services status syslog-ng.

00:03:01.080 --> 00:03:03.700
So syslog-ng is started.

00:03:03.700 --> 00:03:06.490
It's listening on port number 514.

00:03:06.490 --> 00:03:07.810
Now what we have to do?

00:03:07.810 --> 00:03:09.190
We already did that.

00:03:09.190 --> 00:03:15.150
Actually, ASA is sending syslogs to port number 514

00:03:15.150 --> 00:03:17.020
or to this server, all right?

00:03:17.020 --> 00:03:18.720
So I'll show you that.

00:03:18.720 --> 00:03:21.810
And then we will talk about how to do the universal forwarder

00:03:21.810 --> 00:03:22.390
config.

00:03:22.390 --> 00:03:27.600
But let's first validate the syslog-ng server.

00:03:27.600 --> 00:03:31.440
So this is our ASA.

00:03:31.440 --> 00:03:35.020
Mind it, this is going to be a little demo-intensive video.

00:03:35.020 --> 00:03:37.805
So please try to follow along with me.

00:03:37.805 --> 00:03:41.250

00:03:41.250 --> 00:03:46.260
So as you can see, ASA is sending these logs

00:03:46.260 --> 00:03:48.760
to 192.168.1.22.

00:03:48.760 --> 00:03:50.790
And that is our Ubuntu server.

00:03:50.790 --> 00:03:55.860
All right, I'm going to show you that IP address.

00:03:55.860 --> 00:03:58.500
IP address is 192.1 in this.

00:03:58.500 --> 00:04:12.040
And let's do netstat grep 514.

00:04:12.040 --> 00:04:15.880
So you can see, this is already listening on port number 514

00:04:15.880 --> 00:04:21.750
for TCP/UDP and receiving all the syslog details, OK?

00:04:21.750 --> 00:04:27.974

00:04:27.974 --> 00:04:36.460
Now, it is our turn to install the Splunk forwarder.

00:04:36.460 --> 00:04:42.260
Before we do Splunk forwarding, let's go to the Splunk website,

00:04:42.260 --> 00:04:42.760
all right?


00:04:42.760 --> 00:04:47.390
So here I am on the Splunk website, and I want free Splunk.

00:04:47.390 --> 00:04:53.140
So I created an account here and downloaded the Splunk Enterprise

00:04:53.140 --> 00:04:56.260
software, OK?

00:04:56.260 --> 00:04:59.360
Not the cloud one, the Splunk 8.5,

00:04:59.360 --> 00:05:02.270
which is the current software.

00:05:02.270 --> 00:05:04.920
You can say Free Splunk, and you can download.

00:05:04.920 --> 00:05:08.330
I already downloaded it, so I'm not going to download it again.

00:05:08.330 --> 00:05:11.570
As you can see, this is a 60-day free trial for Splunk

00:05:11.570 --> 00:05:12.300
Enterprise.

00:05:12.300 --> 00:05:15.890
This is what I downloaded and installed on a Windows machine,

00:05:15.890 --> 00:05:18.320
OK?

00:05:18.320 --> 00:05:21.810
So here is your main Splunk dashboard.

00:05:21.810 --> 00:05:25.070
What we are going to do, we are going to do a couple of things.

00:05:25.070 --> 00:05:30.530
First is we are going to make this server listen

00:05:30.530 --> 00:05:34.430
for a data stream, right?

00:05:34.430 --> 00:05:36.470
Multiple ways, you can add data.

00:05:36.470 --> 00:05:39.590
Like here, if you click on Add Data,

00:05:39.590 --> 00:05:41.540
there are multiple options.

00:05:41.540 --> 00:05:43.080
I'm going to skip the tour.

00:05:43.080 --> 00:05:47.400
You can do networking, you can do OS, and upload.

00:05:47.400 --> 00:05:48.840
You can actually upload the data.

00:05:48.840 --> 00:05:51.530
So if you have a compressed file,

00:05:51.530 --> 00:05:53.270
CSV file, you can actually upload it.

00:05:53.270 --> 00:05:55.520
But that's not a very scalable way.

00:05:55.520 --> 00:06:00.010
We want our data to be continuously sent as a stream,

00:06:00.010 --> 00:06:03.250
and then Splunk to do all that indexing so

00:06:03.250 --> 00:06:04.610
that we can run our searches.


00:06:04.610 --> 00:06:06.040
So for that, what you have to do,

00:06:06.040 --> 00:06:10.070
you have to prepare your Splunk to listen on certain ports.

00:06:10.070 --> 00:06:14.180
And that is called receiving here, OK?

00:06:14.180 --> 00:06:20.440
Forwarding and receiving-- configure receiving, OK?

00:06:20.440 --> 00:06:22.420
We don't want to configure forwarding here

00:06:22.420 --> 00:06:25.150
because we will be using forwarding agents.

00:06:25.150 --> 00:06:27.820
Only thing is, I want this Splunk server

00:06:27.820 --> 00:06:29.390
to listen on a certain port.

00:06:29.390 --> 00:06:33.195
And that is port number triple 97, 9997.

00:06:33.195 --> 00:06:34.820
And that's the default port for Splunk.

00:06:34.820 --> 00:06:38.170
So I kept it default. OK, that's all you want to do here.

00:06:38.170 --> 00:06:43.960
Now, since this server is listening on the designated

00:06:43.960 --> 00:06:46.150
port, so now it is our turn to configure

00:06:46.150 --> 00:06:47.500
the universal forwarder.

00:06:47.500 --> 00:06:49.390
And for that, what do you have to do?

00:06:49.390 --> 00:06:53.300
You have to download the forwarder, OK?

00:06:53.300 --> 00:06:55.670
And I'll show you from where to download the forwarder.

00:06:55.670 --> 00:07:01.550
So you can do sudo wget and the wget IP on this part

00:07:01.550 --> 00:07:04.530
so that it will get downloaded to your machine.

00:07:04.530 --> 00:07:07.850
And then what you can do is you can copy that forwarder,

00:07:07.850 --> 00:07:11.520
what you downloaded, to a third-party directory

00:07:11.520 --> 00:07:13.290
or a third-party software directory,

00:07:13.290 --> 00:07:16.560
which is /opt cd plus cp.

00:07:16.560 --> 00:07:21.080
And then whatever you downloaded, copy it to /opt.

00:07:21.080 --> 00:07:23.840
Then go to that directory, sudo/opt,

00:07:23.840 --> 00:07:28.640
and do a sudo dpkg, which is like a package

00:07:28.640 --> 00:07:29.700
manager for Ubuntu.


00:07:29.700 --> 00:07:32.670
And this is what you have to do.

00:07:32.670 --> 00:07:37.400
You may need to install curl because it is running

00:07:37.400 --> 00:07:38.580
some background curl checks.

00:07:38.580 --> 00:07:42.290
So make sure you have the curl utility installed.

00:07:42.290 --> 00:07:46.830
And if not, then you have to do dpkg-reconfigure again, OK?

00:07:46.830 --> 00:07:50.070
Once you do that, it will install the software.

00:07:50.070 --> 00:07:53.180
Now, finally, what you can do, when

00:07:53.180 --> 00:07:57.050
you do a list of directories, you

00:07:57.050 --> 00:08:01.170
can see there is a directory created called splunkforwarder.

00:08:01.170 --> 00:08:02.760
Go to splunkforwarder there.

00:08:02.760 --> 00:08:05.380
Under that, go to the bin directory.

00:08:05.380 --> 00:08:09.840
And that is the directory where you can start, stop, or restart

00:08:09.840 --> 00:08:13.030
your Splunk instance, universal forwarder instance.

00:08:13.030 --> 00:08:17.740
So we are going to go to cd bin and say sudo splunk start.

00:08:17.740 --> 00:08:21.810
And make sure you accept the license from the command line,

00:08:21.810 --> 00:08:22.450
like this.

00:08:22.450 --> 00:08:26.820
Otherwise, you will have to read the entire license by pressing

00:08:26.820 --> 00:08:29.130
Page Up and Page Down.

00:08:29.130 --> 00:08:31.549
And, finally, you can validate the Splunk status check.

00:08:31.549 --> 00:08:32.049
All right.

00:08:32.049 --> 00:08:35.480
So I'm going to show you all this on the forwarder itself.

00:08:35.480 --> 00:08:38.159

00:08:38.159 --> 00:08:39.659
So let's go.

00:08:39.659 --> 00:08:42.870
As you can see, I downloaded this forwarder here

00:08:42.870 --> 00:08:46.950
and then parked it to opt.

00:08:46.950 --> 00:08:52.200
And here you can see Splunk forwarder is there.

00:08:52.200 --> 00:08:57.150
Under Splunk forwarder, we have a lot of directories, right?


00:08:57.150 --> 00:09:00.980
All the local configuration-related things

00:09:00.980 --> 00:09:05.970
are stored in etc, just like any Ubuntu Linux system.

00:09:05.970 --> 00:09:09.450
But this is only for Splunk-related files, all right?

00:09:09.450 --> 00:09:12.960
But right now, we are interested in checking the status.

00:09:12.960 --> 00:09:18.050
So what you can do, you can just go to the bin directory

00:09:18.050 --> 00:09:20.830
and then do a sudo.

00:09:20.830 --> 00:09:27.140

00:09:27.140 --> 00:09:32.600
So Splunk status.

00:09:32.600 --> 00:09:35.300

00:09:35.300 --> 00:09:37.880
When you install, it will ask you to create a username

00:09:37.880 --> 00:09:38.670
and password.

00:09:38.670 --> 00:09:42.650
And that's the-- but this is the sudo username, password.

00:09:42.650 --> 00:09:45.710
OK, Splunk command not found.

00:09:45.710 --> 00:09:47.090
OK, pwd/bin.

00:09:47.090 --> 00:09:49.850

00:09:49.850 --> 00:09:52.320
I am not in the correct file, OK?

00:09:52.320 --> 00:09:53.310
That is the reason.

00:09:53.310 --> 00:09:55.650
So let me start over.

00:09:55.650 --> 00:10:02.130
I'm going to say cd /opt/splunkforwarder/bin.

00:10:02.130 --> 00:10:03.330
That's it.

00:10:03.330 --> 00:10:11.272
And then Splunk status.

00:10:11.272 --> 00:10:13.500
That's it, Splunk is running.

00:10:13.500 --> 00:10:17.352
So my universal forwarder is properly installed.

00:10:17.352 --> 00:10:20.880
As I was telling you, all the configuration files

00:10:20.880 --> 00:10:22.050
are stored in etc.

00:10:22.050 --> 00:10:26.765
So let's quickly revisit the st. Go to system.

00:10:26.765 --> 00:10:30.390

00:10:30.390 --> 00:10:34.910
Or maybe just list everything here and see all the--

00:10:34.910 --> 00:10:49.110

00:10:49.110 --> 00:10:51.870
OK.

00:10:51.870 --> 00:10:54.580
All Splunk configuration-related files are here.

00:10:54.580 --> 00:11:00.130
And you can read instance config, licenses.


00:11:00.130 --> 00:11:05.020
And even you can go to system, cd system.

00:11:05.020 --> 00:11:10.215
And you can look at the local, cd local.

00:11:10.215 --> 00:11:13.270

00:11:13.270 --> 00:11:15.280
And here is your output config.

00:11:15.280 --> 00:11:18.920
Where will this universal forwarder send the config?

00:11:18.920 --> 00:11:20.510
What does the server config look like?

00:11:20.510 --> 00:11:21.950
All that information is here.

00:11:21.950 --> 00:11:23.470
But again, as I mentioned, I'm not

00:11:23.470 --> 00:11:25.992
going to go deep into this, OK?

00:11:25.992 --> 00:11:27.940
So this is up to you.

00:11:27.940 --> 00:11:29.440
Now, what we are going to do, we are

00:11:29.440 --> 00:11:32.320
going to configure the forwarding rules.

00:11:32.320 --> 00:11:38.170
So again, we are going to go to splunkforwarder/bin here.

00:11:38.170 --> 00:11:42.910
And let's go back and look at the configuration again.

00:11:42.910 --> 00:11:44.930
So this is for installation.

00:11:44.930 --> 00:11:47.282
Now, the rule setting, right?

00:11:47.282 --> 00:11:48.490
So what are you going to say?

00:11:48.490 --> 00:11:53.330
You are going to say sudo/splunk add forward-server.

00:11:53.330 --> 00:11:56.990
And this is the Splunk Enterprise IP address, slash

00:11:56.990 --> 00:11:59.610
or colon add port.

00:11:59.610 --> 00:12:04.600
If you remember, we created a receiving port 9997.

00:12:04.600 --> 00:12:09.430
So put your Splunk Enterprise IP address colon port number.

00:12:09.430 --> 00:12:11.640
Make sure you have the networking

00:12:11.640 --> 00:12:16.780
or reachability between forwarder and Enterprise server.

00:12:16.780 --> 00:12:19.030
And there is no firewall blocking and other things.

00:12:19.030 --> 00:12:24.270
So this is how you will point your universal forwarder

00:12:24.270 --> 00:12:25.957
to the Splunk Enterprise server.

00:12:25.957 --> 00:12:27.040
Next, what do you want to do?


00:12:27.040 --> 00:12:30.490
You want to monitor the data, right?

00:12:30.490 --> 00:12:33.880
The data thing, what you want to send to the server.

00:12:33.880 --> 00:12:37.500
And for that, we have to do splunk add monitor and then

00:12:37.500 --> 00:12:39.040
the file and location.

00:12:39.040 --> 00:12:45.420
So here, what I'm doing, I'm sending my ASA logs, which

00:12:45.420 --> 00:12:47.370
are coming to the syslog server.

00:12:47.370 --> 00:12:52.960
At this folder, I'm going to send this to Splunk Enterprise.

00:12:52.960 --> 00:12:55.140
And when you configure these rules,

00:12:55.140 --> 00:12:57.400
you may have to restart the Splunk.

00:12:57.400 --> 00:13:00.200
And to do that, you can just say splunk restart.

00:13:00.200 --> 00:13:00.980
That's it.

00:13:00.980 --> 00:13:04.630
You can come back always and check if your forwarder is

00:13:04.630 --> 00:13:05.780
active or not.

00:13:05.780 --> 00:13:09.667
And if something is wrong, by using this command, OK?

00:13:09.667 --> 00:13:12.649

00:13:12.649 --> 00:13:15.620
So now let's go back and check our forwarder.

00:13:15.620 --> 00:13:26.900

00:13:26.900 --> 00:13:27.400
Splunk.

00:13:27.400 --> 00:13:30.220

00:13:30.220 --> 00:13:33.370
Let's look at the command list forwarder.

00:13:33.370 --> 00:13:35.590
You can always do help.

00:13:35.590 --> 00:13:37.095
So we are going to say list--

00:13:37.095 --> 00:13:41.620

00:13:41.620 --> 00:13:48.010
too bad it doesn't do a tab complete, but--

00:13:48.010 --> 00:13:50.050
your session is invalid, so you have

00:13:50.050 --> 00:13:53.040
to log in to your universal forwarder, OK?

00:13:53.040 --> 00:13:54.700
So this is the log-in.

00:13:54.700 --> 00:13:56.200
Your username and password, you will

00:13:56.200 --> 00:13:59.930
create, while installing the universal forwarder, not

00:13:59.930 --> 00:14:03.710
your Enterprise Splunk username and password.

00:14:03.710 --> 00:14:07.640
But, for me, both are the same.


00:14:07.640 --> 00:14:09.780
I re-use the username and password.

00:14:09.780 --> 00:14:12.860
And here you can see, after putting the credentials,

00:14:12.860 --> 00:14:15.380
I can see this is my active forwarder, what

00:14:15.380 --> 00:14:18.690
I configured using port number.

00:14:18.690 --> 00:14:22.230
And is there any inactive forwarder?

00:14:22.230 --> 00:14:23.240
No.

00:14:23.240 --> 00:14:25.010
So we are good.

00:14:25.010 --> 00:14:27.570
So this is how you are going to create the forwarder.

00:14:27.570 --> 00:14:31.490
And now let's validate if this data is showing up

00:14:31.490 --> 00:14:36.390
or if this forwarder is showing up in Splunk Enterprise or not.

00:14:36.390 --> 00:14:39.240
And for that, what you can do, you can go to Dashboard.

00:14:39.240 --> 00:14:42.980
Your dashboard may be empty, OK?

00:14:42.980 --> 00:14:46.186
So what you can do, you can create a dashboard.

00:14:46.186 --> 00:14:48.860

00:14:48.860 --> 00:14:51.080
OK.

00:14:51.080 --> 00:14:54.160
Let's go back to Search first.

00:14:54.160 --> 00:14:57.950
And here you can come and say Data Summary.

00:14:57.950 --> 00:15:00.780
A quick way to test your data inputs

00:15:00.780 --> 00:15:04.350
is by setting-- click on Data Summary.

00:15:04.350 --> 00:15:06.390
Once you click on Data Summary, it

00:15:06.390 --> 00:15:08.580
is going to look at how many hosts--

00:15:08.580 --> 00:15:12.900
that means forwarders-- are talking to this Enterprise

00:15:12.900 --> 00:15:13.780
server.

00:15:13.780 --> 00:15:16.530
And if you click on that, I have two.

00:15:16.530 --> 00:15:22.690
One, which is sending the 121, which is sending [INAUDIBLE].

00:15:22.690 --> 00:15:27.550
And that is defined by this naming convention.

00:15:27.550 --> 00:15:29.470
And then another is Ubuntu Pi.

00:15:29.470 --> 00:15:34.500
So these two data are being sent to the Enterprise server.

00:15:34.500 --> 00:15:37.450
Sources, what source are we monitoring?


00:15:37.450 --> 00:15:40.110
All those things are listed here.

00:15:40.110 --> 00:15:43.270
And source type, it automatically

00:15:43.270 --> 00:15:47.190
tries to classify by reading the files by some existing rules

00:15:47.190 --> 00:15:49.000
and say these are the source types.

00:15:49.000 --> 00:15:53.170
There are various pre-built source types, like ASA.

00:15:53.170 --> 00:15:55.450
Not all those pre-built source types are there.

00:15:55.450 --> 00:15:59.990
You can also build a custom-built source type.

00:15:59.990 --> 00:16:04.320
So let's look at the host and try to load this.

00:16:04.320 --> 00:16:10.100
So here, you can see all my var/log/firewall,

00:16:10.100 --> 00:16:15.800
the place which we are monitoring on the syslog-ng server.

00:16:15.800 --> 00:16:18.500
All these logs started showing here.

00:16:18.500 --> 00:16:22.280

00:16:22.280 --> 00:16:26.490
And based on these logs here, it has created some selected fields.

00:16:26.490 --> 00:16:30.360
You can select those fields and create a new search query.

00:16:30.360 --> 00:16:33.080
Right now, it is just searching on the host name.

00:16:33.080 --> 00:16:37.550
And you can see all those events nicely getting populated here.

00:16:37.550 --> 00:16:39.420
You can go back in the timeline--

00:16:39.420 --> 00:16:42.800
24 hours, 30 minutes, five minutes.

00:16:42.800 --> 00:16:47.270
Everything you can see.

00:16:47.270 --> 00:16:49.620
You can create your own search pattern,

00:16:49.620 --> 00:16:52.580
and you can also do some visualization.

00:16:52.580 --> 00:17:00.030
And at the same time, you can create a table view.

00:17:00.030 --> 00:17:05.530
So different ways of visualization, table format,

00:17:05.530 --> 00:17:07.359
bar chart format, and all those things.


00:17:07.359 --> 00:17:09.839
But the nice, cool thing about Splunk,

00:17:09.839 --> 00:17:13.530
which needs a little bit of education

00:17:13.530 --> 00:17:16.810
about Splunk Processing Language, SPL,

00:17:16.810 --> 00:17:19.589
so that you can actually use these

00:17:19.589 --> 00:17:23.380
logs to create your search query or create a pattern,

00:17:23.380 --> 00:17:26.890
so that you can present these logs in a meaningful way.

00:17:26.890 --> 00:17:28.560
And that's the end goal, right?

00:17:28.560 --> 00:17:30.210
Right now, in today's video, I'm just

00:17:30.210 --> 00:17:35.680
going to make you familiar with the Splunk distributed model.

00:17:35.680 --> 00:17:36.850
What is the universal forwarder?

00:17:36.850 --> 00:17:37.980
What is the Enterprise?

00:17:37.980 --> 00:17:41.020
And how you can bring your logs here.

00:17:41.020 --> 00:17:46.050
But you can do much more by learning a few tricks

00:17:46.050 --> 00:17:47.680
in SPL language.

00:17:47.680 --> 00:17:49.260
OK.

00:17:49.260 --> 00:17:50.650
What else do I want to show you?

00:17:50.650 --> 00:17:52.920
I want to show you--

00:17:52.920 --> 00:17:57.480
if you go to the home page, Splunk, here I

00:17:57.480 --> 00:17:59.660
created the forwarder instance.

00:17:59.660 --> 00:18:01.460
So it's a snapshot.

00:18:01.460 --> 00:18:04.270
When I come to the home page, it quickly

00:18:04.270 --> 00:18:08.621
gives me a snapshot of my forwarders,

00:18:08.621 --> 00:18:10.450
which are the forwarders available,

00:18:10.450 --> 00:18:13.280
and what their data pattern looks like.

00:18:13.280 --> 00:18:15.730
So, as I mentioned, I have two of them.

00:18:15.730 --> 00:18:18.140
And I can load them here.

00:18:18.140 --> 00:18:21.170
I can watch their data patterns.

00:18:21.170 --> 00:18:24.820
And I can also click on any of these

00:18:24.820 --> 00:18:27.890
and see who is my receiver.

00:18:27.890 --> 00:18:31.870
So this Windows machine itself is a receiver.


00:18:31.870 --> 00:18:34.390
So this is a cool thing to monitor your forwarders,

00:18:34.390 --> 00:18:37.960
if they are sending your data in real time or not.

00:18:37.960 --> 00:18:42.610
Finally, if you want to know something about the Splunk

00:18:42.610 --> 00:18:46.430
utilization or the Enterprise utilization itself,

00:18:46.430 --> 00:18:49.300
what you can do, you can always go to the Monitoring Console

00:18:49.300 --> 00:18:53.500
and see here how your Enterprise server is

00:18:53.500 --> 00:18:56.330
doing resource-wise right now.

00:18:56.330 --> 00:19:00.100
So basically, these are the license usage, disk usage,

00:19:00.100 --> 00:19:03.880
CPU usage, and all those things for the Enterprise server.

00:19:03.880 --> 00:19:07.290
That means how the server instance installation

00:19:07.290 --> 00:19:08.770
is doing health-wise.

00:19:08.770 --> 00:19:10.510
Is there any memory pressure?

00:19:10.510 --> 00:19:12.480
Is there any CPU pressure?

00:19:12.480 --> 00:19:17.970
Are we hitting any license or disk or throughput indexing rate

00:19:17.970 --> 00:19:18.880
threshold?

00:19:18.880 --> 00:19:21.870
All those things, you can manage from here.

00:19:21.870 --> 00:19:22.450
All right.

00:19:22.450 --> 00:19:25.890
But mostly, why you come here, if you are not a Splunk

00:19:25.890 --> 00:19:27.300
administrator, you will come here

00:19:27.300 --> 00:19:29.980
to parse logs for your application.

00:19:29.980 --> 00:19:33.990
And for that, mostly, you want to create some search

00:19:33.990 --> 00:19:37.830
and reporting, create some cool search indexes,

00:19:37.830 --> 00:19:44.262
so that you can find a needle in a haystack.

00:19:44.262 --> 00:19:48.120
So with that, I'm going to stop this video.

00:19:48.120 --> 00:19:51.360
And I'll continue learning Splunk.

00:19:51.360 --> 00:19:53.830
And I hope you will find it interesting also.

00:19:53.830 --> 00:19:55.390
So let's continue this journey.

00:19:55.390 --> 00:19:57.200
Thank you.

00:19:57.200 --> 00:19:59.000