Mastering Splunk: A Beginner's Guide to Big Data Analysis

Edit subtitles

0:00 - 0:01
0:01 - 0:03

Welcome to SDN TechForum.
0:03 - 0:08

So let's continue from our
earlier video, ASA Essential.
0:08 - 0:13

And in ASA Essential, we
did essential configuration,
0:13 - 0:17

like SSH, SNMP, NetFlow, SPAN,
syslog, and packet tracer.
0:17 - 0:21

So now, what happened, this
ASA is sending all the logs
0:21 - 0:23

to a syslog server.
0:23 - 0:26

And in this video, we are
going to start a new topic.
0:26 - 0:30

And that topic is
Fun with Splunk.
0:30 - 0:32

So you may be thinking like,
am I watching old video?
0:32 - 0:35

No, we'll continue
from there and continue
0:35 - 0:38

building up what we did so far.
0:38 - 0:38

OK.
0:38 - 0:42

Fun with Splunk, as you can see.
0:42 - 0:44

What we are going to
do, as a side note,
0:44 - 0:47

I'm going to show
you how to configure
0:47 - 0:53

a syslog-ng server on Ubuntu,
with a Raspberry Pi on laptop.
0:53 - 0:56

And then we will
start with Splunk.
0:56 - 0:57

So what I'm going
to do, I'm going
0:57 - 0:59

to install the Splunk server.
0:59 - 1:02

I'm going to use a
free trial version.
1:02 - 1:06

I'll install it on
a Windows machine.
1:06 - 1:06

All right.
1:06 - 1:12

Then we will have a Splunk
universal forwarder,
1:12 - 1:16

which is a small CPU.
1:16 - 1:19

I mean, it's not very
resource-intensive.
1:19 - 1:24

It's a lightweight agent
setting on the places
1:24 - 1:26

where you have the
data, the data which
1:26 - 1:29

you want to input
to the Splunk server
1:29 - 1:32

so that you can index it,
crunch it, and visualize it.
1:32 - 1:35

So this universal
forwarders, they
1:35 - 1:40

will be sitting on the sources
where we have our data storage,
1:40 - 1:45

and which is generally a
Linux machine or Windows.
1:45 - 1:51

Then I'll show you how to input
data from forwarder-- so what
1:51 - 1:52

rules you need to create.
1:52 - 1:55

And then, finally, we'll come
back to the Splunk Dashboard
1:55 - 1:59

again and see if we can
manage the forwarder status.
1:59 - 2:02

And also, we can crunch
that data, index that data,
2:02 - 2:04

search that data,
all those things.
2:04 - 2:08

So this is not going to be
very Splunk-intensive video,
2:08 - 2:12

but a lightweight good
for you to get started.
2:12 - 2:13

And at the same
time, finally, I'll
2:13 - 2:16

give you some forwarder
troubleshooting tips
2:16 - 2:20

because, many times,
forwarders, once you set up
2:20 - 2:22

the channel, after
some time, you
2:22 - 2:24

may see that forwarder
is not sending data.
2:24 - 2:27

So how to troubleshoot
that, I'll show you that.
2:27 - 2:28

OK.
2:28 - 2:33

So quickly, let's first
review the syslog-ng server
2:33 - 2:35

configuration requirement.
2:35 - 2:38

So this is for a
Linux Ubuntu machine.
2:38 - 2:41

So what you have to
do, you have to get
2:41 - 2:43

apt-get install syslog-ng.
2:43 - 2:48

And then, basically, that will
install the syslog-ng server
2:48 - 2:54

and then validate if it is
listening to port number 514.
2:54 - 2:59

You can also watch
validate the status
2:59 - 3:01

by using sudo services
status syslog-ng.
3:01 - 3:04

So syslog-ng is started.
3:04 - 3:06

It's listening on
port number 514.
3:06 - 3:08

Now what we have to do?
3:08 - 3:09

We already did that.
3:09 - 3:15

Actually, ASA is sending
syslogs to port number 514
3:15 - 3:17

or to this server, all right?
3:17 - 3:19

So I'll show you that.
3:19 - 3:22

And then we will talk about how
to do in universal forwarder
3:22 - 3:22

config.
3:22 - 3:28

But let's first validate
syslog-ng server.
3:28 - 3:31

So this is our ASA.
3:31 - 3:35

Mind it, this is going to be
a little demo-intensive video.
3:35 - 3:38

So please try to
follow along with me.
3:38 - 3:41
3:41 - 3:46

So as you can see, ASA
is sending this logs
3:46 - 3:49

to 192.168.1.22.
3:49 - 3:51

And that is our Ubuntu server.
3:51 - 3:56

All right, I'm going to
show you that IP address.
3:56 - 3:58

IP address is 192.1 in this.
3:58 - 4:12

And let's do netstat grep 514.
4:12 - 4:16

So you can see, this is already
listening on port number 514
4:16 - 4:22

for TCP/UDP and receiving
all the syslog details, OK?
4:22 - 4:28
4:28 - 4:36

Now, it is our turn to
install Splunk forwarder.
4:36 - 4:42

Before we do Splunk forwarding,
let's go to the Splunk website,
4:42 - 4:43

all right?
4:43 - 4:47

So here I am on Splunk website,
and I want free Splunk.
4:47 - 4:53

So I created an account here and
downloaded the Splunk Enterprise
4:53 - 4:56

software, OK?
4:56 - 4:59

Not the cloud one,
the Splunk 8.5,
4:59 - 5:02

which is the current software.
5:02 - 5:05

You can say Free Splunk,
and you can download.
5:05 - 5:08

I already downloaded it, so I'm
not going to download it again.
5:08 - 5:12

As you can see, this is a
60-day free trial for Splunk
5:12 - 5:12

Enterprise.
5:12 - 5:16

This is what I downloaded and
installed on a Windows machine,
5:16 - 5:18

OK?
5:18 - 5:22

So here is your main
Splunk dashboard.
5:22 - 5:25

What we are going to do, we are
going to do a couple of things.
5:25 - 5:31

First is we are going to
make this server listen
5:31 - 5:34

for data stream, right?
5:34 - 5:36

Multiple ways, you can add data.
5:36 - 5:40

Like here, if you
click on Add Data,
5:40 - 5:42

there are multiple options.
5:42 - 5:43

I'm going to skip the tour.
5:43 - 5:47

You can do networking,
you can do OS, and upload.
5:47 - 5:49

You can actually
upload the data.
5:49 - 5:52

So if you have a
compressed file,
5:52 - 5:53

CSV file, you can
actually upload it.
5:53 - 5:56

But that's not
very scalable way.
5:56 - 6:00

We want our data to be
continuously sent as a stream,
6:00 - 6:03

and then Splunk to do
all those indexing so
6:03 - 6:05

that we can run our searches.
6:05 - 6:06

So for that, what
you have to do,
6:06 - 6:10

you have to prepare your Splunk
to listen on certain ports.
6:10 - 6:14

And that is called
receiving here, OK?
6:14 - 6:20

Forwarding and receiving--
configure receiving, OK?
6:20 - 6:22

We don't want to
configure forwarding here
6:22 - 6:25

because we will be
using forwarding agents.
6:25 - 6:28

Only thing is, I want
this Splunk server
6:28 - 6:29

to listen on certain port.
6:29 - 6:33

And that is port
number triple 97, 9997.
6:33 - 6:35

And that's the default
port for Splunk.
6:35 - 6:38

So I kept it default. OK,
that's all you want to do here.
6:38 - 6:44

Now, since this server is
listening on the designated
6:44 - 6:46

port, so now it is
our turn to configure
6:46 - 6:48

the universal forwarder.
6:48 - 6:49

And for that, what
do you have to do?
6:49 - 6:53

You have to download
the forwarder, OK?
6:53 - 6:56

And I'll show you from where
to download the forwarder.
6:56 - 7:02

So you can do sudo wget and
the wget IP on this part
7:02 - 7:05

so that it will get
downloaded to your machine.
7:05 - 7:08

And then what you can do is
you can copy that forwarder,
7:08 - 7:12

what you downloaded, to
a third-party directory
7:12 - 7:13

or a third-party
software directory,
7:13 - 7:17

which is /opt cd plus cp.
7:17 - 7:21

And then whatever you
downloaded, copy it to /opt.
7:21 - 7:24

Then go to that
directory, sudo/opt,
7:24 - 7:29

and do a sudo D package,
which is like a package
7:29 - 7:30

manager for Ubuntu.
7:30 - 7:33

And this is what you have to do.
7:33 - 7:37

You may need ins curl
because it is running
7:37 - 7:39

some background curl checks.
7:39 - 7:42

So make sure you have the
curl utility installed.
7:42 - 7:47

And if not, then you have to
do dpkg-reconfigure again, OK?
7:47 - 7:50

Once you do that, it will
install the software.
7:50 - 7:53

Now, finally, what
you can do, when
7:53 - 7:57

you do a list of
directories, you
7:57 - 8:01

can see there is a directory
created called splunkforwarder.
8:01 - 8:03

Go to splunkforwarder there.
8:03 - 8:05

Under that, go to bin directory.
8:05 - 8:10

And that is the directory where
you can start, stop, or restart
8:10 - 8:13

your Splunk instance,
universal forwarder instance.
8:13 - 8:18

So we are going to go to cd
bin and say sudo splunk start.
8:18 - 8:22

And make sure you accept the
license from command line,
8:22 - 8:22

like this.
8:22 - 8:27

Otherwise, you will have to read
the entire license by pressing
8:27 - 8:29

Page Up and Page Down.
8:29 - 8:32

And, finally, you can validate
the Splunk status check.
8:32 - 8:32

All right.
8:32 - 8:35

So I'm going to show you all
this on the forwarder itself.
8:35 - 8:38
8:38 - 8:40

So let's go.
8:40 - 8:43

As you can see, I downloaded
this forwarder here
8:43 - 8:47

and then parked it to opt.
8:47 - 8:52

And here you can see
Splunk forwarder is there.
8:52 - 8:57

Under Splunk forwarder, we
have lot of directories, right?
8:57 - 9:01

All the local
configuration-related things
9:01 - 9:06

are stored in etc, just like
any Ubuntu Linux system.
9:06 - 9:09

But this is only for
Splunk-related files, all right?
9:09 - 9:13

But right now, we are interested
in checking the status.
9:13 - 9:18

So what you can do, you can
just go to bin directory
9:18 - 9:21

and then do a sudo.
9:21 - 9:27
9:27 - 9:33

So Splunk status.
9:33 - 9:35
9:35 - 9:38

When you install, it will
ask you to create a username
9:38 - 9:39

and password.
9:39 - 9:43

And that's the-- but this is
the sudo username, password.
9:43 - 9:46

OK, Splunk command not found.
9:46 - 9:47

OK, pwd/bin.
9:47 - 9:50
9:50 - 9:52

I am not in the
correct file, OK?
9:52 - 9:53

That is the reason.
9:53 - 9:56

So let me start over.
9:56 - 10:02

I'm going to say
cd/opt/splunkforwarder bin.
10:02 - 10:03

That's it.
10:03 - 10:11

And then Splunk status.
10:11 - 10:14

That's it, Splunk is running.
10:14 - 10:17

So my universal forwarder
is properly installed.
10:17 - 10:21

As I was telling you that
all the configuration files
10:21 - 10:22

are stored in etc.
10:22 - 10:27

So let's quickly revisit
the st. Go to system.
10:27 - 10:30
10:30 - 10:35

Or maybe just list everything
here and see all the--
10:35 - 10:49
10:49 - 10:52

OK.
10:52 - 10:55

All Splunk configuration
related files are here.
10:55 - 11:00

And you can read instance
config, licenses.
11:00 - 11:05

And even you can go
to system, 3D system.
11:05 - 11:10

And you can look at
the local, cd local.
11:10 - 11:13
11:13 - 11:15

And here is your output config.
11:15 - 11:19

Where this universal forwarder
will send the config?
11:19 - 11:21

What is the server
config look like?
11:21 - 11:22

All those information are here.
11:22 - 11:23

But again, as I
mentioned, I'm not
11:23 - 11:26

going to go deep into this, OK?
11:26 - 11:28

So this is up to you.
11:28 - 11:29

Now, what we are
going to do, we are
11:29 - 11:32

going to configure
the forwarding rules.
11:32 - 11:38

So again, we are going to go to
splunk dot forwarder/bin here.
11:38 - 11:43

And let's go back and look
at the configuration again.
11:43 - 11:45

So this is for installation.
11:45 - 11:47

Now, the rule setting, right?
11:47 - 11:48

So what you are going to say?
11:48 - 11:53

You are going to say
sudo/splunk add forward-server.
11:53 - 11:57

And this is the Splunk
Enterprise IP address, slash
11:57 - 12:00

or colon add port.
12:00 - 12:05

If you remember, we created
a receiving port 9997.
12:05 - 12:09

So put your Splunk Enterprise
IP address colon port number.
12:09 - 12:12

Make sure you have
the networking
12:12 - 12:17

or reachability between
forwarder and Enterprise server.
12:17 - 12:19

And there is no firewall
blocking and other things.
12:19 - 12:24

So this is how you will point
your universal forwarder
12:24 - 12:26

to the Splunk Enterprise server.
12:26 - 12:27

Next, what you want to do?
12:27 - 12:30

You want to monitor
the data, right?
12:30 - 12:34

The data thing, what you
want to send to the server.
12:34 - 12:38

And for that, we have to do
splunk add monitor and then
12:38 - 12:39

the file and location.
12:39 - 12:45

So here, what I'm doing, I'm
sending my ASA logs, which
12:45 - 12:47

is coming to the syslog server.
12:47 - 12:53

At this folder, I'm going to
send this to Splunk Enterprise.
12:53 - 12:55

And when you
configure these rules,
12:55 - 12:57

you may have to
restart the Splunk.
12:57 - 13:00

And to do that, you can
just say splunk restart.
13:00 - 13:01

That's it.
13:01 - 13:05

You can come back always and
check if your forwarder is
13:05 - 13:06

active or no.
13:06 - 13:10

And if something is wrong,
by using this command, OK?
13:10 - 13:13
13:13 - 13:16

So now let's go back
and check our forwarder.
13:16 - 13:27
13:27 - 13:27

Splunk.
13:27 - 13:30
13:30 - 13:33

Let's look at the
command list forwarder.
13:33 - 13:36

You can always do help.
13:36 - 13:37

So we are going to say list--
13:37 - 13:42
13:42 - 13:48

too bad it doesn't do
a tab complete, but--
13:48 - 13:50

your session is
invalid, so you have
13:50 - 13:53

to log in to your
universal forwarder, OK?
13:53 - 13:55

So this is the log-in.
13:55 - 13:56

Your username and
password, you will
13:56 - 14:00

create, while installing
the universal forwarder, not
14:00 - 14:04

your Enterprise Splunk
username and password.
14:04 - 14:08

But, for me, both are same.
14:08 - 14:10

I re-use the username
and password.
14:10 - 14:13

And here you can see, after
putting the credentials,
14:13 - 14:15

I can see this is my
active forwarder, what
14:15 - 14:19

I configured using port number.
14:19 - 14:22

And is there any
inactive forwarder?
14:22 - 14:23

No.
14:23 - 14:25

So we are good.
14:25 - 14:28

So this is how you are going
to create the forwarder.
14:28 - 14:31

And now let's validate if
this data is showing up
14:31 - 14:36

or if this forwarder is showing
up in Splunk Enterprise or not.
14:36 - 14:39

And for that, what you can
do, you can go to Dashboard.
14:39 - 14:43

Your dashboard may be empty, OK?
14:43 - 14:46

So what you can do, you
can create a dashboard.
14:46 - 14:49
14:49 - 14:51

OK.
14:51 - 14:54

Let's go back to Search first.
14:54 - 14:58

And here you can come
and say Data Summary.
14:58 - 15:01

A quick way to test
your data inputs
15:01 - 15:04

are by setting--
click on Data Summary.
15:04 - 15:06

Once you click on
Data Summary, it
15:06 - 15:09

is going to look
how many hosts--
15:09 - 15:13

that means forwarder-- is
talking to this Enterprise
15:13 - 15:14

server.
15:14 - 15:17

And if you click on
that, I have two.
15:17 - 15:23

One, which is sending the 121,
which is sending [INAUDIBLE].
15:23 - 15:28

And that is defined by
this naming convention.
15:28 - 15:29

And then another is Ubuntu Pi.
15:29 - 15:34

So these two data are being
sent to Enterprise server.
15:34 - 15:37

Sources, what source
we are monitoring?
15:37 - 15:40

All those things
are listed here.
15:40 - 15:43

And source type,
it automatically
15:43 - 15:47

tries to classify by reading
the files by some existing rules
15:47 - 15:49

and say these are
the source type.
15:49 - 15:53

There are various pre-built
source type, like ASS.
15:53 - 15:55

Not all those pre-built
source type is there.
15:55 - 16:00

You can also build a
custom-built source type.
16:00 - 16:04

So let's look at the host
and try to load this.
16:04 - 16:10

So here, you can see
all my var/log/firewall,
16:10 - 16:16

the place which we are
monitoring on syslog-ng server.
16:16 - 16:18

All these logs
started showing here.
16:18 - 16:22
16:22 - 16:26

And based on these logs here, it
has created some selected field.
16:26 - 16:30

You can select those field
and create a new search query.
16:30 - 16:33

Right now, it is just
searching on the host name.
16:33 - 16:38

And you can see all those events
nicely getting populated here.
16:38 - 16:39

You can go back in timeline--
16:39 - 16:43

24 hour, 30 minute, five minute.
16:43 - 16:47

Everything you can see.
16:47 - 16:50

You can create your
own search pattern,
16:50 - 16:53

and you can also do
some visualization.
16:53 - 17:00

And at the same time, you
can create a table view.
17:00 - 17:06

So different ways of
visualization, table format,
17:06 - 17:07

bar chart format,
and all those things.
17:07 - 17:10

But the nice, cool
thing about Splunk,
17:10 - 17:14

which need a little
bit of education
17:14 - 17:17

about Splunk Processing
Language, SPL,
17:17 - 17:20

so that you can
actually use these
17:20 - 17:23

logs to create your search
query or create a pattern,
17:23 - 17:27

so that you can present these
logs in a meaningful way.
17:27 - 17:29

And that's the end goal, right?
17:29 - 17:30

Right now, in today's
video, I'm just
17:30 - 17:36

going to making you familiar
with Splunk distributed model.
17:36 - 17:37

What is universal forwarder?
17:37 - 17:38

What is the Enterprise?
17:38 - 17:41

And how you can
bring your logs here.
17:41 - 17:46

But you can do much more
by learning a few tricks
17:46 - 17:48

in SPL language.
17:48 - 17:49

OK.
17:49 - 17:51

What else I want to show you?
17:51 - 17:53

I want to show you--
17:53 - 17:57

if you go to the home
page, Splunk, here I
17:57 - 18:00

created the forwarder instance.
18:00 - 18:01

So it's a snapshot.
18:01 - 18:04

When I come to the
home page, it quickly
18:04 - 18:09

gives me a snapshot
of my forwarders,
18:09 - 18:10

which are the
forwarders available,
18:10 - 18:13

and how their data
pattern looks like.
18:13 - 18:16

So, as I mentioned,
I have two of them.
18:16 - 18:18

And I can load them here.
18:18 - 18:21

I can watch their data patterns.
18:21 - 18:25

And I can also click
on any of these
18:25 - 18:28

and see who is my receiver.
18:28 - 18:32

So this Windows machine
itself is a receiver.
18:32 - 18:34

So this is a cool thing
to monitor your forwarder,
18:34 - 18:38

if they are sending your
data in the real-time or not.
18:38 - 18:43

Finally, if you want to know
something about the Splunk
18:43 - 18:46

utilization or the Enterprise
utilization itself,
18:46 - 18:49

so what you can do, you can
always go to Monitoring Console
18:49 - 18:54

and see here how your
Enterprise server is
18:54 - 18:56

doing resource-wise right now.
18:56 - 19:00

So basically, these are the
license usage, disk usage,
19:00 - 19:04

CPU usage, and all those
things for Enterprise server.
19:04 - 19:07

That means how the server
instance installation
19:07 - 19:09

is doing health-wise.
19:09 - 19:11

Is there any memory pressure?
19:11 - 19:12

Is there any CPU pressure?
19:12 - 19:18

Are we hitting any license or
disk or throughput indexing rate
19:18 - 19:19

threshold?
19:19 - 19:22

All those things, you
can manage from here.
19:22 - 19:22

All right.
19:22 - 19:26

But mostly, why you come
here, if you are not a Splunk
19:26 - 19:27

administrator,
you will come here
19:27 - 19:30

to parse log for
your application.
19:30 - 19:34

And for that, mostly, you
want to create some search
19:34 - 19:38

and reporting, create
some cool search indexes,
19:38 - 19:44

so that you can find a
needle in a haystack.
19:44 - 19:48

So with that, I'm going
to stop this video.
19:48 - 19:51

And I'll continue
learning Splunk.
19:51 - 19:54

And I hope you will find
it interesting also.
19:54 - 19:55

So let's continue this journey.
19:55 - 19:57

Thank you.
19:57 - 19:59

Title:: Mastering Splunk: A Beginner's Guide to Big Data Analysis
Description:: more » « less
Video Language:: English
Duration:: 20:00

OE Tech edited English subtitles for Mastering Splunk: A Beginner's Guide to Big Data Analysis

English subtitles

Revisions

Revision 1 Uploaded

OE Tech

Mastering Splunk: A Beginner's Guide to Big Data Analysis

Revisions

Our website uses cookies

Operating cookies (Required)