Module 1 - Deploying Splunk Flashcards
Four stages of Splunk
- Input any text data
- Parse the data into events
- Index and store events
- Search and report
Deployment types
- Single server. Good for tests and development
- Single server with inputs (forwarders). Forwarders installed at data source
- Distributed non-clustered. Collection tier: universal and heavy forwarders, other inputs. Indexing tier: multiple indexers. Search tier: search head
- Distributed non-clustered with central management. Same as 3 but also includes license manager, monitoring console and deployment server as separate components
- Clustered environment. Search head clustering: replicates knowledge objects. Indexer clustering: replicates data across indexers; single-site or multi-site; allows balancing of growth, speed of recovery and disk usage
Deployment server purpose
Manages forwarders
Cluster environment licensing
Doesn’t require additional licenses
Cluster environment components
Search head cluster
Indexer cluster
Forwarders
License manager
Monitoring console
Cluster manager
SHC (search head cluster) deployer
Deployment server
Splunk enterprise packages
Splunk enterprise package includes all components
Universal forwarder package includes forwarder client
Server HW requirements for indexer
12-48 CPU cores or 24-96 vCPU
12-128GB RAM
Disk capable of at least 800 IOPS
SSD for hot/warm buckets
Server HW requirements for search head
16 CPU cores or 32 vCPU
12GB RAM
2 x 10K RPM 300GB SAS drives, or better
Default network ports - Splunk Enterprise
splunkd - 8089
Web server - 8000
Web app server proxy - 8065
KV store - 8191
No default ports for S2S receiving ports, any network/http input, index replication ports, search replication ports
Default network ports - Universal Forwarder
splunkd - 8089
No default for any network/HTTP input
No other components present on UF
How to view resource limits
ulimit -a
Best practice parameters on search heads and indexers
File descriptors (ulimit -n) >= 64k, based on buckets and searches
Max user processes (ulimit -u) >= 16k, based on forwarders / concurrent searches
NTP on Splunk
Enable; best practice
Splunk user requirements
Avoid running as root (*NIX) or Administrator (Windows). The Splunk user must be able to:
- Read files and directories configured for monitoring by Splunk (*NIX: /var/log is not typically open to non-root accounts)
- Write to the Splunk Enterprise directory (SPLUNK_HOME)
- Execute any scripts required (alerts or scripted inputs)
- Bind to the network ports Splunk is listening on (*NIX: non-root accounts cannot bind to reserved ports, i.e. < 1024)
Start Splunk automatically on Linux
Enable boot-start manually
Start Splunk automatically on Windows
Started automatically by default
Installing Splunk on Linux
tar zxvf splunk_package.tgz -C /opt
Splunk directory structure
SPLUNK_HOME
Linux - /opt/splunk
Windows - C:\Program Files\Splunk
/opt/splunk/bin - contains executables
/opt/splunk/etc - configuration and licenses
/opt/splunk/var/lib/splunk - indexes
What is SPLUNK_HOME
/opt/splunk
What is SPLUNK_DB
/opt/splunk/var/lib/splunk
Running Splunk at boot
Linux - run after installation
splunk enable boot-start -user username -systemd-managed 1
Windows - by default the services are set to auto-start: splunkd and splunkweb
splunkd
Runs on 8089 by default
Spawns and controls all Splunk processes: Splunk Web proxy, KV store, introspection services, all searches, scripted inputs and scripted alerts
Handles access, processing and indexing of incoming data
Handles all searches and displays results
View splunkd status from CLI
splunk status
Splunk Web
Web UI
Provides the front end for splunkd
http://x.x.x.x:8000