Splunk Basics Flashcards
(33 cards)
After installation what does a machine contain?
Splunk Instance
What can a Splunk Instance be configured into?
One or more Splunk Components
Types of processing components
Indexers
Forwarders
Search Heads
Types of management components
Deployment Server
Indexer Cluster manager
Search head cluster deployer
License Manager
Monitor console
Forwarder(s)
Install on host
Configure to collect and send data to a Splunk indexer
Universal Forwarder - main function is to collect and send data.
Heavy Forwarder - can parse and make changes before forwarding.
Indexer
Splits the data into fields and parses it; can also assign metadata.
Writes the data to repositories known as INDEXES.
Buckets
repositories containing files with indexed data.
When data is written it is to a HOT bucket.
When searching data it can be to the hot, warm, and cold bucket.
Archived buckets are frozen and need to be thawed.
Indexer Cluster
Group indexers together to provide data replication
Cluster manager manages the cluster
Bucket definitions
Hot - Data that is actively being written to (Can have multiple per index)
Warm - When a hot bucket fills up or when Splunk is restarted it rolls to warm.
Cold - When index size limit is reached warm rolls to cold.
Frozen - After aging out, data is rolled to frozen. Not searchable. By default frozen data is deleted, but you can choose to archive it.
Search Heads
Search management and presentation from indexers
Search Head cluster - group of search heads with identical config
Cluster Captain
One of the search heads in cluster
Coordinates search jobs and replication
Failover management: if the captain fails, another is auto-elected
Search Head Cluster Deployer
Pushes configuration bundles (apps and settings) to search heads
Deployment Server
Distributes content, configuration, and apps to other groups of Splunk Instances (deployment clients: indexers, search heads, and forwarders not in a cluster)
Mostly used to distribute apps to forwarders.
Forwarder management
a GUI that manages your deployment server.
Accessible through Web UI
Splunk Licensing
Volume based - volume of data indexed per day
Infrastructure based - Resource (vCPU) usage across deployment
license manager
Host licenses and assigns license volume to Splunk components (License peers)
Can create license pools from licenses added together (Stacks)
License Peers
Any Splunk instance (indexer, heavy forwarder, etc.) that uses a license and reports usage to the license master
License Master
Manages and enforces the license
Monitoring Console
Used to view topology and performance information about deployment
Monitoring dashboards use data from Splunk internal logs
Splunk Enterprise Installation Requirements
Default OS - Windows, Linux, and MacOS
Machine types: laptop, server, VM, container
Packages: Trial license, universal forwarder package
Need Splunk account
Limits on Trial License
Up to 500 MB / day
60 days for features like authentication, alerting, indexing clustering
Splunk Web UI
Primary way to use and administer Splunk
Splunk CLI
Configuration files (the other two ways change these, but you can directly edit them as well)
Splunk User Roles
User - Run searches, use dashboards & reports, save personal searches/reports
Power - Can create alerts, tag events, use workflow actions, reassign knowledge objects they own
Admin - Edit system settings, manage indexes and data inputs, manage users and roles, install and manage apps, manage KO across all users
Knowledge objects
Reports, Alerts, Dashboards, data models, etc