Pass Splunk SPLK-1002 Exam in First Attempt Easily
- Premium File: 188 Questions & Answers (Last Update: Nov 25, 2024)
- Training Course: 187 Lectures
- Study Guide: 879 Pages
Splunk SPLK-1002 Practice Test Questions, Splunk SPLK-1002 Exam dumps
Introduction
1. Introduction
This module is designed for complete beginners who are totally new to Splunk. This course should be able to give you a fair understanding of Splunk and its products, as well as the huge benefit of having Splunk in your organization. So let's get on with it.
Introduction to Splunk Enterprise
1. What is Splunk?
The first step in this module is to understand what Splunk really is. Some of the following points come up often when reading about Splunk on a blog or discussing it with colleagues. The first is that some people call it a log management or log collection tool. Yes, it can be that: it can collect logs and manage them as per organisational policy. But that is not all. Another common point is that it is an IT monitoring tool or application performance monitoring tool. If you ask me, yes, of course it is a monitoring tool. It can monitor your CPU, RAM, hardware usage, etc., which is what any typical monitoring tool does, and it can also alert you based on threshold conditions that you specify as part of your alerts. As far as application monitoring is concerned, it can keep track of JVM heap size, request response times, website status, thread locks, thread usage by applications, and so on. So to conclude, yes, Splunk can be used as a monitoring tool for IT or infrastructure, and it can also monitor your applications' performance.
The next point is the Big Data domain, where Splunk has been projected as a Big Data analysis platform and has been seen adding great value by getting the most out of the data available inside the organisation. It has also been used to get business intelligence insights such as cost per click, views per page, advertisement revenue, and the impact of campaigns run on social media like Facebook, Instagram, or LinkedIn. A further example is identifying the sources of traffic, which might be social media, search engines, or other third-party sites on the internet.
Moving on to our next point: SIEM stands for Security Information and Event Management, which is used as part of the SOC in most organisations and plays a vital role in securing them. Since Splunk can be used in security, it also has a position as a next-generation SIEM solution. It is a major competitor to traditional SIEMs like IBM QRadar, HP ArcSight, LogRhythm, etc. This vertical is the most active as of now, in terms of growth, revenue improvements, and the innovations that are happening at this time. The next point, from Splunk's own perspective, is "operational intelligence," a term coined by Splunk itself as a tagline for its product, which refers to all the points we have discussed so far and many more. If you ask me what Splunk is, I would simply say it is like Google for your organization: all of your organization's data is fed into Splunk, indexed, and stored there, so that you can write a search like you would in Google or any other search engine whenever you need it. You'll get information that is specific to your organization, drawn from all the data that has been fed to Splunk, and if you know how to search, it will be like a mini Google for your organisation where you can find quick solutions, get value out of your data, and troubleshoot any issues inside your organization.
2. Products of Splunk: Splunk Light
Now we know what Splunk is. Let us look at some of the products it offers to enhance the performance and efficiency of our day-to-day activities and get more value out of the existing data in our organization. The first product in Splunk's portfolio is called Splunk Light, which is a small or limited version of the product Splunk Enterprise. Splunk Light can be used by individuals or small companies for analysing their data by uploading or forwarding it to Splunk Light, which is hosted in the cloud environment of Splunk. Frankly speaking, using Splunk Light feels like being handed a Nokia phone in this generation of smartphones. Splunk Light can do the basic functions of analysing and parsing data, but it has a lot of limitations when compared to the enterprise version. So now let's see what Splunk Light looks like. If you go to Google and search for Splunk Light, you'll see some images; this is how Splunk Light appears. When you register for a Splunk Light version, it costs you around $25 per month. I believe when you register on the Splunk portal, you have to pay by credit card. You'll get a URL with credentials where you can log in, upload your data or forward data to that instance, and start searching and analysing your data. That is all about Splunk Light.
3. Products of Splunk: Splunk Cloud
The next product Splunk has to offer is Splunk Cloud. This is a significantly improved version of Splunk Light that is comparable to the Splunk Enterprise version in what is available to Splunk users. The only difference between Splunk Cloud and Splunk Enterprise is that Splunk Cloud is hosted and completely managed by Splunk itself. Since it is managed and indexed in a Splunk environment, your data will be safe and your environment will be much more stable: they are the product owners, they know their product in and out, and they manage it very well. With Splunk Cloud, you get a URL once you are enrolled, and a couple of certificates are sent to you so that the data from your organisation is sent to Splunk Cloud, where you are using Splunk Enterprise Cloud, over an encrypted channel. This data is parsed and stored inside Splunk Cloud. As a user of this cloud instance, you get a URL and a support contract with Splunk. The URL is your search head, where you log in and create reports, alerts, dashboards, and all the things you typically do with Splunk. The support is for cases such as slowness issues with your Splunk or something breaking in the application: you can raise an incident and contact support to troubleshoot or fix the issues on Splunk Cloud.
4. Products of Splunk: Splunk Enterprise
Now, the third product of Splunk is Splunk Enterprise. Splunk Enterprise is a software package, and to be clear, Splunk does not have any hardware; it is a complete software package. Splunk Enterprise is the flagship product; it has been around since the beginning, and all other products were built around this package. With the Splunk Cloud and Splunk Light versions, you get a URL once you have purchased or enrolled, and that's it: everything is accessed through the Splunk URL that has been shared with you. The Splunk Enterprise package, by contrast, is a software package that can be downloaded and installed in your environment, either in the cloud, on virtual infrastructure, or on a physical server. As a Splunk admin or architect, you will have full Splunk functionality with the Splunk Enterprise package. As for the difference between Splunk Enterprise and Splunk Cloud: Splunk Cloud is hosted in the Splunk environment itself. It is owned by Splunk.com and completely managed by Splunk.com. You'll be utilising their cloud service, and your data should be sent to their cloud. Of course, it will be over SSL, and any config changes should be requested by you through a support portal, and they will be handled as per the incident management SLA agreements with Splunk. Splunk Enterprise, which is implemented in your organization, will give you full control over your configuration changes and customization, so you will have more control compared to Splunk Cloud. Splunk Cloud also has a default retention policy, like 30, 60, or 90 days of storing your data, which comes as part of your initial package. If you want to store data for a longer duration, you have to pay more because of the storage cost, whereas with Splunk Enterprise, retention can be decided based on how much storage is available for Splunk in your organization.
We are clear with Splunk Light, Splunk Cloud, and Splunk Enterprise. Let's move on to the next product.
5. Products of Splunk: Hunk & Premium Apps
The next product in our list is Hunk, which is nothing but Splunk used to search in a Hadoop data environment. As of now, this product has been merged into the Splunk Enterprise package itself. Hunk was the earlier term for searching Hadoop data environments or using Splunk in Hadoop data environments.
The premium apps are the final product of this module. They are also known as the "Premium Solutions" offered by Splunk: apps that add value to the organisation, have been commercialised by Splunk, and have official support, which makes them more convenient to use and get help with. The concept of apps in Splunk is similar to apps that you download from the App Store or Play Store. For example, if you want your phone to scan a piece of paper, you download a scanner app from the Play Store or App Store. Similarly, if you want to make your Splunk act as a SIEM solution, you can download an app that is completely focused on security and gives your Splunk the ability to analyse security data from day one. That first premium app is Enterprise Security, which can also be referred to as the SIEM solution. The next premium app on the list is ITSI, which is widely used for gaining insight into the complete infrastructure and service availability, along with many other features included in the package, and generates significant value for teams or organizations right from the time of installation. The third app on our list is UBA, which stands for User Behavior Analytics. It focuses on insider threats to the organisation by profiling users through monitoring their activity and alerting or flagging if anything suspicious is discovered. This is a great app to consider for many industries, considering the threat of malicious intent by an employee, which can impact the company and also its customers.
The next one is PCI, which stands for Payment Card Industry. These are the Payment Card Industry standards, and any company that handles credit or debit card information must adhere to them. This app is used to check adherence to the PCI standards and flag any policies that have been violated in the organization or that are not implemented as per the PCI standards. It can be a single point of monitoring for your complete organization's PCI compliance status, which gives you insight into problems and can assist in fixing them to comply with the PCI standards. A few more premium apps are MS Exchange and VMware. The MS Exchange app is used to measure the health of your Exchange infrastructure and monitor it for any errors or warnings. The VMware app is used to monitor the performance and availability of the whole environment that is running VMware. There are a few more apps, like Fraud Analytics, which is used widely to detect financial fraud such as money laundering, transaction fraud, et cetera. So to conclude, these apps sold by Splunk are called premium solutions or premium apps. All of these features can, however, be built and customised in-house by your Splunk engineer, Splunk admin, or Splunk architect, but it requires a lot of time and effort. Purchasing them gives you all the rules, dashboards, reports, and alerts predefined and customized as per best practices and the commonly used methods of the respective industry standards.
6. Components of Splunk: Search Head
In our previous modules, we understood what Splunk is and what products it has to offer. Now we will narrow our topic down to just Splunk Enterprise, which is the core product of Splunk. Once you have mastered Splunk Enterprise, you can play around with the other products, which are built around it. From now on, for simplicity's sake, I'll use just "Splunk" to refer to Splunk Enterprise. Our next topic in our journey to becoming a Splunk master is to understand the different components of Splunk. There are many components. The first in our list is the Splunk search head, which is where the visualisation part of Splunk is carried out. The search head is the fanciest of all the components, since all the dashboards, reports, charts, and alerts are configured and viewed on the search head. To define it: the search head is a component of Splunk that offers a web interface to visualise and query the data for reporting, alerting, or creating dashboards in Splunk.
7. Components of Splunk: Indexer
Moving on, the next component of Splunk is the indexer, which is the core component of any Splunk installation. The indexer does all the heavy lifting in a Splunk environment, and it is the place where all the data is stored in Splunk. The more efficient your indexer, the better your Splunk environment's health will be. To define an indexer: it is a component of Splunk where the data is parsed and stored. When I say "parse," I mean the breaking down of events into smaller, manageable pieces by Splunk. The role of the indexer is to parse data and store data inside Splunk. This stored data is what all the queries run by the search heads, for fetching reports or creating alerts, are run against, and the results are sent back to the search head for visualisation or for sending out via email.
8. Components of Splunk: Universal Forwarder
The third component of Splunk in our list is the universal forwarder, which is also referred to as a Splunk agent. Universal forwarders are used to collect data from remote data sources. When I say remote data sources, it can be anything that is holding data: a flat file, log files, scripts, database logs, web server logs, or any remote machine that has data. We can install a universal forwarder to fetch that data and feed it to our Splunk environment for further processing. The universal forwarder is a lightweight package. All it can do is fetch the data and send it to other Splunk instances. It can also run scripts to collect data on local or remote machines. Installing a universal forwarder is highly recommended for fetching data from remote machines. It has very little CPU and RAM overhead, which is negligible when compared to other processes. To define a universal forwarder: it is a lightweight component of Splunk that fetches data from flat files or scripts and sends it to other components of Splunk for further processing up the chain.
9. Components of Splunk: Heavy Forwarder
The next component is the heavy forwarder. As the name suggests, this is a heavy instance. It requires its own infrastructure to operate, and when compared with the universal forwarder, it has additional capabilities for parsing and storing the data. But on a heavy forwarder, it is highly recommended not to store any data, because it would be a duplication, since your indexer is also storing the data, and it comes with the added cost of storage on the heavy forwarder. The heavy forwarder parses the data and sends it to the indexer. The parsing process involves masking your data and filtering out noise from the logs. When we say "parsing," it is the breaking down of events into smaller, manageable pieces. So it helps improve indexer performance by decreasing the parsing load on the indexer. The heavy forwarder is usually an optional component for small and medium enterprises. The Splunk administrator or architect will decide whether or not to use one. Having a heavy forwarder gives you the following benefits: masking of the data, filtering of the noise, and reducing load on the indexer. All this can be done on the indexer itself, but it comes with additional processing cost on the indexer. Always remember, if your indexer performance is good, your overall Splunk performance will be good. So in order to improve performance on the indexer, we can have the heavy forwarder do the masking and filtering to reduce the parsing load on the indexer. We can always have a heavy forwarder, but it remains optional. It is good to evaluate the option of having heavy forwarders in any environment.
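The masking and noise filtering described above are configured on the heavy forwarder in `props.conf` and `transforms.conf`. The following is an added example, not part of the original course material; the sourcetype `acme:payments`, the `card=` field format, and the stanza name `drop_debug_events` are assumptions chosen for illustration.

```ini
# ---- props.conf (on the heavy forwarder) ----
# Sourcetype name is hypothetical; use the sourcetype of your own data.
[acme:payments]
# Masking: rewrite the raw event at parse time so only the last four digits
# of a 16-digit card number are ever forwarded and indexed.
# Constructed sample event:
#   2024-01-01 10:00:00 INFO  txn=42 card=4111111111111111 status=ok
# is forwarded as:
#   2024-01-01 10:00:00 INFO  txn=42 card=XXXXXXXXXXXX1111 status=ok
SEDCMD-mask_card = s/card=\d{12}(\d{4})/card=XXXXXXXXXXXX\1/g
# Filtering: hand every event of this sourcetype to the transform below.
TRANSFORMS-drop_noise = drop_debug_events

# ---- transforms.conf (on the heavy forwarder) ----
# Stanza name is hypothetical; it only has to match the reference in props.conf.
[drop_debug_events]
# Events whose raw text matches this regex are treated as noise...
REGEX = \sDEBUG\s
# ...and routed to the null queue, so they are discarded before they reach
# the indexer and do not count against licence volume.
DEST_KEY = queue
FORMAT = nullQueue
```

Because these are parse-time settings, they take effect on the first full Splunk Enterprise instance the data passes through; a universal forwarder does not apply them.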
10. Components of Splunk: Deployment Server
Moving on to our next component: the License Manager, which is an optional component that keeps track of licence utilisation inside the organization. It has very limited functionality and is dedicated only to dealing with Splunk's licensing. It interacts with your indexers, search heads, and indexer clusters, even multisite indexers, collects information about the data processed per day, and keeps track of your licence utilization. Whenever utilization reaches a threshold, it can alert you by sending an email or creating a ticket. Because of its limited role, you will often see in many organisations that the License Manager is clubbed with either the search head or the indexer, since these components can also be made to act as a licence manager. You'll see this in future parts of our tutorial, when we build our own enterprise-level, multisite, highly available indexer cluster environment of Splunk on Amazon AWS Cloud. As part of this tutorial, we will be making one of the components of Splunk a licence manager.
Moving on, the next component in our discussion is the Deployment Server, which is another optional component for small and medium organisations, but for large deployments of Splunk, the Deployment Server is a must. If a deployment server is not installed in a large organization, it will be a nightmare to roll out any changes to the Splunk components, because you would have to manually log into each Splunk component to update its configuration. The Deployment Server can be defined as a central point of management for your entire Splunk infrastructure. Changes to forwarders, indexers, search heads, licence managers, and all other Splunk deployment components can be managed by the deployment server.
11. Components of Splunk: Cluster Master
The final component of our discussion is the cluster master. The cluster master is responsible for managing the cluster, replicating the data, and monitoring the health of the Splunk cluster. Whether your indexer cluster is single-site or multisite, it will be monitored by your cluster master. The cluster master is present and used only in Splunk cluster environments, which can be either a single-site or a multisite indexer cluster. It is the role of the cluster master to manage the replication of the data, monitor the status of the cluster, and alert if something breaks between the clusters.
12. Splunk Package Downloads: Part 1
Since this is an introduction to Splunk, we have gone through lots of theoretical material so far. Now let us do an activity and see how to download Splunk. As we learned in our previous lectures, there are many components of Splunk. Do we need to download all of them? The answer is no. For any installation of Splunk, all we have to do is download two packages. One is Splunk Enterprise. The second is the Universal Forwarder, also referred to as a Splunk agent. Splunk Enterprise is the core product, and this package can be used to install any component of Splunk, whereas the Universal Forwarder is the agent used to collect data from remote machines. Now let's proceed to download these packages. To download the Splunk Enterprise package, click on the link provided or visit splunk.com. When you visit splunk.com, you can see a "Free Splunk" icon, which you click. It will ask you to fill out a registration form, which you can complete with your personal ID or official ID if you don't already have a Splunk account. Since I already have my ID, I'll click on login. Once the login page is loaded, let me enter my credentials. Once you've successfully registered or logged in, you'll see two products that you can download: first, Splunk Enterprise; second, Splunk Cloud. From our previous lectures, we already know the difference between Splunk Cloud and Splunk Enterprise. Throughout this course, we will be dealing only with Splunk Enterprise, which is a software package that can be downloaded and installed in our own environment. This is what happens when we log in from splunk.com. If you click on the direct link, you land directly on this page, where clicking "Free Download" will again ask you to log in if you're not logged in; if you have already logged in, it will redirect you to the download page. The same happens here: if I click on "Free Download," it directs me to choose the flavour of OS on which I need Splunk Enterprise installed.
Now we have this page, with some informational items displayed on it. Let's go through them. First, as of today, the latest Splunk version is Splunk 6.6.2. By default, whenever you download a Splunk package, you get a free licence of 500 MB per day. You might think that is enough data for trying out, understanding, or learning Splunk. Yes, it is sufficient. But once you realise the potential of Splunk, you'll see that 500 MB is not sufficient at all. The 500 MB licence is free of charge, comes as part of the installation package, and can be used for 60 days. After 60 days, once the licence has expired, you will not be able to run any search on your Splunk instance, including reports, dashboards, or alerts. Further down the page you have the Windows version of Splunk, and the Linux, Solaris, and Mac versions. Throughout this course, we'll be completely focusing on installing Splunk on the Red Hat Linux platform, or CentOS.
13. Splunk Package Downloads: Part 2
In a production environment, Splunk Enterprise is highly recommended to run on the Linux platform because of the performance and also the file system, which can respond much faster than a Windows file system. On Windows, I've seen a couple of environments where Splunk has been installed, and they were not able to keep it up and running for a good amount of time because the CPU was stuck at 100% almost all the time. Each search you make takes forever to run. For medium- to large-scale deployments, installing Splunk on Windows is probably not a good idea. For Linux, we will be using RPM packages on Red Hat Linux throughout this course, and we will be building our own enterprise-level multisite deployment with high availability and multisite index clustering on Amazon AWS. There are also Solaris and macOS versions. These are Splunk's Enterprise packages, and they are close to 200 MB. So let's go and download our Red Hat RPM package. If you are using any other version of Linux, you can download the TGZ. If your OS is a Debian flavour, you can download the deb package and install Splunk. We'll download an RPM package; once you click on download, it should download without any issues. If you want to download directly onto your server, which is our Red Hat Linux machine, you can use the wget command shown on the download page. I have copied the wget command, and I'll log into my demo Splunk instance, which as of now is on Amazon AWS. Now we have logged into our AWS console, so let me bring up my demo Splunk instance. We have downloaded the Splunk package to our local system, and we could upload it using any file transfer software such as FileZilla, WinSCP, FTP, or similar. However, there is a better option: download the Splunk package directly onto your Splunk machine. Once my instance is up, I can log in, paste this command, and hit Enter. The Splunk package will be downloaded directly into our environment.
Let's log into our AWS instance with our private key, and let me log into my Splunk account. Now we're in our Splunk account, and there are no files. I'll copy the same command that was given during the download and hit Enter. As you can see, the Splunk package is now directly on the server where we need to install Splunk. Now that we are done with that, let's proceed.
Vijaya Kumar Gunti
Sep 3, 2024, 03:39 AM
thanks