SPLK-1002: Splunk Core Certified Power User Certification Video Training Course Outline
Introduction
Introduction to Splunk Enterprise
Designing Splunk Architecture
Installation and Configuration o...
Splunk Post Installation Activit...
Splunk Inbuilt & Advanced Vi...
Splunk Apps And Add-On's
Forwarder Management And User Ma...
Splunk Indexer And Search Head C...
Splunk Advanced Concepts
Building Splunk Enterprise Archi...
Splunk Use Cases Of All Industries
Congrats: Completion of the Course
SPLK-1002: Splunk Core Certified Power User Certification Video Training Course Info
Gain in-depth knowledge for passing your exam with Exam-Labs SPLK-1002: Splunk Core Certified Power User certification video training course. The most trusted and reliable name for studying and passing with VCE files which include Splunk SPLK-1002 practice test questions and answers, study guide and exam practice test questions. Unlike any other SPLK-1002: Splunk Core Certified Power User video training course for your certification exam.
Introduction to Splunk Enterprise
15. Splunk Package Downloads: Part 3
Previously we downloaded Splunk Enterprise onto our local machine and onto the cloud machine where we will install it. Now let's see how to download the Universal Forwarder. You can either click the link in the document directly or search for "Splunk Universal Forwarder"; the first result should be the download page. If you click the link in the document, it takes you to this page. If you have not registered, register; if you have registered, log in; if you are already logged in, refresh the page. Since I'm already logged in I'll just refresh, and I can see the download links for the Universal Forwarder. As of today the latest version available is 6.6.2. There are more variants here than for the Splunk Enterprise package: Enterprise came in just four flavours (Windows, Linux, Solaris and macOS), whereas the Universal Forwarder has three more, because the remote data source can be anything: a Windows machine, a Linux machine of any distribution, a Solaris machine, a Mac, or HP-UX and AIX servers. The Universal Forwarder is also a lightweight package, roughly a third the size of Splunk Enterprise: the Enterprise package was close to 220 MB, this one is about 54 MB. It is light on CPU and memory compared with other processes on the host, so it sits on remote machines without affecting their performance. For this tutorial we'll download the Windows package, since we'll be installing the Windows forwarder to fetch data from a Windows machine.
As with Enterprise, there is a command-line (wget) option you can copy, or you can wait for the browser download to finish and then copy the installer to every Windows machine where you want the Universal Forwarder. Before you distribute it, compare the file's hash against the checksum Splunk publishes next to the download link, so you are not pushing a tampered installer to every host.
16. Splunk Add on and Application downloads
In previous lectures we saw that apps can be added to Splunk and that they add a lot of value to an installation. Let's see how to download some of them. You can click the links provided in this document, or go directly to apps.splunk.com or splunkbase.splunk.com. Either way you land on Splunkbase, where Splunk hosts a large number of apps categorised by technology, vendor, author and industry. A wide variety of apps are free to download, and because the community is evolving so quickly, new apps are added to the site almost every week. The site is maintained by Splunk but used by Splunkers around the world to exchange information, create and upload apps, interact with users and troubleshoot apps; app developers use that feedback to make their apps usable across a wide range of industries. Let's search by keyword, say "Linux", for a Linux technology app and see what comes up: for example the Splunk app for Linux auditd, plus a few other Linux-based apps. Similarly you can filter by product (say, only apps that support Splunk Enterprise), by industry, by technology or by organisation. Let's go back to the home page and filter by technology, for instance security, fraud and compliance. Everything related to security appears under that category, and the most common ones sit under "Featured apps", which are the apps most organisations use.
That was browsing by category. Next is Technology, where you can see which apps people use for a given technology. There is also a menu for Splunk-built apps: these are authorised and officially supported by Splunk, and you can use their tags when asking questions on answers.splunk.com. Basically, this is where you find all the apps and add-ons for your Splunk environment. Let's try downloading one. The most common Windows app across organisations is the Splunk App for Windows Infrastructure. As you can see, it shows the number of downloads and installs, which tells you how many different environments use it. More downloads and installs generally means a better chance of getting support and fewer issues, though it is not a guarantee that the app is safe: an app can ship scripts and scripted inputs that run on your Splunk host, so look at what is in its bin/ directory and inputs.conf before you install it. There is also documentation describing how to deploy and configure the app. Since we're already logged in to the portal, clicking Download shows a short agreement, checked by default, and the download starts. That's how you download any app from this site. If you're logged in, you can download a batch of them in one go; if you're just researching, browse by category or technology so you know what you're looking at, and the most reviewed or most installed apps are shown at the top so you can pick the best one.
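As an added example (not part of the course and not Splunk's own tooling), here is a small Python script that performs the pre-install check described above on an app package: it opens the .spl/.tgz tarball in memory and lists every scripted input declared in inputs.conf, every file under bin/, any bundled passwords.conf, and any member path that would escape the app directory. The sample package it builds is constructed for the example and is not a real Splunkbase app; the assumption is that the package is a gzip tarball with one top-level app directory. Nothing is installed or executed.

```python
"""Inspect a Splunk app package (.spl / .tgz) before installing it.

Added example, not code from the course or from Splunk. Assumption: the
package is a gzip tarball with a single top-level app directory. The script
only reads conf files and member names; it never extracts to disk.
"""
import io
import re
import tarfile

# Matches a scripted-input stanza header such as [script://./bin/collect.sh]
SCRIPT_STANZA = re.compile(r"^\[script://(.+)\]$")


def build_sample_app():
    """Constructed sample package (not a real Splunkbase app) with one
    monitor input, one scripted input, a shipped script and a credentials file."""
    files = {
        "myapp/default/app.conf": "[launcher]\nauthor = example\nversion = 1.0.0\n",
        "myapp/default/inputs.conf": (
            "[monitor:///var/log/syslog]\nsourcetype = syslog\n\n"
            "[script://./bin/collect.sh]\ninterval = 60\nsourcetype = myapp:collect\n"
        ),
        "myapp/bin/collect.sh": "#!/bin/sh\nuname -a\n",
        "myapp/default/passwords.conf": "[credential:myapp:svc]\npassword = hunter2\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name.startswith("myapp/bin/") else 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_app_package(package):
    """Return what the package would do on the host: scripted inputs that
    Splunk would run on a schedule, files shipped under bin/, bundled
    credential files, and any path that escapes the app directory."""
    findings = {
        "members": 0,
        "scripted_inputs": [],
        "bin_files": [],
        "credential_files": [],
        "unsafe_paths": [],
    }
    with tarfile.open(fileobj=io.BytesIO(package), mode="r:gz") as tar:
        for member in tar.getmembers():
            findings["members"] += 1
            parts = member.name.split("/")
            # Absolute paths or ".." components would write outside $SPLUNK_HOME/etc/apps
            if member.name.startswith("/") or ".." in parts:
                findings["unsafe_paths"].append(member.name)
                continue
            if len(parts) >= 2 and parts[1] == "bin" and member.isfile():
                findings["bin_files"].append(member.name)
            if parts[-1] == "passwords.conf":
                findings["credential_files"].append(member.name)
            if parts[-1] == "inputs.conf" and member.isfile():
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                for line in text.splitlines():
                    match = SCRIPT_STANZA.match(line.strip())
                    if match:
                        findings["scripted_inputs"].append(match.group(1))
    return findings


def needs_review(findings):
    """True when the package would execute code or carries secrets/unsafe paths."""
    return bool(
        findings["scripted_inputs"]
        or findings["bin_files"]
        or findings["credential_files"]
        or findings["unsafe_paths"]
    )


if __name__ == "__main__":
    result = inspect_app_package(build_sample_app())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("needs review:", needs_review(result))
```

Run it against a real download by replacing `build_sample_app()` with the bytes of the .spl file; a package with an empty scripted_inputs and bin_files list still deserves a read of its dashboards, but it at least cannot run anything on the host by itself.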
17. Splunk GUI Overview : Part 1
From the previous tutorials we have seen how to download Splunk packages and which packages are available. Now let's see what Splunk actually looks like. As I mentioned, I already have a Splunk instance set up on Amazon AWS; we'll cover the installation of Splunk in a later part of the tutorial. Let's log in. Here is the IP of the instance; by default the Splunk GUI, the Splunk Web process, runs on port 8000, so that is the port I connect to. This is a simple Splunk instance running on Amazon Web Services with some basic infrastructure, just for demo purposes during this tutorial. Once you log in, you see this page, known as the launcher screen or welcome screen, which is the default home page for all users and can be customised to a great extent; to keep the tutorial simple we'll leave it as it is for now. Let's start with the Splunk icon, which works like the home button on your phone: wherever you are in Splunk, clicking it brings you back to the home page. Right next to it is the Apps menu, which lists the apps installed on this Splunk. As of now we have only the Search & Reporting app, the basic app that comes with every Splunk instance. The next link in the top menu is the user menu, which shows "Administrator" because I logged in with the admin credentials; if you log in as a normal user or another user, it shows whatever name is set in that user's profile.
This menu has several links related to the user profile, most of them self-explanatory: you can change your password here and set your time zone to wherever you are. Default application is the app you land on after login: Launcher is the default, and the second option is Search, i.e. the Search & Reporting app; we'll look at the built-in apps later. There is an option to restart backgrounded jobs when Splunk restarts, so that your background jobs are re-initiated. There is the default search mode, which you can customise to whatever you need, and the theme used for syntax highlighting while writing search queries. These are basic, self-explanatory account settings that you'll be able to try yourself as part of this tutorial, since you get 30 days of free access to the demo instance that comes with the complete package. Moving on to the next link in the top menu, Messages: here you see all Splunk-related errors, warnings and licence-violation messages, and as a Splunk admin or architect you should keep an eye on this tab almost all the time. Next is the Settings tab, the most important and crucial one, which holds all the configuration for Splunk; we'll go through the whole settings module in a separate section to keep this initial overview short. Next is the Activity tab, where you can see and analyse Splunk performance: how many searches are running, who is running them, how long they have been running and what their status is on this instance.
When you click the Jobs link, you'll see the couple of searches I ran a few days ago that completed successfully. If you look at all the searches that have been performed, you'll notice there has been only one, which was just to test whether my instance was up, whether it was indexing data or doing anything else; it was up and running. This information is what you use to troubleshoot Splunk performance, and because it records which user ran which search, it is also the first place to look when you need to know who has been querying what.
18. Splunk GUI Overview : Part 2
The second entry in the Activity tab is Triggered Alerts. This is where every alert that fires is logged, which is useful for checking whether alerts are triggering at all, how many trigger per day, or how many are triggered by a single rule. On an instance with data coming in and alerts configured you would see all of them under this menu; because this is a new installation with little data ingestion or search activity, we don't have any alerts triggered, or even created, yet. The final tab in the top menu is Help, which can be a great resource at any stage of a Splunk user's career. Let's go through its entries quickly, one by one. The first, What's New, takes you straight to the Splunk documentation site, where you can search any Splunk topic, check for newer versions of Splunk and see what's new in the latest releases. The second link, Documentation, takes you to the documentation site, where you have access to the complete Splunk Enterprise documentation, downloadable and step by step, and can search and find answers. One good thing about Splunk is that the documentation is completely open. The only problem is that Splunk is so big that if you put all the documents together you get something like 3,000 or 4,000 pages, and reading through all of them would be a mess. Tutorials takes you directly to the Search Tutorial, a short tutorial on how to create reports, charts and dashboards and enrich your data. We'll go through all of this one by one, though probably in a different order that will be more useful. Let's look at the other important links in the Help menu.
The Splunk Answers site is one of the most informative and active Stack Overflow-style sites for Splunk. Clicking the link takes you directly to answers.splunk.com, where a huge number of people are constantly asking questions and posting answers to help other members of the Splunk community. If you're already logged in, you can click "Ask a Question" and a form pops up. Whatever the question, however basic, that's fine, though it's worth searching first to see whether somebody has already asked it; you'll find an answer probably 80% to 90% of the time, because the community has been around for a long time and is very active. The last link, I believe, is Contact Support, which goes to the Splunk portal where you log an incident with Splunk Support through your customer portal, and it is resolved based on priority. The next link, Help, takes you right back to the documentation, in this case the Admin Manual, one of the important manuals because it contains the configuration references for Splunk; I highly recommend downloading it and going through it whenever you have time. This Help link is contextual: it opens the documentation for whichever Splunk page you clicked it from, covering the activities and functionality on that page, the options it has and how to configure it. The final entry is About, which shows the build version and details of your Splunk installation, and also the app version; since this is the default app, its version is the same as the Splunk version, 6.6, and this is the build number.
19. Splunk GUI Overview : Part 3
In the previous lecture we went through the Splunk top menu and all of its links. Now let's go inside an app and see what the app menu and other features look like. I'll use the Search & Reporting app, the default app. It has five menus, of which Search is the default, so as soon as you open the app you land on the Search page. The others are Datasets, Reports, Alerts and Dashboards. We'll do a complete walkthrough of the Search menu and a brief overview of the others. Let's start with Datasets, previously known as Pivot. It works like a pivot table in Excel: you build visualisations just by clicking and selecting pivots or datasets. For example, there is one dataset here for Splunk's internal server log. Since this is a new instance, let's check whether we have any events from our internal logs. OK, we do have some events. On the left you can see many visualisation options; click one and it automatically pops up that kind of visualisation. We'll only touch on this briefly for now; later we'll cover how to create a new pivot, how to visualise and customise it, how to add it to a dashboard, and how to use pivot datasets in reports. For now, think of it as a simple Excel pivot that lets you visualise data without writing any queries. The next menus, Reports, Alerts and Dashboards, are self-explanatory: they are used to search for, create or manage reports, alerts and dashboards respectively, and even to accelerate a report or dashboard. Now let's continue with the Search menu, the most important and most informative menu in any app. This is the search bar.
You write your queries, with whatever conditions you need, in the white rectangle just below the word Search, to pick the needle out of the haystack. This is where you write all the queries that fetch data from the millions or billions of events the organisation generates every day. Right next to the search bar is the time range picker, which by default is set to the last 24 hours and is completely customisable; it also offers the preset ranges commonly used when searching in Splunk. Next to the time picker is the search icon, so after you choose a time range you click it to start searching, or simply press Enter. Let's search for something basic: Splunk's audit logs for the last 60 minutes. We'll come to how to write search queries, and what they mean, in later parts of the tutorial. As soon as I hit Enter, the whole bottom of the screen, just below the search bar, changes. The search I typed, index=_audit, simply tells Splunk to search its own audit trail, the audit logs. Just below it, some text says that from this time to this time, which is our last 60 minutes, there were 3,000 events, with no event sampling. Event sampling is used to estimate a trend, and you can set how many samples to use. Then there is the Job menu, used to edit this job: whether it should expire, and who can view it, only yourself or everybody with the link. There is a lifetime you can specify; by default I believe it's ten minutes, and you can set it to seven days. If you share the job, it is kept for seven days by default. Bear in mind that sharing a job makes its results readable to anyone who can open that link, not just the people who could run the search themselves, so think before sharing a job over sensitive data.
Next is Inspect Job: whenever your query throws errors or performance is very slow and the search takes a long time to return, the job inspector helps you troubleshoot those issues. Delete Job simply removes the job from the search page, so that the next time you run the search it starts from scratch instead of reusing the saved job. That's this menu.
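The Activity > Jobs view from the previous lecture and the index=_audit search above both read from the same source: Splunk's own audit trail. As an added example (not from the course and not Splunk's code), here is a Python parser that reads audit lines of the Audit:[key=value, ...] form and answers the same questions offline: how many searches each user ran, which searches were refused, which ran longer than a threshold, and which logins failed and from which client. The sample lines are constructed for the example and modelled on the audit.log layout; the field values, including the denied search, are illustrative rather than captured from a real instance. The assumption is that each event body ends in "]" or "][n/a]".

```python
"""Parse Splunk audit-trail lines (index=_audit / audit.log) and summarise
who searched what, which searches were refused, which were slow, and which
logins failed.

Added example, not code from the course or from Splunk. SAMPLE_AUDIT_LOG is
constructed and modelled on the audit.log layout; values are illustrative.
"""
import re
from collections import Counter

# Constructed sample, not captured from a real instance.
SAMPLE_AUDIT_LOG = """\
07-10-2019 13:35:09.204 +0000 INFO  AuditLogger - Audit:[timestamp=07-10-2019 13:35:09.204, user=admin, action=search, info=granted , search_id='1562765709.5', has_error_warn=false, fully_qualified_search='search index=_audit', total_run_time=0.32, event_count=120][n/a]
07-10-2019 13:36:11.010 +0000 INFO  AuditLogger - Audit:[timestamp=07-10-2019 13:36:11.010, user=analyst, action=search, info=granted , search_id='1562765771.6', fully_qualified_search='search index=_audit | top limit=20 action', total_run_time=0.88, event_count=3000][n/a]
07-10-2019 13:37:40.555 +0000 INFO  AuditLogger - Audit:[timestamp=07-10-2019 13:37:40.555, user=analyst, action=search, info=denied , search_id='1562765860.7', fully_qualified_search='search index=_internal'][n/a]
07-10-2019 13:38:02.001 +0000 INFO  AuditLogger - Audit:[timestamp=07-10-2019 13:38:02.001, user=admin, action=login attempt, info=failed, reason="user-initiated", useragent="curl/7.64.0", clientip=203.0.113.9][n/a]
07-10-2019 13:38:03.412 +0000 INFO  AuditLogger - Audit:[timestamp=07-10-2019 13:38:03.412, user=admin, action=login attempt, info=failed, reason="user-initiated", useragent="curl/7.64.0", clientip=203.0.113.9][n/a]
07-10-2019 13:38:05.000 +0000 INFO  AuditLogger - Audit:[timestamp=07-10-2019 13:38:05.000, user=admin, action=login attempt, info=succeeded, reason="user-initiated", clientip=203.0.113.9][n/a]
"""

# Body of the event sits between "Audit:[" and a closing "]" optionally followed by "[n/a]".
AUDIT_RE = re.compile(r"Audit:\[(?P<body>.*?)\](?:\[n/a\])?\s*$")
# key=value pairs; values may be single- or double-quoted (and then contain commas
# and '=' such as a full search string) or bare up to the next comma.
PAIR_RE = re.compile(r"""(\w[\w.]*)=('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^,\]]*)""")


def parse_audit_event(line):
    """Return the event's fields as a dict, or None if the line is not an audit event."""
    match = AUDIT_RE.search(line)
    if not match:
        return None
    event = {}
    for key, value in PAIR_RE.findall(match.group("body")):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # drop surrounding quotes
        event[key] = value
    return event


def summarize_audit(text, slow_seconds=0.5):
    """Aggregate the questions the Activity > Jobs page answers by hand."""
    searches_per_user = Counter()
    failed_logins = Counter()
    denied, slow = [], []
    for line in text.splitlines():
        event = parse_audit_event(line)
        if event is None:
            continue
        user = event.get("user", "?")
        action, info = event.get("action"), event.get("info")
        search = event.get("fully_qualified_search", "")
        if action == "search":
            if info == "granted":
                searches_per_user[user] += 1
                run_time = float(event.get("total_run_time") or 0)
                if run_time > slow_seconds:
                    slow.append((user, search, run_time))
            elif info == "denied":
                denied.append((user, search))
        elif action == "login attempt" and info == "failed":
            failed_logins[(user, event.get("clientip", "?"))] += 1
    return {
        "searches_per_user": dict(searches_per_user),
        "denied": denied,
        "slow_searches": slow,
        "failed_logins": dict(failed_logins),
    }


if __name__ == "__main__":
    for key, value in summarize_audit(SAMPLE_AUDIT_LOG).items():
        print(f"{key}: {value}")
```

Point `summarize_audit` at the contents of $SPLUNK_HOME/var/log/splunk/audit.log, or at raw events exported from index=_audit, and it produces the per-user and failed-login counts without opening the GUI; the quoted-value handling in PAIR_RE matters because the search string itself routinely contains commas and equals signs.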
20. Splunk GUI Overview : Part 4
The Pause and Stop entries can only be used while a search is running, and are self-explanatory: pause the search, or stop it. There is a Print option to print the entire web page. There is an Export option, which by default offers CSV, XML and JSON, and you can also export the raw events, which is nothing but your log file. When you export from here you get every event matching the filter, all 3,000-plus events from the last 60 minutes, where the filter is simply "Splunk's internal audit logs". If you only want a particular log line, exporting everything is not the way to do it; we'll see how to narrow the search down to a targeted search that fetches just the information you need, and then you click Export. Raw Events gives you the actual log lines; CSV gives you a parsed version of your logs with each field and its value; XML and JSON give you the same in their respective formats. The next menu is one of the most important: the search mode, Fast, Smart or Verbose. There is a short description next to each that explains the difference, which you can read through when you get access to the demo instance that comes with this course. In short: Fast is the fastest, Smart is the smartest, and Verbose is the heaviest. Fast mode extracts only the minimum required fields, i.e. the selected fields. Let's see. We ran the last 60 minutes; let's run it again in Fast mode. The main difference is that here we have only a handful of fields, the selected fields, and if we check how long the job took via Job > Inspect Job, it completed in about 0.4 seconds for the last 60 minutes in Fast mode. Now let's go to Smart mode, the smarter one that gets you just the information you need.
If I write a query that returns raw events, it shows me the raw events; if I write a query that produces a visualisation or chart, it shows only the chart and not the raw events. That's how Smart mode works: it gives you the information you need. In Smart mode you can see many more fields; these are the interesting fields, and Smart mode extracted them automatically. Let's see how long this run took compared with the previous one. Fast mode showed about 0.4 seconds and this one came in lower. How can that be? Because the second run is served partly from Splunk's cache. Let me run Fast mode again: now it takes about 0.23 seconds, so the earlier comparison was skewed by caching. Smart mode took 0.38 seconds, longer than Fast, as expected. If I run the same search in Verbose mode it takes even longer, because it tries to add more information: more metadata and all the field extractions for the events. And since we're running the same search over and over, most of it is already in Splunk's cache. Verbose took 0.44 seconds, compared with 0.23 for Fast and 0.38 for Smart. That's fine for a 60-minute search; run a three-month search in Verbose mode and it will seem to go on forever. As a Splunker, make sure Verbose mode is not used by default, only when there is a real need for it. Most of the time you'll get your job done with Smart mode. Let's see one more example of Smart mode. Say I have a field called action; I click on its top values, the search query is updated automatically, and the search runs.
It automatically populates a visualisation showing the top 20 values by default, and I'm running it in Smart mode. If I go back to Events, I can't see any events: it clearly says the search did not run in Verbose mode. If you want to see the events along with your chart, you need to run in Verbose mode. Running in Verbose mode is heavy duty for your Splunk instance and eats your resources, so make sure Verbose mode is used only when it is necessary.