Introduction to Operational Intelligence Using Splunk - Agenda

Day 1
1. Overview of APM & Operational Intelligence
2. Introduction to Splunk
3. Installation & configuration [Hands-on]
4. Search (Splunk Search Processing Language)
5. Search – Hands-on

Day 2
6. Creating a Splunk app & Reporting
7. Creating dashboards
8. Demo & Hands-on

Day 3
9. Distributed architecture
10. Demo: Cluster setup
11. Activity: Cluster setup


What is Splunk?
• Splunk is a platform for Operational Intelligence, log analytics and machine data visualization.
• Splunk ingests machine data in any shape: structured, semi-structured or unstructured.
• Data that would otherwise sit unread in log files becomes searchable and yields useful insights.
• It can be used for visualizations, alerts, lookups, reports, etc.
• Splunk is a paid tool. Licensing is based on the amount of data indexed per day.
• Splunk has its own query language, the Splunk Search Processing Language (SPL).
What is Splunk?
Make machine data accessible, usable & valuable.

[Figure: Splunk usage. Around the centre, Operational Intelligence, the diagram lists: Index; Report & Analyze; Search & Reporting; Monitor & Alert; Add Knowledge; Data / Log Analytics; Machine data visualizations.]
Splunk components
[Figure: the three Splunk Enterprise components - Search Head, Indexer and Forwarder.]
• Forwarder – collects data at the source and sends it on (input phase).
• Indexer – parses the incoming data and stores it as indexes on disk.
• Search Head – runs searches across one or more indexers and presents the results.
Default fields in Splunk
Every event is stamped with these default fields as it enters Splunk:
• Source – the file, port or script the event came from
• Sourcetype – the format of the data, which drives parsing
• Host – the machine that produced the event
• Index – where the event is stored (default: main)
Splunk Phases - Detailed
• Input phase – handled at the source (mostly a forwarder). The source data is opened and read, and the input configuration settings (source, sourcetype, host, index) are applied.
• Parsing phase – handled by a heavy forwarder or an indexer (part of Splunk Enterprise). The data stream is broken into individual events, timestamps are extracted, and advanced operations such as masking and selection (dropping unwanted events) can be applied.
• Indexing phase – the parsed data passes through the license meter before it is written to disk, so the metered volume is the raw, uncompressed size; compression happens afterwards. Once written, indexed data cannot be changed.
• Search phase – handled by the search head (part of Splunk Enterprise).
[Figure: data flow from a Universal Forwarder through the phases Source → Parsing → Licensing meter → Indexing → Searching; data is written to disk after the license meter.]
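The following configuration is an added example (not from the original deck) that puts the input and parsing phases above into working Splunk .conf stanzas. The app names, file path, sourcetype, index name and card-number regex are assumptions made for the example; the constructed sample event in the comment is not real data.

```ini
# --- Universal forwarder: $SPLUNK_HOME/etc/apps/my_inputs/local/inputs.conf ---
# INPUT PHASE: which file to read and which default fields (sourcetype, index)
# to stamp on every event. The index must already exist on the indexer.
# Constructed sample line in payments.log:
#   2024-05-01T12:00:00+0000 INFO payment approved pan=4111111111111111 amount=42.00
[monitor:///var/log/myapp/payments.log]
sourcetype = myapp:payments
index = payments
disabled = 0

# --- Heavy forwarder or indexer: $SPLUNK_HOME/etc/apps/my_parsing/local/props.conf ---
# PARSING PHASE: event breaking, timestamp extraction and masking.
# A universal forwarder does not parse, so these settings are ignored there;
# they must live on the first full Splunk instance the data passes through.
[myapp:payments]
# One event per line.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Timestamp is at the start of the line, ISO-8601 with numeric offset.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 25
# Mask all but the last four digits of a 16-digit card number BEFORE it is
# written to disk; indexed data is immutable, so this is the only chance.
SEDCMD-mask_pan = s/\b\d{12}(\d{4})\b/XXXXXXXXXXXX\1/g
# Hand the event to a transform that decides whether it is kept at all.
TRANSFORMS-drop_debug = drop_debug_events

# --- Same instance: $SPLUNK_HOME/etc/apps/my_parsing/local/transforms.conf ---
# SELECTION: send DEBUG events to nullQueue so they are neither indexed nor
# counted by the license meter.
[drop_debug_events]
REGEX = \sDEBUG\s
DEST_KEY = queue
FORMAT = nullQueue
```

Two practitioner caveats: Splunk reads a trailing `#` as part of a value, so comments must sit on their own line as above; and masking at parse time keeps the card number off the indexer's disk but does not protect it in transit, because forwarder-to-indexer traffic is plaintext unless SSL is configured in outputs.conf and the receiving inputs.conf.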
Splunk Enterprise - Standalone
[Figure: a single Splunk Enterprise instance performs input, parsing, indexing and searching.]

Splunk Deployment - Basic
[Figure: forwarders deliver the input to one Splunk Enterprise instance, which performs parsing, indexing and searching.]
Splunk Deployment - Distributed
[Figure: Search Head, Indexer, Forwarder and Deployment Server as separate instances.]
• The deployment server pushes apps and configuration to its deployment clients (typically the forwarders).
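An added example (not from the original deck) of the minimum configuration that wires the distributed components together: the forwarder sends to two indexers, the indexers listen on the receiving port, and a deployment server pushes the forwarder's input app. Hostnames, ports other than the Splunk defaults (9997 receiving, 8089 management), the server class name and the app name are assumptions.

```ini
# --- Indexers: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Receive cooked data from forwarders on the default receiving port.
[splunktcp://9997]
disabled = 0

# --- Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Load-balance across both indexers and require indexer acknowledgement so an
# indexer failure does not silently lose events.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
autoLBFrequency = 30
useACK = true

# --- Forwarder: $SPLUNK_HOME/etc/system/local/deploymentclient.conf ---
# Phone home to the deployment server on its management port.
[deployment-client]

[target-broker:deploymentServer]
targetUri = ds.example.internal:8089

# --- Deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# Clients whose hostname matches the whitelist receive the app my_inputs,
# which is staged under $SPLUNK_HOME/etc/deployment-apps/my_inputs on the
# deployment server.
[serverClass:payment_forwarders]
whitelist.0 = pay-*.example.internal
restartSplunkd = true

[serverClass:payment_forwarders:app:my_inputs]
```

Security note: whatever the deployment server pushes (including scripted inputs) runs on every matching forwarder under the forwarder's service account, so treat it as privileged infrastructure: restrict who can edit serverclass.conf and deployment-apps, and do not expose port 8089 beyond the forwarders that need it.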
Index DBs in Splunk
An index is stored as a set of buckets that age through these stages:
• Hot bucket – currently being written to (the only writable stage)
• Warm bucket – rolled from hot and closed for writing; still searchable
• Cold bucket – rolled from warm, typically moved to slower, cheaper storage; still searchable
• Frozen bucket – rolled from cold when the retention age or index size limit is reached; deleted unless archived
• Thawed bucket – an archived (frozen) bucket restored so it can be searched again
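An added example (not from the original deck) of the indexes.conf settings that control the bucket lifecycle just described. The index name, paths and sizes are assumptions chosen for the example; every setting name is a real indexes.conf parameter.

```ini
# $SPLUNK_HOME/etc/apps/my_indexes/local/indexes.conf on the indexer
# $SPLUNK_DB defaults to $SPLUNK_HOME/var/lib/splunk.
[payments]
# Hot and warm buckets live under homePath.
homePath = $SPLUNK_DB/payments/db
# Warm buckets roll here once maxWarmDBCount is exceeded (put this on cheaper storage).
coldPath = $SPLUNK_DB/payments/colddb
# Restored (thawed) buckets are placed here; they are never aged out.
thawedPath = $SPLUNK_DB/payments/thaweddb
# Hot buckets open for writing at the same time.
maxHotBuckets = 3
# Size at which a hot bucket rolls to warm ("auto" = 750 MB).
maxDataSize = auto
# Warm buckets kept before the oldest rolls to cold.
maxWarmDBCount = 300
# Retention: a bucket whose newest event is older than 365 days is frozen.
frozenTimePeriodInSecs = 31536000
# Size cap for the whole index; oldest cold buckets are frozen when it is exceeded.
maxTotalDataSizeMB = 500000
# Archive frozen buckets here instead of deleting them. Without coldToFrozenDir
# or coldToFrozenScript, freezing means deletion.
coldToFrozenDir = /archive/splunk/payments
```

Buckets freeze on whichever limit is hit first, age or total size, so an index that grows faster than planned can lose audit data well before the retention period ends; size the cap for the actual ingest rate. To thaw, copy an archived bucket directory from coldToFrozenDir into thawedPath, run `splunk rebuild <bucket directory>` to regenerate its index files, and restart the indexer.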
Licensing
The Splunk license meter works on the amount of data indexed per day.
For more details on Splunk licensing, refer to:
https://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Manageyourlicenses
Splunk Directory structure
• $SPLUNK_HOME is the installation directory: C:\Program Files\Splunk on Windows (/opt/splunk is the usual default on Linux).

$SPLUNK_HOME
├── bin        executables (the splunk CLI, splunkd)
├── etc        licenses and configuration
│   ├── system     system-level configuration
│   ├── apps       search, launcher and <custom apps>
│   └── users      per-user configuration
└── var
    └── lib
        └── splunk     indexes (the default $SPLUNK_DB)
