You're reading from Splunk 7.x Quick Start Guide

Product type: Book
Published in: Nov 2018
Publisher: Packt
ISBN-13: 9781789531091
Edition: 1st Edition
Author: James H. Baxter

James H. Baxter is the owner/CEO of Machine Data Insights, Inc., a certified Splunk architect, and a developer and machine learning practitioner with over 35 years of experience in various engineering and analysis disciplines, including radio/satellite; networks; capacity and performance modelling; speech technology; packet-level analysis; programming; and Splunk architecture, administration, and machine learning solutions for companies including MCI, IBM, BP, Disney, and AMEX. James is also a private pilot and holds an Extra class amateur radio and FCC Radiotelephone license. You can reach him on LinkedIn as James H. Baxter.

Preface

Splunk is an increasingly popular platform for collecting, searching, monitoring, and analyzing ever-growing amounts of big data from applications, network devices, and Internet of Things sensors. Aggregating, centralizing, and analyzing log and event data with Splunk turns that data into answers regarding the health of machines and applications, counts and trends in customer transactions, security threats, and a multitude of other insights that may be valuable to a particular company or industry.

Over the last five years, Splunk has more than doubled its number of customers, which now totals over 13,000 in 110 countries, including 89 of the Fortune 100. Given the increasing trend and opportunity to profit from the valuable insights derived by leveraging machine learning (ML) techniques on large data sets, Splunk has positioned itself well for further growth by building ML into its premium applications, such as IT Service Intelligence, Enterprise Security, User Behavior Analytics, and Industrial Asset Intelligence, in order to provide real-time and predictive analytics in those environments, as well as providing the Machine Learning Toolkit for developing custom solutions. So, as far as the IT professional who likes to work with data and data systems is concerned, learning how to architect, implement, administer, and/or use Splunk for analyzing data is a safe and valuable career investment for the foreseeable future. This book was written with a view to helping you embark on that journey and learn the landscape as quickly as possible.

Who this book is for

This book is intended for experienced IT personnel who are just getting started with Splunk and who want or need to get quickly to the heart of architecting, implementing, and administering Splunk, as well as working with Splunk search and several key apps to extract value from collected data and/or help their user base do so. Business users who need to extract useful data from Splunk by building reports, dashboards, and alerts, and perhaps even use the Machine Learning Toolkit or one of Splunk's premium apps, such as Enterprise Security, will also benefit from this book: it is a quick read that will help them better understand and work with the underlying technology from which their rich datasets and solutions are derived, and gain insights that may foster ideas for extracting even more value from their data.

This book is obviously too short to provide complete coverage of all of Splunk's features, possible configurations, and related options (that would require a few thousand pages), but it does strive to provide an introduction to all of the most crucial topics, sufficient information and examples to get the immediate job done, and sufficient insights to support intelligent and efficient research to fill in any gaps and successfully complete customizations of a Splunk environment to suit any business environment or situation.

What this book covers

Chapter 1, Introduction to Splunk, introduces Splunk to the newcomer, with a high-level overview of Splunk components, features, and capabilities, along with the basics of how Splunk works, so as to serve as a solid foundation when going into further detail in subsequent chapters.

Chapter 2, Architecting Splunk, provides guidance and examples for selecting the appropriate Splunk configuration for a variety of business environments, choosing and sizing the hardware Splunk will run on, and how to calculate the amount of disk space and number of indexers you'll need to accommodate your anticipated data ingestion volume.

Chapter 3, Installing and Configuring Splunk, covers installing Splunk Enterprise and configuring each of the required components to perform their specific functions. This chapter includes a checklist for implementing a complete Splunk environment, working examples of the essential configuration file settings, and guidance for documenting the final Splunk solution.

Chapter 4, Getting Data into Splunk, gets to the heart of managing a Splunk environment. This chapter provides working examples of all of the key parameters and settings used to configure data inputs from Universal Forwarders for various log types, inputs from other data sources, and using the HTTP Event Collector for getting data into Splunk. We also cover parsing and storing the data in the various types of indexes, and how they're configured.

Chapter 5, Administering Splunk Apps and Users, wraps up the administration tasks by discussing how to manage the apps and search capabilities that users will need in order to find and extract the data stored in Splunk. Since Splunk is usually implemented as a distributed/clustered solution for reliability and scalability purposes, the focus will be on managing this more complex type of environment. Threaded throughout this chapter will be tips and strategies to help develop and apply the best standards and practices for managing and supporting a Splunk solution in a typical business environment.

Chapter 6, Searching with Splunk, is perhaps the most important part of the entire book, as this chapter covers all the crucial skills needed to get data out of Splunk indexes, reduce it to its essential elements, and transform and format the results into a dataset and visualizations that provide real value and powerful insights. The important features of the user interface—Splunk web—are leveraged in working examples of the more basic Search Processing Language (SPL) commands, which serve as the foundation for a gentle and logical progression to using the more advanced commands and visualization options.

Chapter 7, Splunk Knowledge Objects, covers the various ways you can powerfully enhance and enrich machine data with user-defined fields and additional data to help harness that information in a smarter and more focused way. Event types, tags, and aliases allow you to classify and normalize similar events; field extractions create fields from otherwise unlabeled segments of an event. Lookups enhance your data with additional information, such as the meaning of HTTP status codes. Data models are pre-prepared representations of one or more datasets created to drive pivot tables and allow business users to create complex reports and visualizations without having to use the SPL. These capabilities help make Splunk a much more useful and valuable business analysis tool, and you will want to know how it all works.

Chapter 8, Splunk Reports, Dashboards, and Alerts, builds on the search skills developed in the previous chapter to help you quickly and easily create effective reports and dashboards from saved searches that provide status indicators, charts, graphs, tables, and complex visualizations that can be viewed directly or scheduled for delivery by email with embedded PDFs. You'll also learn how to configure alerts to let support and business line personnel know when something isn't right.

Chapter 9, Splunk Applications, explains how to combine the knowledge objects, saved searches, and reports/dashboards/alerts you built in previous chapters into a Splunk app—a packaged solution that makes Splunk more useful and relevant to specific technologies or use cases. It also covers in detail how to install and configure several of the more useful (and free!) apps and add-ons available from Splunkbase—one that collects OS-level data from all your Linux and Windows servers, and another very popular app that allows you to query relational databases and ingest that data into Splunk. Finally, we'll install and review the Splunk Machine Learning Toolkit, as well as introduce Splunk's premium apps—ITSI, ES, and UBA—and see how they fit into comprehensive monitoring and situational detection solutions.

Chapter 10, Advanced Splunk, is an overview and reference for several important topics and skills that any Splunk administrator will want to include in their tool chest. While Splunk is inherently stable and reliable, there will be times when you have to troubleshoot problems; this chapter covers the most useful Splunk logs and tools for determining what's working and what isn't. Then, we segue into using the Monitoring Console to keep tabs on overall Splunk health, as well as providing working examples of searches that can be built for monitoring disk and index sizes versus configured capacity, search concurrency and performance, and other factors that an administrator will be interested in. As a finale for this chapter and the book, the reader is introduced to the essential concepts and references for taking Splunk to the next level—using API endpoints and the Splunk SDKs and frameworks for developing powerful customized solutions on top of the Splunk platform.

The coverage of functionality and the examples provided in this book are based on Splunk 7.1.1, which was current at the time of writing. Splunk is aggressively expanding and improving its product, so there will inevitably be new features and capabilities released in the future that are not covered, but the functions and configurations that are covered in this book are central to the Splunk platform, meaning that the information should remain relevant and useful for quite some time.

To get the most out of this book

To get the most out of this book, you will need to install the free version of Splunk Enterprise on your desktop or laptop so that you can investigate Splunk's directory structure and configuration files and options, and follow along in each chapter by experimenting with the configurations, searches, apps, and report/dashboard/alert examples provided.

If you want to develop your architect and administration skills with Splunk and don't have admin-level access to a Splunk sandbox environment at your workplace, you may want to consider building a small Splunk environment on cloud-based servers; the cost is not too great if you manage your up-time carefully, and you can configure and run a clustered solution using the free Splunk Enterprise trial license for up to 30 days.

Downloading the extra material

You can download a file that contains the data collection forms and indexer disk space calculator spreadsheets featured in Chapter 2, Architecting Splunk, clickable links to all the URLs providing additional information, and the search strings from each chapter, which you can copy/paste and alter to meet your requirements, by logging into your account at www.packtpub.com. If you purchased this book elsewhere, you can visit www.packtpub.com/support and register to have the file emailed to you.

Download the example code files

You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packt.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

  1. Log in or register at www.packt.com.
  2. Select the SUPPORT tab.
  3. Click on Code Downloads and Errata.
  4. Enter the name of the book in the Search box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

  • WinRAR/7-Zip for Windows
  • Zipeg/iZip/UnRarX for Mac
  • 7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Splunk-7.x-Quick-Start-Guide. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The rpm will install Splunk in the /opt/splunk directory."

A block of code is set as follows:

index=<index> <filter> <"text string to match"> 
| command1 <arguments>
| command2 <arguments>
| visualization commands & arguments

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

hot bucket (files being written to)
/opt/splunk/var/lib/splunk/myindex/db/hot_v1_41
warm bucket (closed for writing, searchable)
/opt/splunk/var/lib/splunk/myindex/db/db_1530043376_1529957920_40/
cold bucket (searchable, may reside on different storage)
/opt/splunk/var/lib/splunk/myindex/colddb/db_1508276979_1508276438_0/

Any command-line input or output is written as follows:

$ sudo su - splunk                # don't forget this step!
$ cd $SPLUNK_HOME/bin
$ ./splunk start --accept-license

Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "You can now click Settings | Fields | Field extractions and view the list of all the field extractions, including the one you just created."

Warnings or important notes appear like this.
Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at customercare@packtpub.com.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packt.com with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.
