Pass Splunk SPLK-2002 Exam in First Attempt Easily

Introduction to Splunk & Setting Up Labs

1. Introduction to Splunk

Hey everyone and welcome back. So today's video is dedicated to an introduction to Splunk. So let's get started. So Splunk is one of the most popularlog analysing as well as monitoring tool whichis available in the industry currently. Now basically, Splunk is a software platform that allows us to search, analyze, as well as visualise the machine-generated data that can be gathered from a wide variety of devices. So, as shown in the screenshot above, data gathered from various servers, active directory applications, virtual machines, databases, and so on is displayed on the left side. Or it can be any machine-generated data. It goes to Splunk. And basically, depending upon the queries that you write, you can generate great, meaningful dashboards in a minimum amount of time. So these are some of the dashboards that you can literally create within a few minutes. And in the later videos, we'll look into how we can create these dashboards as well as prioritise events based on severity. So if you'll see, you have a red, you have a blue, and you have a yellow. So red means that this event is more critical than either yellow or blue. So all of these are much easier to create in Splunk when you compare it with the other log monitoring and analysing tools. Now, one of the features that makes Splunk really powerful is its marketplace. Now, Splunk has its own marketplace, which is also referred to as Splunk Base, where people and organisations can submit their applications and add ons.Now, due to this, it really allows customers to use out-of-the-box solutions for a wide variety of use cases. Now, one of the examples that I can give you is for Android. So if you talk about the Android Marketplace, it's huge, and you'll typically get most of the applications that are typically available in the mobile space. So any developer who might write an application will definitely put it first on Android and iOS because those are the two most famous mobile platforms that are available. However, when you compare that with Windows, people have stopped writing or stopped porting applications to the Windows OS. Android and iOS are more famous. Similarly to Splunk, there is a wide range of apps and add-ons available in this marketplace. So let's look into what exactly that might look like. So if you look into the Splunk database, if you go a bit down, you can basically browse your applications by category. So for DevOps, you have 112 apps. For utilities, 674. Security fraud and compliance, 858. Its operations number 884 and so on. So let's say that you have AWS in your environment. AWS is pretty famous. You just type AWS, and you have so many apps and add-ons that are available for AWS. So if you just click on one of them, which is plumbed up for AWS, you have a ready-made app that contains so many dashboards prebuilt. All you have to do is download it and install it within Splunk, and you will have all of these functionalities out of the box. And the Splunk marketplace's power makes Splunk a very powerful log monitoring and analysing tool that many organisations prefer. Splunk has evolved into more than just a Loganizing tool due to its low learning curve, as demonstrated in the following videos. And because of its powerful Splunk query language, it really becomes easy to promote Splunk in various niche-specific areas. So Splunk has been promoting and developing new applications that are very specific to areas like security information and event management, which is Si M. Splunk IT Service Intelligence, Splunk User Behavior Analytics, and many other tools are available. So, if we quickly look here, this is Splunk Enterprise Security. So this is an app that you have to install on top of your Splunk Enterprise. And this app really gives you very powerful dashboards related to the SI-M solution. And I have used Splunk Enterprise Security, and it really gives you a lot of capabilities to detect anomalies, specifically where security is concerned. You also have Splunk user behavioural analytics, which is also a powerful solution. And apart from that, Splunk has been promoting itself rapidly or developing various dashboards for compliance. So you see, this is the Plank app for PCI compliance. So if your organisation is PCI DSS compliant, you can use this app for PCI compliance, which really makes it easy for the management to see whether your organisation is compliant or, if not, what are the improvement areas. It also helps the auditor to easily assess if there are some things that are missing or not. So all of these functionalities really make Splunk a very powerful product. So, coming back to a PowerPoint slide, one last thing that I wanted to show you is the magic quadrant for the SI M. And, as you can see, all of this plank was not traditionally an SI-M solution. It was more of a big-data log monitoring and analysing solution. After the introduction of Splunk Enterprise Security, Splunk has been one of the top solutions within SIM. Now, this is only because of its powerful log analysis and log monitoring capabilities, as well as its powerful SPL command capability that Splunk has.

2. Introduction to Docker Containers

Hey everyone and welcome back to the Knowledge Portal video series. So today we'll have a very high-level overview of Docker's platform. Now, Docker as a technology has been gaining huge popularity in today's industry because of some amazing features that it offers, and this is the reason why having knowledge about Docker is very important. So let's go ahead and understand more about Docker. So, in a nutshell, Docker is an open platform, which means that once we build a Docker container, we can run it anywhere, which is one of the main or amazing features of a Docker. So let's assume we built a Docker container so we could actually run it on different platforms. It can be Windows, it can be Linux, it can be Mac; it can actually run on a laptop, in a data center, or in the cloud, so it follows an approach called the "build once, run anywhere" approach. So once you build a Docker container, that container can actually run anywhere from your laptop running Windows to your server running Linux; it does not really matter the underlying platform. Now I'll show you one of the real-world use case scenarios because we used to run CentOS in production, so our centres in production were based on 6.0 and our CentOS in development environments were based on 6.3. So we earlier thought it would not create a huge problem because only the minor version was different. So we went ahead and tested everything in the development environment, and things were working perfectly, but until the time we deployed it in production, everything broke. Our entire website went down, and this is one of the big challenges here. We are only considering a minor version difference in Asyndos, but running that same application in Ubuntu, or even running that same application in Windows or Mac, is beyond imagination, and this is what Docker truly fulfills. Since most applications are now built on top of Docker containers, what happens in deployment processes? You actually take that working Docker container from the development environment to staging and from staging to production, and it is guaranteed to work perfectly. So this is the good thing about Docker containers. Now, many of you might wonder, like, what is the difference between Docker containers and virtual machines? Because till now we have been working on virtualization like VMware, KVM, or Zen, et cetera. So, when you talk about a virtual machine, it contains an entire operating system, which is good, but it is also bad. So we'll look into it When you look at the difference between a container and a VM, you will notice that on the right hand side there is a server, and on the server there is some kind of operating system. You can have Windows, and you can have Linux as well. On an operating system, what you do is you install a Docker container, and then you have a container application. So what these container applications can do is use the underlying operating system resource, and this is the beauty. And when you talk about a normal virtual machine, you have the host operating system, and on top of the host operating system, you have to install some kind of hypervisor; it can be a VMware, a KVM, a HyperV, etc. And on top of Hypervisor, we have to install the entire operating system again. So even if the host OS, let's assume issent to us, if you're using a virtual machine,you again have to install a sentos VM. So you have host as Sentos, yourvirtual machine also has sent to us. So you see there are a lot of redundancy which ishappening and on top of that get sent to us. Then you have your binaries and libraries, and then you have your application. However, when you talk about Docker, you talk directly about your binaries, libraries, and application. So you don't really have to install this guest operating system. So this is a major one, and since you don't have to install this guest operating system piece, you can have a lot of benefits. So let me show you some of the examples of how that would work. So, I have my Windows machine, so this is my Windows machine, and on my Windows machine, actually, I have a container. So this is a Docker container, which is based on the CentOS 6 operating system. So if you will see, letme connect to this docker container. The name is very interesting. So now you see what happened earlier I had Cdrive users, so this was typically a Windows kind of area. However, when I logged into mycenter's six-docker container, I was presented with a root-like environment. So, when I perform an LS, it is very similar to a traditional Linux virtual machine. I can actually run all the Linux commands, and this is actually a Linux virtual machine. So if you see Proc CPU info, these are all the Linux commands that work perfectly because this is a Linux container. The difference between this and before is that when you go to boot, you'll notice that I don't have a kernel over here; there is none. As a result, there is no gas operating system over here. So this part is omitted, and this actually creates a lot of issues, like requiring additional RAM, additional CPU, etc. For that reason, that part is not present in Docker. When it comes to a standard virtualization environment, you'll notice that I've given it 2.5 GB of RAM, so many processors, and the size of this operating system itself is around 2 to 3 GB. However, when you talk about the size of a Docker container, let me show you if I do a PS. Let's do Docker images. I have an image of Sendoff, which I have downloaded. The file is only about 194 MB in size. and this is a very nice feature. So what really happens is that you login to your Docker container and build your entire application in the Docker container. Once your application is built, you take this Docker container and put it anywhere. You put it in windows machine, you put itin Linux server, you could put it in Mac. And this Docker container will work perfectly, as it is working right now. Okay? So this is the advantage of Docker containers. So along with this, I'll show you. So this is the official Docker website. If you go a bit down, you'll see Docker is supported for the following platforms: You have a Mac, a Windows computer, and you have sent us Fedora, Oracle, Rail, Ubuntu, and other operating systems. So this is about Docker. And one interesting thing that I would liketo show you is the docker Hub. So Docker Hub is one of the places where you can get readymade images. For example, I have taken the example of Nagis. So Nagios is a monitoring tool. Now, in a normal environment, what you have to do is install Nagios. You have to do all the configuration yourself. But in the Docker Hub, people who have already written them put the Docker container image online. So if you see over here, this is the entire Docker container image. So all you have to do is you have to downloadthe docker container and you have to run it and everything. You'll have the entire Nagio setup up and running without even having to do anything. And this is the beauty about Docker Hub: So in Docker Hub, you will actually find a lot of ready-made images. So if you want to configure an application, all youhave to do is just search in docker hub. If someone has put that application container online, download the container and run the container, and your entire application will be up and running. So this is the beauty about Docker: In the next lecture, we'll look into how we can install Docker and how we can do various kinds of configurations in and around Docker. So this is it for this lecture. I hope this has been informative for you, and I look forward to seeing you in the next lecture. You.

3. Setting up Docker Environment

Hey everyone and welcome back. So we had a great introduction to what Docker is all about. So, what we'll do today is install a Docker container, and we will look into how exactly the basic commands work. So for our lab, what we'll be doing is installing Docker for our CentOS-based system. So, I'm connected to one of my servers, which is running the CentOS one. You can, however, install it in Windows, Mac, Ubuntu, or even Fedora, depending on your environment. So, let me show you Windows also, because most of you might be running a Windows system. So in order to download Docker from Windows, just click on "Download from Docker Store." And once you do it, there are two versions of Dockers that are available. One is the stable channel, and the second is the edge channel. So, Edge Channel is where you get the most recent releases or features. However, Stable Channel is where you geta stable software which is well tested. So for your kids, you should be using the stable channel. because I'll be recording lectures in Windows and I've downloaded the stable edition of Docker So click on Get Docker, and your download will get started. So it is a simple exe file. So all you have to do is double-click on the exe file, click on Next, Next, and it will go ahead and install. Once it gets installed, you will have to log out once, and then your Docker will be up and running. So you will have this kind of pop-up within your Start menu. So, this is the Windows version. Let me show you a Linux-based version. So you have to run yam y install Docker IO. So this will go ahead and install Docker for Linux. Now, one important thing to remember is that once Docker gets installed, only the initial installation process might be different. But after that, whatever commands you will be running will be very similar across both Windows and Linux. So, let me show you. I'll start the Docker service systemsCDs status docker and start the service once I've downloaded the Docker in CentOS. So now it has started. You see that it is active and running. Similar goes for windows. You see, my Docker is running on Windows as well. So the very first command that you can try is Docker PS. So what Docker PS basically does is show you the status of any containers that might be running. Since I don't really have any running containers right now, it is showing it as empty. So I can show you that in Windows as well. So this is my Windows command prompt. And if I do a Docker PS, currently none of the containers are running, but that does not actually mean that I don't have any containers. So, what happens if I do a Docker psych? All the containers which are running or instopped state or someone which have existed abruptly. So these are all the Docker containers that I have on my Windows computer. But when you talk about Linux, since it is a fresh installation, I don't really have any Docker containers installed. So once we have Docker up and running, what we can do is go to DockerHub and download a container image. So we will be using sentences. There are various other images, like Ubuntu, or other ones as well, which are available now. Within CentOS, you also have various builds similar to US Seven and CentOS Six. So what we'll be doing is pulling the Sent file from the US six-base archive. and this is something that we are really looking for. So, if you go down, you'll notice that it's given us a command like Docker pull Sentos Six or Docker pull Sentoscol Seven. So if you copy this command, let me copy this and paste it in your prompt. I'm putting it over here. If you're using Windows, type it into the command prompt. So, once I do that, it will pull the most recent message sent to a six-based container. You see, it has pulled, and after it pulls, it will give you a digest. So once you get the digest, it means that the container image has been successfully pulled. So if you do a Docker image search, it will give you the latest pulled image. So this Docker-sending US image is something we just pulled. So it is only 194 MB only.Now this is a container image. Now, if I want to launch a container from this image, I'll run the command docker-rundet and specify the image I'll ruSo only a very simple and short Docker command, "run D T," and the container ID are needed. Just press Enter, and again you will see that you will get a digest similar to this. and this means that your Docker container has started. So now if you do a Docker PS over here, you will see that you have one container that is in the start state, and you will have an image container ID and a container name. Now, once you have this, if you want to go inside this container, you have to type Docker exec I, which stands for Interactive. T will give you the TTY terminal so that you can type commands. And then you can either specify the containerID or you can specify the container name. Let's try for the containername; I'll say Pedanticoitras. And next thing you have to do isyou have to type this is very important. You press Enter, and now you see you are under the Docker container. And if I do a LS over here, it will show you all the aspects related to the Docker container image. Now, I can do the same thing for Windows. Also, let me actually start one of the containers that I have been using. So the same command: docker exec "put a container name." This seems like an interesting name. Laughing Swirls. So let's try this out. I'll put on a brave face, Laughing Swirles. Okay, so it is saying it is not running. So go ahead and start a his out. Laughing Now that the container has started, Do a Docker PS. The container has started, and now you can connect to the container. So once I connect to the container, you see, I automatically get a root session. So I was in my C Drive users z earlier. This is the window. And now I have a root. So if I LS over here, I am under the Docker container. So one thing that you will see is that, actually, the commands that you are typing in Windows as well as in Nuts are very similar. So this is the beauty of Docker. Now you can actually do everything over here. You can use Yam to run top commands or install software. So if you do YAM install Nano, it will actually install the Nano tax editor within your container. So think of this as your Linux-based operating system. Perfect. So if you want to come out of the container, just press Exit. And now you are back to the original state, similar to Windows. If I do an exit over here, you will see that I am back to C drive, user Z. And if you do a Docker pier, the container is already up and running. Perfect. So the next command I'd like to demonstrate is docker commit. So let's say, for example, you actually set up a lot of software within the Docker container. So after you installed your Docker container, you setup NGINX or you set up some amount of software, which took you around 15 to 20 minutes. And what you want to do is take a snapshot of this Docker container so that even if you mess this up, you can relaunch a new container from the snapshot itself. And this part is very easy. So if you do a Docker commit, give the container ID and the name of the container. So I'll say, "First commit, and I'll press enter." So what this will do is actually take a snapshot. And now you can see you have the message digest. So now you go to Docker images and you will see there is one image that is stored, which is called the Docker commit. If you want to launch a Docker container from this snapshot, use the docker rundt command followed by the firstcommit command, which has been executed. So if I do a Docker PS, now you can see I have one more Docker container that is up and running. So if I log into this Docker container, let me log in here. And if you note we had installed Nano, if I do a rpm QA on Nano over here, you will see my Nano packages installed. So this is a very high-level overview of Docker containers. Go ahead and install Docker on your system. Depending upon the operating system that you have, the installation process will vary. But trust me, installation is very, very simple. Once you go ahead and install it, practice the commands that we have done. Pull the Docker sent to a six base image, create a container, do something inside that container, create a snapshot, and launch a new container from that snapshot. So this is the basic idea behind Docker containers. I hope you got the basics about Docker containers, and I look forward to seeing you in the next lecture. Bye.

4. Installing Splunk - Docker Approach

Hey everyone, and welcome back. In today's video, we will go ahead and look into the installation procedure for Splunk Enterprise. Now, generally, there are two ways in which you can install Splunk Enterprise. The first is by downloading the Splunk Enterprise installation package. So this would generally vary depending on the distributions that you might have. So if you have an Ubuntu distribution, it might have a depth package. A Red Hat-based distribution would have an RPM-based package. So there's little difference there. The second way is to download the Splunk Enterprise Docker image. The Splunk Enterprise Docker image would now undoubtedly work on Windows, Linux, Mac, and a variety of other platforms. So we'll be looking into both aspects. One thing that I would really like to share is that in one of the organisations that I was working with, there was basically a research and development center. And we used to have close to 500GB of data per day in our Splunk. And our entire cluster that was built was close to 15 servers. Everything was built on top of a Splunk Docker image. So it was really a great experience. And Splunk does work well, provided you know a little bit about Docker networking and how Docker works. So with this, let's go ahead and install Splunk's Docker image in this video. And in the upcoming video, we'll go ahead and install the Splunk Enterprise installation package. So I'm in my Docker Hub. So this is Hub Docker.com.And yeah, if I press Splunk and I press Enter, you will see that there are two packages here. One is Plank Universal Forwarder, and the second is Splunk. Now the Splunk Universal Forwarder is basically the agent that gets installed on the server and pushes the logs from the server to a centralised Plunk. Now this is something that we'll be working on within the upcoming sections, but in today's video, we'll be looking into the installation of Splunk. So I'll click here, and within here you will see that the first command that it is showing is the Docker pull command. So the command is "Docker pull Splunk. Splunk. Now, one interesting thing that you will see is that the owner is Splunk themselves. Anyway, what we'll do is run this specific command. I'll copy this command, and what I'll do is I'll paste it. In my attempt, I'll upload all of these notes after the videos so that you can use them right away. So the first command basically pulls this Docker container image. So I'll go ahead and press Enter, and you will see that it is actually pulling the latest Docker container image. So let's quickly wait for a minute for this to complete. Perfect. So our Docker image has been downloaded. So now if I do a Docker image, you would see that I have this image, which is downloaded. Now, again, you will see a lot of images, primarily because I use Docker extensively for training videos as well as testing. But we'll focus more on the first image that we have downloaded. So, once that is completed, the next step is to execute a Docker run command. So let me directly copy this Docker run command and I'll paste it in my Atom editor here. Now, we'll be doing certain modifications because if you use it directly, it might not really work. So this docker run command basically says that it is running the docker container and that it is running from the Splunk latest image. So this image was already downloaded. So you see that the Splunk tag is the latest. So, this is the image from which the container will be started from.Now, there is a port where you are binding the host 8000 port to the container 8000 port. So basically, the Splunk Web UI gets started on port 8000. So I've bound my Windowsport 8000 to the container Sport 8000 here. So any traffic I send to my Windows port 8000 is routed to my containers port 8000. Along with that, we are passing two environment variables. One is of accept license. So basically, if you do not pass this environment variable, you'll have to manually accept the license. And the second environment variable is the Splunk password. So this is the password for your Splunk installation. So one thing that you will have to do is that you'll need to remove the codes, otherwise you will generally get an error. So I'll remove the codes, and I'll say password as the password for our testing purpose. And one more tag that I will add here is "Hyphen Name," and the name that will be given to the container is "Splunk." So I'll go ahead, I'll copy this command, and let me paste it over here once I press Enter. Now, if you do a Docker PS, you will see that I have a Docker container up and running. So the status is up for 2 seconds and was created 4 seconds ago. And the name of the container is Splunk. So, if you remember, we had bound Port 8000 of my Windows machine to Port 8000 of my container. So, to quickly test it, I'll do a local host; I'll say 8000, and you'll see I have my login page. So, if I quickly press Admin, and the password is password, I'll go ahead and click sign in, and you'll see that I have a brand new Splunk installation up and running. So you would see how simple it is when you do things with Docker. It's really simple. And you don't really need any servers. You can test everything locally, even if you havea Windows, or even if you have a Mac,or even if you have a Linux servers.

5. Installing Splunk - RPM Approach

Hey everyone and welcome back. In today's video, we will look into how we can install Splunk in her Red Hat-based system. It can be sent to the US, Amazon, Linux, or various others with support for RPM files. So the first thing that we'll generally do iswe'll go to Splum.com and we'll go ahead and go to Accounts and we'll sign up. So this is very important. Do sign up because this is something that will be needed in the upcoming videos as well. So we'll go ahead and create an account. Go ahead and create your own account. You can fill in your own details here, so let me fill in mine. So once you fill in all the details, just accept the terms and conditions, and you can go ahead and create your own account. So once you have created your account, you should see that you are automatically logged in here. So I'll go ahead and state my credentials so that I don't really have to remember them all the time anyway. So once you have the account created, you can go ahead and proceed with the downloadable package installations. Now, one of the easiest ways in which you can do that is you can just put Splunk Download Linux, and if you just click on the first link, which is Plunge Enterprise Download, you will see that this is Plunge Enterprise 7.2.0. The version always changes. I'll select the Linux distribution. Now, if you have Ubuntu, you need to download the depth package. Now, since I have Amazon Linux, which is a Red Hat base, or if you have Amazon Linux or Central S, you can go ahead and do a RPM-based installation. I'll go ahead and click on Download. So you will have to accept the licencing agreement, and you have to click on "Start your download." Now, keep in mind that since you will be installing this on your server, the best way to avoid this is to download via command line, which is Wgate. So I'll copy this URL and paste it on my server. So I'm already logged into my server; I'll create a directory called Splunk, I'll do a CD called Splunk, and I'll go ahead and run this. Come on. Now, in case you're wondering, I have a server called Kplab Two in AWS, and this is where I'll be doing this specific practical. So you can have several inAWS or Azure or anywhere else. All you need is SSConnectivity and properly configured firewall rules. Now, this is downloaded, so if you see this is the RPM-based package, I'll go ahead and do a young-Y install of Splunk 7.2. I'll press Enter, and it will go ahead and install the Splunk package. Perfect. So once the Splunk package is installed, you can go ahead and verify if everything is working correctly. So, one of the simplest ways to do that is to run a quick Netstat hype on NTLP and remember that the Splunk Web UI is associated with port 8000. So you can see that there is currently no 8000 port associated. That means the Splunk process has not started. Now, Splunk instals itself in the opt Splunk directory, and if you do LS, these are all the binaries and configuration files. So what you can do is go to Bin, and you will see that there are a lot of binaries that are present over here. and you can quickly go ahead and start Splunk. Now, in order to do that, what I'll do is opt Splunk bin Splunk," and I'll say "start." And as you will see here, it is asking me for the licence agreement. I hope you remember that we put an environment variable in the previous video so that it does not ask for this licence agreement. So I'll quickly go ahead. I'll accept this licence agreement. So, if you want to go down, you'll have to keep up the pace. So you have to put the administrator, username, and password exactly right. So, once you've done that, you'll notice that the Splunk Web interface is accessible at port 8000. So now, if you quickly do a Netflix type of NTLP, you should see that there is a Splunk process that is running on port 8000. Now, one important part that you need to remember is that whatever security group you associate with, you need to open port 8000 years.So definitely you should not do zero. So this is just a quick demonstration, but you should have entered 8000 to be up and running. So I'll copy the public IP of my server, and I'll press this and 8000, and you'll see I am getting a signing page. I'll go ahead and I'll signit with my credentials and perfect. We have a Splunk installation up and ready. So this is how you can install Splunk on a server. Now, I hope you understand both the differences between a Docker container and a service. For the time being, we'll be continuing with the Docker container, primarily because I do not really want everyone to spend their money on servers. Docker is quite easy to set up, and you can do it locally. So why spend money on the Internet? And the service was so good that that is the primary reason why we'll be moving with the Docker containers. But in case you decide to go with the server-based approach, everything we'll be doing will be very similar. So this is it. about today's video. I hope this has been useful for you and hope to see you in the next video.

Hide