SPLK-1003: Splunk Enterprise Certified Admin Certification Video Training Course Outline
Introduction to Splunk Enterprise
Designing Splunk Architecture
Installation and Configuration o...
Splunk Post Installation Activit...
Splunk Inbuilt & Advanced Vi...
Splunk Apps And Add-Ons
Forwarder Management And User Ma...
Splunk Indexer And Search Head C...
Splunk Advanced Concepts
Building Splunk Enterprise Archi...
Splunk Use Cases Of All Industries
Congrats: Completion of the Course
SPLK-1003: Splunk Enterprise Certified Admin Certification Video Training Course Info
Gain in-depth knowledge for passing your exam with Exam-Labs SPLK-1003: Splunk Enterprise Certified Admin certification video training course. The most trusted and reliable name for studying and passing with VCE files which include Splunk SPLK-1003 practice test questions and answers, study guide and exam practice test questions. Unlike any other SPLK-1003: Splunk Enterprise Certified Admin video training course for your certification exam.
Introduction to Splunk Enterprise
11. Components of Splunk: Deployment Server
Moving on to our next component: the License Manager, which is an optional component that keeps track of licence utilisation inside the organisation. It has very limited functionality and is dedicated only to dealing with Splunk's licensing. It interacts with your indexers, search heads and indexer clusters, even multisite indexer clusters, collects information about the data processed per day, and keeps track of your licence utilisation. Whenever utilisation reaches a threshold, it can alert you by sending an email or creating a ticket. Because of this, you will often see that in many organisations the License Manager is clubbed with either the search head or the indexer, since these components can also be made to act as a licence manager. You'll see this in later parts of our tutorial, when we build our own enterprise-level, multisite, highly available indexer cluster environment of Splunk on Amazon AWS Cloud: as part of this tutorial, we will make one of the Splunk components the licence manager. Moving on, the next component in our discussion is the Deployment Server, which is another optional component for small and medium organisations, but for large deployments of Splunk the Deployment Server is a must. If a deployment server is not installed in a large organisation, it will be a nightmare to roll out any change to the Splunk components, since you would have to manually log into each Splunk component to update its configuration. The Deployment Server can be defined as the central point of management for your entire Splunk infrastructure. Changes to forwarders, indexers, search heads, licence managers and all other Splunk deployment components can be managed by the deployment server. It is mandatory to have a deployment, so
12. Components of Splunk: Cluster Master
The final component of our discussion is the cluster master. The cluster master is responsible for managing the cluster, replicating the data, and monitoring the health of the Splunk cluster. Whether your indexer cluster is single-site or multisite, it is monitored by the cluster master. The cluster master is present and used only in Splunk cluster environments, that is, in a single-site or multisite indexer cluster. It is the role of the cluster master to manage the replication of the data, monitor the status of the cluster, and alert if something breaks in the cluster.
13. Splunk Package Downloads: Part 1
Since this is an introduction to the Splunk course, we have gone through lots of theoretical material. Now let us do some activity where we'll see how to download Splunk. Before downloading Splunk: as we learned in our previous lecture, there are many components of Splunk. Do we need to download all these components? The answer is no. For any installation of Splunk, all we have to do is download two packages. One is Splunk Enterprise; the second is the Universal Forwarder, also referred to as the Splunk agent. Splunk Enterprise is the core product of Splunk, and this package can be used to install any component of Splunk, whereas the Splunk Universal Forwarder, which is the agent of Splunk, is used to collect data from remote machines. Now let's proceed to download these packages. To download the Splunk Enterprise package, click on the link provided or visit Splunk.com. When you visit Splunk.com, you can see there is a "Free Splunk" button, which you click. It will ask you to fill out a registration form, which you should fill out if you don't already have a Splunk account created with your personal or official ID. Since I already have my ID, I'll click on Login. Once the login page is loaded, let me enter my credentials. Once you've successfully registered or logged into Splunk, you'll be able to see two products which you can download: one is Splunk Enterprise, the second is Splunk Cloud. From our previous lectures, we already know the difference between what "Splunk Cloud" means and what Splunk Enterprise means. Throughout this course, we will be dealing only with Splunk Enterprise, which is a software package that can be downloaded and installed in our own environment. This is what happens when we log in from splunk.com. If you click on the direct link, you'll land directly on this page, where if you click on "Free download," it will again ask you to log in.
If you're not logged in, it asks you to log in; if you have already logged in, it will redirect you to the download page. Similarly, the same happens here: if I click on "Redownload," it will direct me to choose the flavour of OS on which I need to install my Splunk Enterprise. Now we have this page. There are some informational items displayed on it; let's go through them. First, as of today, the latest Splunk version is 6.6.2. By default, whenever you download a Splunk package, you get a free licence of 500 MB per day. You might think that is good enough data for trying out, understanding, or learning Splunk. Yes, it is sufficient. But once you realise the potential of Splunk, you realise that 500 MB is not sufficient for anything whatsoever. Once you have downloaded this package, you'll get a 500 MB licence, which is free of charge and comes as part of the installation. The package can be used for 60 days; after 60 days, once the licence has expired, you will not be able to run any search on your Splunk instance, including reports, dashboards, or alerts. If you look down below, you have the Windows version of Splunk, the Linux version, Solaris and Mac. Throughout this course, we'll be completely focusing on installing Splunk on the Red Hat Linux platform, which you can also call CentOS.
14. Splunk Package Downloads: Part 2
In a production environment, Splunk Enterprise is highly recommended to run on the Linux platform because of the performance and also the file system, which can respond much faster than a Windows file system. On Windows, I've seen a couple of environments where Splunk has been installed, and they were probably not able to keep it up and running for a good amount of time because the CPU was stuck at 100% almost all the time, and each search you made took forever to run. So for medium- to large-scale deployments, installing Splunk on Windows is probably not a good idea, whereas on Linux we will be using RPM packages and Red Hat Linux throughout this course, where we will be building our own enterprise-level multisite deployment with high availability and multisite indexer clustering on Amazon AWS. We also have Solaris and macOS versions. These are the Splunk Enterprise packages; they are close to 200 MB. So let's go and download our Red Hat RPM package. If you are using any other version of Linux, you can download the TGZ. If your OS is a Debian flavour, you can download the .deb package and install Splunk. We'll download the RPM package, so once you click on download, it should download without any issues. And if you want to download directly onto your server, which is our Red Hat Linux machine, you can use the wget command. This is the command; let me copy this wget command and log into my demo Splunk instance, which as of now is on Amazon AWS. Now we have logged into our image on AWS. Let me bring up my demo Splunk instance. We have downloaded the Splunk package onto our local system, which we could upload using any file transfer software such as FileZilla, an SFTP/FTP client, or similar software. However, there is a better option: directly download the Splunk package onto your Splunk machines. Once my instance is up, I can log in, paste this command and hit Enter, and Splunk will be automatically downloaded into our environment.
Let's log into our AWS instance with our private key, and let me switch to my Splunk account. So now we're in our Splunk account, and there are no files. I'll copy the same command that was given during the download and just hit Enter. As you can see, the Splunk package is now directly on the server where we need to install Splunk. Now that we are done with it, let's proceed.
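As an added example that is not part of the course (the lecture only shows pasting the wget command), here is a small POSIX shell script that fetches the package with wget the same way, but checks the downloaded file against the digest published beside the download link before anything is installed, and picks the install command for the RPM, .deb or TGZ flavour named on the download page. The package URL and the published digest are placeholders you copy from that page; none of this is Splunk's own tooling.

```shell
#!/bin/sh
# Added example, not from the course: download a Splunk package onto the server
# with wget, verify it, and choose the install command for its flavour.
# Placeholders: <package-url> and <published-digest> both come from the download page.

# verify_package FILE DIGEST
# Compares FILE against DIGEST (SHA-256 or SHA-512 hex, chosen by length) and
# returns 0 only on an exact match, so a corrupted or swapped download is never installed.
verify_package() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case ${#expected} in
        64)  tool=sha256sum ;;
        128) tool=sha512sum ;;
        *)   echo "verify_package: unexpected digest length ${#expected}" >&2; return 2 ;;
    esac
    actual=$($tool "$1" | cut -d' ' -f1) || return 2
    [ "$actual" = "$expected" ]
}

# install_cmd FILE
# Prints the install command for the package flavour offered on the download page
# (Red Hat RPM, Debian .deb, or the generic TGZ unpacked under /opt); other names are rejected.
install_cmd() {
    case "$1" in
        *.rpm) echo "rpm -ivh $1" ;;
        *.deb) echo "dpkg -i $1" ;;
        *.tgz) echo "tar -xzf $1 -C /opt" ;;
        *)     echo "install_cmd: not a Splunk package name: $1" >&2; return 1 ;;
    esac
}

# fetch_package URL DIGEST
# Downloads URL into the current directory (the same wget link the course pastes),
# verifies it, and prints the local file name; on a mismatch the file is deleted.
fetch_package() {
    file=${1##*/}
    wget -q -O "$file" "$1" || { echo "fetch_package: download failed" >&2; return 1; }
    if ! verify_package "$file" "$2"; then
        echo "fetch_package: digest mismatch, removing $file" >&2
        rm -f "$file"
        return 1
    fi
    echo "$file"
}

# Usage: sh fetch_splunk.sh <package-url> <published-digest>
# Prints the verified file name and the install command to run as root.
if [ $# -eq 2 ]; then
    pkg=$(fetch_package "$1" "$2") || exit 1
    printf 'verified %s\ninstall with: %s\n' "$pkg" "$(install_cmd "$pkg")"
fi
```

The install command is printed rather than executed so the root step stays a deliberate action after the digest check has passed; the script does not need root itself.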
15. Splunk Package Downloads: Part 3
Previously, we downloaded Splunk on our local machine and also on the cloud machine where we need to install Splunk. Now let's see how we can download the Universal Forwarder. For downloading the Universal Forwarder, you can either directly click on the link in the document or Google "Splunk Universal Forwarder"; the first link that pops up should be your link to download the Splunk Universal Forwarder. Now, if you click on the link that is provided in the document, it will take you to this page. If you have not registered, go ahead and register. If you have previously registered, click Login. If you're already logged in, refresh the page. Since I've already logged in, I'll just refresh the page, and I'll be able to see the link to download the Universal Forwarder. As of today we have 6.6.2; that is the latest version of Splunk available at the time of this tutorial. We have lots of varieties when we compare it to the Splunk Enterprise package, because the Splunk Enterprise package had a Linux version, Solaris, Windows, and also probably AIX, I believe. No, it was Windows, Linux, Solaris, and macOS; it had just the four flavours. But when you look at the Universal Forwarder, it has three more, because the remote data source can be from many different sources: a Windows machine, a Linux machine, a Solaris machine, a Mac machine, any other flavour of Linux, or even HP or IBM servers. There are many variants. And since the Splunk Universal Forwarder is a lightweight package, it is almost one third of the package that Splunk Enterprise offers: that was close to 220 megabytes, but this is like 54 MB. So it is much more lightweight, and it consumes less processing. When you compare it to the RAM and CPU usage of any other process, it is very lightweight, and it sits on the remote machines without affecting their performance. We can download the Windows version as part of this tutorial; we'll be installing the Windows client to fetch data from the Windows machine.
Again, it has a command-line option where you can click and download this, or you can wait for this download to finish and then copy it to all the Windows machines where you would like to install the Universal Forwarder.
16. Splunk Add on and Application downloads
From our previous lectures, we have seen that there are apps that can be added to Splunk, which add tremendous value to our Splunk installation. Let's see how we can download some of these apps. To download apps for Splunk, you can click on the links provided as part of this document, or you can directly type in apps.splunk.com or splunkbase.splunk.com. As you click on those links, you'll be redirected to this site, where Splunk has lots of applications that are categorised based on technology, vendor, author, or industry. There is a wide variety of apps freely available for download, which makes it very dynamic, and you can get almost any kind of app here because the community is evolving so rapidly: a lot of new apps are being put onto this site almost every week. This site is maintained by Splunk, but it is widely used by Splunkers all around the world who like to exchange information, create apps, upload the apps, interact with the users, and troubleshoot apps. This information is used by the app developers to make their apps more usable by a wide variety of industries. Let's look at some of the apps using keywords like "Linux"; I need a Linux app or a Linux technology app. Let's see what pops up. I have one Splunk app for Linux (auditd). These are a few examples of Linux-based applications. Similarly, you can select based on the products (let's say we want only those that support a particular Splunk product), the categories based on the industry that you want to choose, and the technology organisation. Let us return to the home page and attempt to filter based on technology. Let's say I need security, fraud, and compliance apps. You can see everything related to security under this, and the most common apps will be under "featured apps," which are the ones most commonly used by many organisations.
That was category-wise. Now we'll move on to technology, where you can see which apps people are using based on their specific technology. There is a menu for Splunk Built apps. These are authorised, and you get official support from Splunk, and you can also use these tags while asking questions at answers.splunk.com. Basically, this is where you find all the applications and the add-ons related to your Splunk environment. Let's try to download some of them now. Let us try the Windows app. There is an app for Windows that is most common across organisations; it is known as the Splunk App for Windows Infrastructure. As you can see, there are many downloads and installs. That shows how many different environments are using this app. The more downloads or the more installs, the better: that means you have more chances of getting support, or fewer issues using this app. There is also documentation where you can see how to deploy and configure this app. And since we have already logged in to our portal, if you click on "Download," it gives us a small agreement, which is checked by default, and it will start downloading our app. We have downloaded our app, and this is how you download any app on this site. If you are logged in, you can probably download a bunch of them at once by going through them. If you're just looking for information, it's probably best to browse by category or technology so you know exactly what you're looking for. And the most reviewed or most installed apps will be shown on top so that you can pick and choose the best one.
17. Splunk GUI Overview: Part 1
In our previous tutorials we have seen how to download the Splunk packages and which packages for Splunk are available. Now let's see how Splunk actually looks. As I said, I already have my Splunk instance set up on Amazon AWS, but we will be covering the installation of Splunk in a later part of the tutorial. Let's log into our Splunk. Let's go to our Amazon AWS. So this is the IP of the instance; I've opened it on port 8000, because by default the Splunk GUI, or the Splunk Web process, runs on port 8000. Let me log in. This is a simple Splunk instance that is running on Amazon Web Services with some basic infrastructure, just for demo purposes during this tutorial. So once you log in, you'll be seeing this page, which is also known as the launcher screen or the welcome screen; it is the default welcome page for all users and can be customised to a great extent. For the simplicity of the tutorial, we will leave this as it is for now. But first, let's start with the Splunk icon, which is like the home button on your mobile phone: no matter where you are in Splunk, if you click on the Splunk icon, you will be brought to your home page. The next link, right next to the home button, is the Apps menu, which shows the list of apps that are installed on Splunk. As of now, we have just the Search and Reporting app, which is the basic app that comes as part of all Splunk instances. The next link in the top menu is the user menu, which displays "Administrator" since I've logged in with admin credentials. If you are logged in as a normal user or another user, it will display your name, whatever is mentioned as part of the user profile. This has many links related to the user profile, where you can change your password, set your time zone, and so on; most of them are self-explanatory.
Here you can reset your password and set your time zone to whatever location you are in. The Launcher is the default application that you want to see by default; the second one is Search. These are some built-in apps that will be covered later. So just remember that the default is the Launcher; Search is the Search and Reporting app. There is also an option to restart your background jobs in case Splunk restarts, so that your background jobs re-initiate. These are some default Splunk modes, which you can customise as you require, and the theme for highlighting syntax while writing search queries. These are some basic, self-explanatory account settings which you'll be able to try as part of this tutorial: you'll be getting free access for 30 days, so you can go around all these links once you get free access to the demo instance, which is part of the complete package of this Splunk tutorial. Moving on to our next link on the top menu, Messages: here you can see all Splunk-related errors, warnings, and licence violation messages, which, as a Splunk admin or architect, you should make sure you keep an eye on almost all the time. The next is the Settings tab, which is the most important and crucial one and includes all the configuration related to Splunk. We will go through this complete settings module in a separate section, to keep this initial overview session short. Let's move on to the next step. Next is the Activity tab. Here you'll be able to see and analyse Splunk performance: how many searches are running, who is running them, how long the searches have been running, and what the status of the searches on this Splunk instance is. When you click on the Jobs link, you'll see that I ran a couple of searches a few days ago that were successful. And if you look at all the searches that have been performed, you will notice that there has only been one search.
This was just for testing whether my instance was up or down and whether it was indexing some data or doing something else; it was up and running. So this information is used for troubleshooting your Splunk performance.
18. Splunk GUI Overview: Part 2
The submenu in the Activity tab is the menu called "Triggered Alerts." This is the location where all the alerts that are triggered will be logged, which can be useful for analysing and checking whether alerts are triggered or not, how many alerts are triggered per day, or which alerts are triggered by a single rule. Once alerts fire, you'll be able to see all of them under this menu; because this is a new installation with little data ingestion or searching activity, as of now we don't have any alerts that are triggered or created in this instance. And the final tab in the top menu is Help, which can be very resourceful at any stage of a Splunk user's career. Let's go through them quickly, one by one. The first one, What's New, takes us straight to the documentation site of Splunk, where you can search for any topic related to Splunk, check for the newer version of Splunk, or see what's new with the latest releases. The second link takes you to the documentation site, where you will have access to the Splunk Enterprise documentation, downloads and each step-by-step guide, and where you'll be able to search and find answers. The one good thing about Splunk is that the complete documentation is kept open. If you click on Tutorials, it will take you directly to the documentation site, where you'll find complete resources to learn and understand Splunk. But the only problem is that Splunk is so big that, if you combine all the documents together, it will give you something like 3000 or 4000 pages of documentation; going through them will be a mess. Search Tutorials takes you directly into a short tutorial on how to create reports, charts, dashboards, and enrich your data. We'll be going through all this one by one, but probably in a different order, which will be much more useful. Let's see some of the other important links in the Help menu.
The Splunk Answers site is one of the most informative and highly active Stack Overflow-style sites for Splunk. If you click on that link, it will take you directly to answers.splunk.com, where a huge number of people are constantly asking questions and posting answers to help other members of the Splunk community. If you are already logged in, you can directly click on "Ask a Question" and a menu will pop up. Whatever the question, however basic it is, no issues. You can probably search before asking a question to see if somebody has asked the same question, and you'll find the answer probably 80% to 90% of the time, because the community has been around for a very long time and is very active. The last link, I believe, is the Contact Support link to the Splunk portal, where you log an incident with Splunk Support through your customer portal, and based on its priority it will be resolved. The next link is the Help page, which takes you right back to the documentation, to the admin manual. This is also one of the important manuals, where you will be able to get the configuration references for Splunk. I highly recommend you download this manual and go through it whenever you have time. This link is context-sensitive: depending on which page of Splunk you clicked the Help menu on, it takes you directly to all the activities related to that page or the functionality present on that page, which gives you a complete picture of how it works, what options it has, and how you can configure it. The final one, About, is the link which shows you the build version and details of your Splunk installation, and also the app version. Since this is the default app, your app version will be the same, 6.6. That is our current version, and this is the build version.
19. Splunk GUI Overview: Part 3
In our previous lecture, we went through the Splunk top menu and all the links in those menus. Now let's get inside an app and see what the app menu and other features look like. I'll be using the Search and Reporting app, which is the default app. It has five different menus, of which Search is the default menu, so that as soon as we click the app we land on the search page. The other menus are Datasets, Reports, Alerts, and Dashboards. We'll do a complete walkthrough of the Search menu and give a brief overview of all the other menus, so let's leave the Search menu for last. Datasets was previously known as Pivot. It is used like the typical pivot function in Excel, where you can build visualisations just by clicking and selecting pivots or datasets. For example, I have one dataset called "Splunk internal server log." Since this is a new instance, let's see whether we have any events related to our internal logs. Okay, we do have some events related to our internal logs. On the left side, you can see there are a lot of visualisation features; when you click on them, the chosen type of visualisation will appear. For this tutorial we'll cover this only very briefly, but in the future we'll go through how to create a new pivot, how to visualise, how to customise, how to add it to a dashboard, and how to add or use pivot components in reports. For now, think of it as a simple Excel pivot where you can visualise data without writing any queries. Moving on, the next menus are Reports, Alerts and Dashboards. These tabs are self-explanatory and are used to search, create or manage a report, alert or dashboard, or even accelerate a report, respectively. Now let's continue with our Search menu, which is the most important and most informational menu in any app. This is known as the search bar.
You write your queries, based on custom conditions, in the white rectangle just below the Search heading, to pick the needle from the haystack. This is where you'll be writing all your queries to fetch the data, probably from the millions or billions of events that the organisation is generating every day. Right next to the search bar there's a time selector, which is set to the last 24 hours by default and is completely customisable; these are some of the preset ranges that are commonly used while searching in Splunk. There is a search icon next to the time selector, so after you choose a time range, you can click Search to begin searching, or you can use the Enter key. Let's search for something pretty basic: I'll search the Splunk audit logs for the last 60 minutes. We'll come to writing search queries, and what they mean, in the later parts of our tutorials. As soon as I hit Enter, the entire bottom of the screen, just below the search bar, changes. We started our search by typing index=_audit and pressing Enter, which is nothing more than telling Splunk to search its local audit trail, or audit logs. Just below this, there is some text displayed saying that from this time to this time, which is nothing but our last 60 minutes, there were 3000 events and there was no event sampling. Event sampling is basically used for predicting a trend, and we can set a sample size for how many events to sample. And there is a Job menu that is used to edit these jobs: whether to expire it, and who can view this job, whether only yourself or everybody with this link. There is a lifetime, which you can specify; by default, I believe it's ten minutes, and you can set it to seven days, whereas if you share this job, by default it will be kept for seven days. So, that is one more option.
Inspect Job: whenever your query is throwing errors, the performance is very slow, or the search takes a very long time to return, the job inspector will help you troubleshoot such issues. Delete Job just removes it from the search page, so that even if you run the same search again, it will start from scratch; it doesn't pop up as it was. That is the case with this menu.
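The same "index=_audit over the last 60 minutes" search that the lecture types into the search bar can also be run from the shell against Splunk's REST API. This is an added example, not code from the course; it assumes the management port 8089 (Splunk's default, which the lecture does not mention alongside the web port 8000) and placeholder SPLUNK_HOST and SPLUNK_AUTH values. Two details the web UI hides are handled here: the jobs endpoint wants a full pipeline that starts with the search command, and the time range must be a time modifier of the kind the time picker produces.

```shell
#!/bin/sh
# Added example, not from the course: run "index=_audit" for the last 60 minutes
# through the Splunk REST API instead of the web search bar.
# Assumptions: management port 8089 (Splunk default); SPLUNK_HOST and SPLUNK_AUTH
# (user:password) are placeholders supplied by the caller.

# spl_normalize QUERY
# The search bar silently prepends the "search" command; the REST API does not,
# so a bare "index=_audit" is prefixed here. Pipelines that already start with
# "search" or with a generating command ("| tstats ...") pass through unchanged.
spl_normalize() {
    case "$1" in
        "search "*|"|"*) printf '%s' "$1" ;;
        *)               printf 'search %s' "$1" ;;
    esac
}

# valid_time_modifier VALUE
# Accepts only the relative time modifiers the time picker itself produces
# (e.g. -60m, -24h, -7d@d, now), so a caller cannot smuggle other text into the request.
valid_time_modifier() {
    printf '%s' "$1" | grep -Eq '^(now|-?[0-9]+(s|m|h|d|w|mon|y)(@(s|m|h|d|w|mon|y))?)$'
}

# run_audit_search [QUERY] [EARLIEST]
# Submits the search to the export endpoint, which streams the results back in
# one call (no job id to poll), and prints them as JSON, one event per line.
run_audit_search() {
    spl=$(spl_normalize "${1:-index=_audit}")
    earliest=${2:--60m}
    if ! valid_time_modifier "$earliest"; then
        echo "run_audit_search: rejected earliest_time '$earliest'" >&2
        return 1
    fi
    # -k accepts Splunk's self-signed management certificate; once the instance
    # has a proper certificate, point curl at your CA bundle with --cacert instead.
    curl -sk -u "$SPLUNK_AUTH" \
        "https://${SPLUNK_HOST:-localhost}:8089/services/search/jobs/export" \
        --data-urlencode "search=$spl" \
        --data-urlencode "earliest_time=$earliest" \
        --data-urlencode "latest_time=now" \
        -d output_mode=json
}

# Usage: SPLUNK_HOST=<ip> SPLUNK_AUTH=admin:<password> sh audit_search.sh
if [ -n "$SPLUNK_AUTH" ]; then
    run_audit_search "index=_audit" "-60m"
fi
```

The export endpoint is used instead of creating a job and polling it because, for an audit check, the whole result set is wanted at once; the job-lifetime and sharing settings described above only apply to jobs created through the search bar or the jobs endpoint.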
Pay a fraction of the cost to study with the Exam-Labs SPLK-1003: Splunk Enterprise Certified Admin certification video training course. Passing the certification exams has never been easier. With the complete self-paced exam prep solution, including the SPLK-1003: Splunk Enterprise Certified Admin certification video training course, practice test questions and answers, exam practice test questions and study guide, you have nothing to worry about for your next certification exam.