Create a Splunk index

Splunk stores the events in separate databases based on index names. It is faster to search for events if the event types are separated into multiple indexes. To create an index for the event type you want to send to Splunk: in the Settings menu select Indexes, click the New Index button, enter the name of the …

Enable the HTTP Event Collector in Splunk

To send events to Splunk via HTTP posts, enable the HTTP Event Collector functionality on the Splunk Enterprise server. If you operate your own Splunk server: log into the Splunk web interface as an administrator, in the Settings menu select Data inputs, select the HTTP Event Collector link, and in the upper right corner click the …

How to send an event to the Splunk HTTP Event Collector

The Splunk HTTP Event Collector is the preferred way to send events to Splunk. The Splunk HTTP Event Collector closes the connection if you don't use HTTPS when you are sending a POST message; curl then reports:

Recv failure: Connection reset by peer

To send the event from the Macintosh Bash terminal (the -k flag tells curl to skip TLS certificate verification):

curl -k https://MY_SPLUNK_SERVER_IP:8088/services/collector -H 'Authorization: Splunk MY_TOKEN' …

Splunk App for AWS

To collect data from AWS, install the Splunk App for AWS plugin. The app currently can collect information from AWS Config, Config Rules, CloudTrail, Inspector, CloudWatch, CloudWatch Logs, Billing, S3, Kinesis, and Metadata.

New data source: to set up a new data source, click the Set up button.

Already set up data source: to add a …

Splunk configuration

Splunk stores the configuration values in files in the /opt/splunkforwarder directory structure.

Splunk client configuration (description, location, example):

Splunk Deployment server
  Location: /opt/splunkforwarder/etc/system/local/deploymentclient.conf
  Example: targetUri = DEPLOYMENT_SERVER_URL:8089

Splunk Forwarder address
  Location: /opt/splunkforwarder/etc/apps/tcpout-aws/local/outputs.conf
  Example: server = FORWARDER1_ADDRESS:9997,FORWARDER2_ADDRESS:9997

Linux event log (Splunk tails this file)
  Location: /var/log/messages
  To log a message in the Linux event log: logger "My message"

To …

Splunk lookups

Lookups provide readable information to users, so they don't have to understand the returned codes in the reports. Lookups are defined for a specific app and are not accessible from other apps.

Lookup options: lookup code, description (input, output) values can be defined in multiple ways: a comma-delimited text file (csv), search results saved as a lookup …

The Splunk Search Language (SPL)

Search Terms: see Searching in Splunk.
Commands: tell Splunk what we want to do with the search result (charts, computing statistics, formatting).
Functions: explain how we want to chart, compute and evaluate the results.
Arguments: variables we apply to the functions.
Clauses: grouping and definition of results.
Separator: use pipes (|) to separate the components …

Searching in Splunk

When you are building the search criteria, click the field and value in the search result to add it to the search.

Wildcard character: * (asterisk) matches one or multiple characters.
Exact phrases: use " (double quotes).
Search for quotes: \" (use a backslash to escape quotes if you want to search for quotes).
Keywords in the search …