Splunk troubleshooting
Universal Forwarder: SSH into the server running the Universal Forwarder. To verify if the forwarding is configured
Create a Splunk index
Splunk stores the events in separate databases based on index names. It is faster to search for events if the event types are separated into multiple indexes. To create an index for the event type you want to send to Splunk: in the Settings menu select…
Enable the HTTP Event Collector in Splunk
To send events to Splunk via HTTP posts, enable the HTTP Event Collector functionality on the Splunk Enterprise server. If you operate your own Splunk server: log into the Splunk web interface as an administrator. In the Settings menu select Data inputs…
How to send an event to the Splunk HTTP Event Collector
The Splunk HTTP Event Collector is the preferred way to send events to Splunk. The Splunk HTTP Event Collector closes the connection if you don't use HTTPS when you are sending a POST message: "Recv failure: Connection reset by peer". To send the…
Splunk App for AWS
To collect data from AWS, install the Splunk App for AWS plugin. The app currently can collect information from AWS Config, Config Rules, CloudTrail, Inspector, CloudWatch, CloudWatch Logs, Billing, S3, Kinesis and Metadata. New data source: to set up a new…
Splunk configuration
Splunk stores the configuration values in files in the /opt/splunkforwarder directory structure. Splunk client settings (description, location): Splunk Deployment server: /opt/splunkforwarder/etc/system/local/deploymentclient.conf. Example: targetUri =…
Splunk lookups
Lookups provide readable information to users, so they don't have to understand the returned codes in the reports. Lookups are defined for a specific app and are not accessible from other apps. Lookup options: lookup code, description (input, output)…
The Splunk Search Language (SPL)
Search terms: see Searching in Splunk. Commands: tell Splunk what we want to do with the search result (charts, computing statistics, formatting). Functions: explain how we want to chart, compute and evaluate the results. Arguments: variables we apply to…
Searching in Splunk
When you are building the search criteria, click the field and value in the search result to add it to the search. Wildcard character: * (asterisk) matches one or multiple characters. Exact phrases: use " (double quotes). Search for quotes: \" (use…
Splunk user management
The default Splunk user roles are Admin, Power User