| Deployment area | Collecting large amounts of machine generated data | Iterative applications & in-memory processing |
| Nature of tool | Proprietary | Open Source |
| Working mode | Streaming mode | Both streaming and batch mode |
Splunk is a powerful platform for searching, analyzing, monitoring, visualizing and reporting on your enterprise data. It acquires important machine data and converts it into operational intelligence, giving real-time insight into your data through alerts, dashboards, charts, etc.
Splunk works in three phases:
Splunk has four important components:
Splunk has two types of forwarder:
An alert is an action that a saved search triggers at regular intervals over a time range, based on the results of the search. When an alert is triggered, various actions occur as a consequence; for instance, sending an email to a predefined list of people when a search is triggered.
Three types of alerts:
SPL commands are divided into five categories:
Common port numbers on which Splunk services run by default are:
| Service | Default port |
| Splunk Management Port | 8089 |
| Splunk Index Replication Port | 8080 |
| Splunk Web Port | 8000 |
| Splunk Indexing Port | 9997 |
| Splunk network port | 514 |
A directory that contains indexed data is known as a Splunk bucket. It also contains events of a certain period. The bucket lifecycle includes the following stages:
$SPLUNK_HOME/bin/splunk enable boot-start
$SPLUNK_HOME/bin/splunk disable boot-start
The eval command evaluates an expression and assigns the resulting value to a destination field. If the destination field matches an already existing field name, the existing field is overwritten with the result of the eval expression. This command evaluates Boolean, mathematical and string expressions.
Using the eval command:
The lookup command enriches events by taking the value of a field in each event, finding the matching row in a lookup table, and adding the fields of that row to the event.
… | lookup usertogroup user as local_user OUTPUT group as user_group
The inputlookup command returns the whole lookup table as search results.
…| inputlookup intellipaatlookup returns a search result for every row in the table intellipaatlookup, which has two field values:
The outputlookup command writes the current search results to a lookup table on disk.
...| outputlookup intellipaattable.csv saves all the results into intellipaattable.csv.
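To make the three lookup commands concrete, here is an added example (not code from the page) that models their semantics in Python: a constructed CSV table named usertogroup, a constructed set of events carrying a local_user field, and functions that reproduce lookup ... OUTPUT ..., inputlookup and outputlookup over them. Everything here is assumed for illustration; only the command syntax comes from the page.

```python
import csv
import io

# Constructed CSV lookup table named "usertogroup" (not from the page).
USERTOGROUP_CSV = "user,group\nalice,admins\nbob,analysts\n"

# Constructed search results: each event is a dict of field -> value.
EVENTS = [
    {"_time": "2024-01-01T10:00:00", "local_user": "alice", "action": "login"},
    {"_time": "2024-01-01T10:05:00", "local_user": "bob", "action": "login"},
    {"_time": "2024-01-01T10:07:00", "local_user": "mallory", "action": "login"},
]


def inputlookup(csv_text):
    """inputlookup <table>: return every row of the table as a search result."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events, table, match, output):
    """lookup <table> <lfield> AS <efield> OUTPUT <lfield> AS <efield>.
    match/output are (lookup_field, event_field) pairs; events without a
    matching row pass through unchanged, as in Splunk."""
    lookup_field, event_field = match
    index = {row[lookup_field]: row for row in table}
    result = []
    for event in events:
        event = dict(event)
        row = index.get(event.get(event_field))
        if row is not None:
            for src, dst in output:
                event[dst] = row[src]
        result.append(event)
    return result


def outputlookup(events, fields):
    """outputlookup <file>: serialise the current results as a CSV lookup table."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for event in events:
        writer.writerow({f: event.get(f, "") for f in fields})
    return buf.getvalue()


def demo():
    """... | lookup usertogroup user AS local_user OUTPUT group AS user_group"""
    table = inputlookup(USERTOGROUP_CSV)
    return lookup(EVENTS, table, ("user", "local_user"), [("group", "user_group")])
```

Note that the unmatched user (mallory) keeps no user_group field, which is the case a detection rule keyed on that field has to handle.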
transaction – Groups events that meet various constraints into transactions, where a transaction is a collection of events, possibly from multiple sources.
The sort command sorts search results by the specified fields.
sort [<count>] <sort-by-clause>... [desc]
... | sort num(ip), -str(url)
This sorts the results by the ip value in ascending numeric order and by the url value in descending string order.
Search head pooling is a group of connected servers that share load, configuration and user data, whereas search head clustering is a group of Splunk Enterprise search heads that serve as a central resource for searching. Since the search head cluster supports member interchangeability, the same searches and dashboards can be run and viewed from any member of the cluster.
Alert manager displays the list of most recently fired alerts, i.e. alert instances. It provides a link to view the search results from that triggered alert. It also displays the alert’s name, app, type (scheduled, real-time, or rolling window), severity and mode.
SOS stands for Splunk on Splunk. It is a Splunk app that provides a graphical view of the performance and issues of your Splunk environment.
It has the following purposes:
It is a general SQL database plugin that permits you to easily combine database information with Splunk queries and reports. It provides reliable, scalable and real-time integration between Splunk Enterprise and relational databases.
The Splunk App Framework resides within Splunk’s web server and permits you to customize the Splunk Web UI that comes with the product and to develop Splunk apps using the Splunk web server. It is an important part of the features and functionalities of the Splunk Software, and it does not license users to modify anything in the Splunk Software.
Splunk SDKs are designed to allow you to develop applications from the ground up and not require Splunk Web or any components from the Splunk App Framework. These are separately licensed to you from the Splunk Software and do not alter the Splunk Software.
The indexer is a Splunk Enterprise component that creates and manages indexes. The main functions of an indexer are:
Input: Splunk Enterprise acquires the raw data from various input sources, breaks it into 64K blocks and assigns them some metadata keys. These keys include the host, source and source type of the data.
Parsing: Also known as event processing. During this stage, Splunk Enterprise analyzes and transforms the data: it breaks the data into streams, identifies, parses and sets timestamps, and performs metadata annotation and transformation of the data.
Indexing: In this phase, the parsed events are written to the disk index, including both the compressed data and the associated index files.
Searching: The ‘Search’ function plays a major role during this phase, as it handles all searching aspects (interactive and scheduled searches, reports, dashboards, alerts) on the indexed data and stores saved searches, events, field extractions and views.
The replace command performs a search-and-replace of specified field values with replacement values. The values in a search and replace are case sensitive. Syntax:
replace (<wc-string> WITH <wc-string>)... [IN <field-list>]
… | replace *localhost WITH localhost IN host
This changes any host value that ends with “localhost” to “localhost”.
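The page's replace example, worked through as an added Python model (not code from the page) of the command's wildcard matching: the wc-string's * becomes an anchored regex, matching is case sensitive, and only the fields named after IN are touched. The events are constructed, and the replacement side is treated as a literal here, which is a simplification of the real command.

```python
import re


def wildcard_to_regex(pattern):
    """Turn a Splunk wc-string (only * is a wildcard) into an anchored regex."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def replace(events, pairs, fields=None):
    """replace (<wc-string> WITH <wc-string>)... [IN <field-list>]

    pairs  - (match_pattern, replacement) tuples; matching is case sensitive
    fields - names of the fields to touch; None means every field, as in Splunk
    The replacement side is treated as a literal here (no wildcard carry-over).
    """
    compiled = [(re.compile(wildcard_to_regex(old)), new) for old, new in pairs]
    out = []
    for event in events:
        event = dict(event)
        for name in (fields if fields is not None else list(event)):
            value = event.get(name)
            if not isinstance(value, str):
                continue
            for rx, new in compiled:
                if rx.match(value):
                    event[name] = new
                    break
        out.append(event)
    return out


# Constructed events (not from the page) exercising the page's example.
EVENTS = [
    {"host": "web01.localhost", "src": "10.0.0.5"},
    {"host": "db.localhost", "src": "10.0.0.9"},
    {"host": "web01.LOCALHOST", "src": "10.0.0.7"},  # case differs: untouched
    {"host": "bastion", "src": "db.localhost"},       # src not in IN list: untouched
]


def demo():
    """... | replace *localhost WITH localhost IN host"""
    return replace(EVENTS, [("*localhost", "localhost")], ["host"])
```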
File precedence in Splunk is as follows:
The regex command removes results that do not match the specified regular expression.
regex (<field>=<regex-expression> | <field>!=<regex-expression> | <regex-expression>)
Splunk’s default configuration is stored in $SPLUNK_HOME/etc/system/default.
To reset the password, follow these steps:
rest /servicesNS/-/-/saved/searches splunk_server=loca
stats – This command produces summary statistics of all existing fields in your search results and stores them as values in new fields.
eventstats – It is the same as the stats command, except that the aggregation results are added inline to every event, and only if the aggregation is applicable to that event. It computes the requested statistics in the same way as stats but attaches them to the original raw events.
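The stats/eventstats distinction above, shown as an added Python example (not code from the page) over constructed authentication events: stats collapses each group to one summary row, eventstats keeps every event and annotates it, and a detection that wants "a success after N failures for the same user" needs the second behaviour. The events, the failures field and the threshold are assumptions for this illustration.

```python
from collections import Counter

# Constructed authentication events (not from the page), the input to both commands.
EVENTS = [
    {"_time": 1, "user": "alice", "src": "10.0.0.5", "action": "failure"},
    {"_time": 2, "user": "alice", "src": "10.0.0.5", "action": "failure"},
    {"_time": 3, "user": "alice", "src": "10.0.0.5", "action": "success"},
    {"_time": 4, "user": "bob", "src": "10.0.0.9", "action": "failure"},
    {"_time": 5, "user": "bob", "src": "10.0.0.9", "action": "success"},
    {"_time": 6, "src": "10.0.0.1", "action": "probe"},  # no user field
]


def stats_count(events, by):
    """stats count BY <by>: one summary row per group; the events themselves are gone."""
    counts = Counter(e[by] for e in events if by in e)
    return [{by: key, "count": n} for key, n in sorted(counts.items())]


def eventstats_count(events, by, field="count", where=None):
    """eventstats count(eval(<where>)) AS <field> BY <by>: every event is kept and
    the group's count is written into each event that has the by-field.
    Events without the by-field get no count, as the aggregation does not apply."""
    counts = Counter(e[by] for e in events if by in e and (where is None or where(e)))
    out = []
    for e in events:
        e = dict(e)
        if by in e:
            e[field] = counts[e[by]]  # Counter returns 0 for a user with no hits
        out.append(e)
    return out


def failures_then_success(events, min_failures=2):
    """A detection that needs eventstats rather than stats:

        ... | eventstats count(eval(action="failure")) AS failures BY user
            | where action="success" AND failures>=2

    stats would collapse each user to one row and lose the success event itself.
    """
    annotated = eventstats_count(events, "user", "failures", lambda e: e["action"] == "failure")
    return [e for e in annotated
            if e["action"] == "success" and e.get("failures", 0) >= min_failures]
```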