Data Onboarding Introduction Flashcards
What are regex uses in Splunk?
a) parsing data and line breaking
b) extracting data at search time or index time
c) to extract fields within your SPL (Search Processing Language)
Why is parsing data correctly (using regex) very important?
Because incorrectly parsed data can have the details of a single event cut off too early, or two separate events merged into one single event.
In which .conf file do we configure the way that Splunk parses data?
props.conf
What is line breaking?
It tells Splunk where the old event ends and the new one begins. These are the common characters used:
\r - Carriage return character
\n - New line character
What is the line breaking regex?
([\r\n]+)
This is the default line-breaking regex used when parsing data in Splunk.
Tell us about index-time vs search-time extraction
Index-time extraction simply means that the indexers are told to extract field/value pairs from the data as they are committing it to disk.
Search-time extraction means that the search head performs the extractions as it brings your data back from the indexer. When it presents the data to you, it shows you these field/value pairs.
Search time extraction is a better option.
What does onboarding mean in Splunk?
Onboarding simply means bringing your data into Splunk.
What are some types of environments?
a) PROD (production) - where all changes are finalized and go live.
b) DEV (development) - most commonly used for testing and development. Sometimes isolated from PROD, sometimes connected. This environment is unpublished and an exact copy of PROD.
c) UAT (User Acceptance Test) - once the testing phase is over, the users who will be using the application must accept your work at their end.
d) Sandbox (testing) - an isolated environment where you can safely write code and run tests without any communication with the production environment.
DEV -> UAT (optional) -> PROD
What are some different ways to onboard data?
a) Standard Onboarding - via UF
b) Syslog
c) HEC (HTTP Event Collector)
d) API collection
e) Scripted inputs
f) One Shot upload
What are the primary .conf files for onboarding?
inputs.conf
outputs.conf
authentication.conf
authorize.conf
serverclass.conf
indexes.conf
props.conf
transforms.conf
What are "tools" in a work environment?
Different applications, devices, etc. that companies use.
Give a quick overview of data onboarding
- The first thing we do is get the requirements from the customer/data owner about the data (where we can find the logs, where to send them, from which servers we will gather logs, the source type, etc.)
- Decide whether you will use a custom or a premade TA
- Decide which method of onboarding you will use to bring the data in
- Decide where the data will reside in Splunk, and which index you will use
- You should receive a sample log from the data owner for testing purposes, and use props.conf to test it
- Bring the data in through the proper .conf files
- Decide who gets access to the data