Splunk 101 Flashcards
What is Machine Data?
Machine data is automatically generated by programmable things, like factory machinery, smart cars, smart city systems, IoT devices, IT infrastructure, and the smartphones we carry.
What does Splunk software do?
Splunk gathers, analyzes, filters, and refines big piles of machine data and makes them searchable, to aid (mostly business) decision making.
What is Splunk?
Splunk is proprietary software that logs, stores, and analyzes enormous amounts of data quickly to derive insights from the patterns discovered.
What are 3 basic components of Splunk?
Forwarder: collects data at the source and forwards it to the indexers.
Indexer: stores and organizes data, and makes it searchable.
Search Head: transforms data into desired end products, such as reports and alerts.
What is a database?
A database is an organized collection of structured information, or data, typically stored electronically in a computer system.
Give a few examples of databases
MySQL, SQL Server, Oracle, Redis
What is a forwarder and what does it do?
A forwarder collects data at the source and forwards it on to the indexers for processing.
What is an indexer and what does it do?
An indexer parses, organizes and stores data, and maintains searchable copies of data.
What is a search head and what does it do?
A search head allows a user to retrieve data and transform it into usable insights using reports and alerts.
How does data flow through Splunk?
From the source, data is collected by the forwarder and sent to the indexers for parsing, processing and storage. Users then access the search head, which communicates with the indexers to retrieve the data the user is looking for.
What is a deployment server and what does it do?
A deployment server is a configuration manager that sends configurations (or settings that tell a server how to behave) to any cluster of servers. It can be used with all three main components: forwarders, indexers or search heads.
What is a deployment client?
A deployment client is any server that receives configurations from the deployment server. That could be a forwarder, a search head or an indexer.
What is a serverclass?
A serverclass is a logical grouping of deployment clients that are meant to receive the same set of configurations. A serverclass can be grouped by location, by machine type, by component, or any combination of these.
How does serverclass relate to the deployment server?
A serverclass relates to a deployment server because a deployment server must have a targeted group of servers set up to receive its configurations. We do this by putting servers into serverclasses that will all receive the same set of config files.
What is the purpose of configuration files in Splunk?
Configuration files program the behavior of a server by setting attributes. This is similar to going into “Preferences” of a new cellphone to configure your preferred settings, or changing the “Settings” within a computer.
Name the 4 basic indexer and forwarder level configuration files, and what they do.
inputs.conf - tells Splunk which files to monitor within a server
outputs.conf - tells Splunk where to send the data that it has collected
indexes.conf - configures the indexes and instructs the indexers on how to retain the incoming data
props.conf - stands for "properties", and configures the properties of the incoming data and the way it is parsed
How are serverclasses, deployment servers, deployment-apps and inputs.conf all connected?
You place an inputs.conf file within the deployment-apps directory on the deployment server; this configuration file tells a server which directory to monitor.
On the deployment server, you then create a serverclass, where you place the inputs.conf. You then add the client(s) that need to receive this configuration. Once a client is added to a serverclass, it will receive whatever configurations are also placed within the serverclass.
How would you install any Splunk component that is not a universal forwarder?
Via the Splunk Enterprise installer package. Technically you do not install a specific Splunk component; you install the package and then configure it to act as the desired component.