Getting started with Splunk user interface:
Splunk collects event and log information from any data source in real time and lets you search and visualize those events as they arrive.
Data analysis is the core feature of Splunk Enterprise. It has become widely popular in IT operations, performance management, security event monitoring, forensics and compliance. It also provides predefined searches, rules for monitoring incidents, and custom visualization tools to support real-time security monitoring and alerting, incident response, and so on.
Splunk's working process has four stages: 1) Data input 2) Parsing 3) Indexing 4) Searching
There are five main components of Splunk enterprise.
- Index data
- Search and investigate
- Add knowledge
- Monitor and alert
- Report and analyze
These Splunk components make our machine data accessible, usable and readable.
1) Index data: Splunk collects data from any source in raw format. It then inspects the data and, if it recognizes the data by its source type, labels it with that source type.
It then breaks the data into individual events. Timestamps are identified and normalized to a consistent format, and the events are stored in a Splunk index, where they can be searched.
2) Search and investigate: To perform a real-time search that investigates events, you enter your search query into the Splunk search box. With a query you can find event values from multiple data sources, allowing you to analyze events and run statistics on them using the Splunk search language.
3) Add knowledge
We can create and add knowledge objects on top of our data. These let Splunk Enterprise control how data is interpreted, add classifications, normalize it, and save reports for future use.
In short, knowledge objects are user-defined entities for extracting different kinds of knowledge from existing or run-time data. Splunk's searching, alerting and reporting features give it leverage over Hadoop.
4) Monitor and alert:
Splunk can proactively monitor our entire infrastructure in real time to identify problems and attacks before they impact customer service and support. We can create alerts that monitor for specific conditions and automatically respond with a variety of actions.
5) Report and analyze
Splunk allows us to collect events and logs and transform them into reports and visualizations on dashboards.
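As an added illustration (not part of the original article and not Splunk's own code), the following Python sketch models the working steps described above on constructed sample log lines: source type labelling and timestamp normalization at parse time, an index ordered by time, a keyword search restricted by source type, a "count by field" statistic, and a threshold alert on failed logins. The sourcetype names, patterns and sample lines are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input (not real logs): two sources with different timestamp formats.
RAW_INPUT = {
    "/var/log/auth.log": (
        "Mar  3 10:15:01 host1 sshd[1203]: Failed password for root from 10.0.0.5 port 5221\n"
        "Mar  3 10:15:04 host1 sshd[1203]: Failed password for root from 10.0.0.5 port 5222\n"
        "Mar  3 10:16:10 host1 sshd[1210]: Accepted password for alice from 10.0.0.9 port 5301\n"),
    "/var/log/app/access.log": (
        '10.0.0.7 - - [03/Mar/2024:10:15:02 +0000] "GET /login HTTP/1.1" 401 512\n'
        '10.0.0.7 - - [03/Mar/2024:10:15:03 +0000] "GET /login HTTP/1.1" 401 512\n'),
}
# Parsing rules (constructed): the first matching pattern labels the sourcetype and captures the timestamp.
SOURCETYPES = {
    "linux_secure": (re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) "), "%b %d %H:%M:%S"),
    "access_combined": (re.compile(r"\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\]"),
                        "%d/%b/%Y:%H:%M:%S"),
}

def parse(source, raw):
    """Parsing step: break raw text into events, assign a sourcetype, normalise the timestamp."""
    events = []
    for line in raw.splitlines():                    # one line per event
        for sourcetype, (pattern, fmt) in SOURCETYPES.items():
            if m := pattern.search(line):
                ts = datetime.strptime(m.group(1), fmt)
                if ts.year == 1900:                  # syslog carries no year; assume 2024 (constructed)
                    ts = ts.replace(year=2024)
                events.append({"_time": ts.replace(tzinfo=timezone.utc).isoformat(),
                               "source": source, "sourcetype": sourcetype, "_raw": line})
                break
    return events

def build_index(raw_input):
    """Indexing step: store every parsed event, ordered by its normalised time."""
    return sorted((e for s, r in raw_input.items() for e in parse(s, r)), key=lambda e: e["_time"])

def search(index, term, sourcetype=None):
    """Search step: keyword match on _raw, optionally restricted to one sourcetype."""
    return [e for e in index if term in e["_raw"] and sourcetype in (None, e["sourcetype"])]

def count_by(events, field_regex):
    """Like 'stats count by <field>': group events by a regex-extracted field value."""
    return Counter(m.group(1) for e in events if (m := re.search(field_regex, e["_raw"])))

def alert(index, threshold=2):
    """Monitor-and-alert step: report source IPs whose failed logins reach the threshold."""
    counts = count_by(search(index, "Failed password", "linux_secure"), r"from (\d+\.\d+\.\d+\.\d+)")
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Running `alert(build_index(RAW_INPUT))` returns `['10.0.0.5']`, the one address with two failed logins in the sample.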
After logging into Splunk Enterprise, we are directed to the Apps. Apps are preconfigured and sit on top of a Splunk instance; you can think of an app as a workspace with specific capabilities.
“The apps you see are defined by the Splunk administrator with a role.”
The role determines what a user is able to see, do and interact with.
There are three major roles in Splunk:
- Admin: Can install apps and create knowledge objects for all users
- Power: Can create and share knowledge objects for users of an app and do real-time searches.
- User: Will only see their own knowledge objects and those shared with them.
In general, Splunk Enterprise comes with two default apps:
Home app: Allows launching and managing Splunk apps. An administrator can also add apps and data from here.
Search and Reporting app: The app where we enter search terms to locate the desired data or events in real time.
Splunk has more than 100 apps for extending Splunk Enterprise, or we can develop our own according to our needs.