How to use Splunk with tips

Yes, it is an expensive tool if you try to use it on a large network. Yes, it is not easy to use if you are not IT savvy. However, it is a clever and powerful tool. This article shares some tips and experiences with Splunk. Here are the best practices c

 

Installation

1. Download the free version from the Splunk website (Windows, Linux and Mac). I prefer to install the Linux version (faster than the Windows version, in my opinion).
2. Installation is very straightforward (about 15 minutes).

See "Splunk Installation Tips for Ubuntu".

Configuration

1. Adding data is the most important step for using Splunk properly and effectively: nothing can be searched until an input has been configured for it.

See "Add data to Splunk".

2. Use a Splunk app if you are not familiar with the data-input tools; many apps bundle the inputs and field extractions for a particular product.

Reference: http://www.splunk.com/apps

 

Searching

1. Boolean logic: AND, OR and NOT (must be capitalized). Terms separated by a space are implicitly ANDed, and parentheses group Boolean expressions.

Search for all events that contain both http and 404:
Splunk > index=sampledata http AND 404

Search for all HTTP events that do not contain 404:
Splunk > index=sampledata http NOT 404

Search for all sampledata events of sourcetype access_common or syslog:
Splunk > index=sampledata (sourcetype=access_common OR sourcetype=syslog)

Note that a bare term such as 404 matches anywhere in the raw event (a byte count or a URL can contain it too). When the sourcetype extracts fields, as access_common does, status=404 is the more precise search.

Cleaning indexes

Here is how to use the clean command. It permanently deletes indexed events, so double-check the index name before running it.


Important: You must stop Splunk before you run the clean command:

./splunk stop

1. To access the help page for clean;

./splunk help clean

2. To permanently remove event data from all indexes:

./splunk clean eventdata

3. To permanently remove event data from a single index:

./splunk clean eventdata -index [index_name]

* [index_name] is the targeted index.

** Add the -f parameter to make clean skip its confirmation prompt.

Example: remove event data from the _internal index and force Splunk to skip the confirmation prompt:

./splunk clean eventdata -index _internal -f
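The clean command is destructive and, as noted above, must only be run while Splunk is stopped. The script below is an added example written for this article, not a Splunk-supplied tool: it wraps the clean procedure in the checks a practitioner would want, refusing to run while splunkd is up, validating the index name, and refusing to wipe the _audit index (Splunk's own audit trail) unless the caller explicitly opts in. SPLUNK_HOME defaulting to /opt/splunk, the ALLOW_AUDIT_WIPE variable and the function names are this example's own assumptions; only "splunk status", "splunk stop" and "splunk clean eventdata -index <name> [-f]" are real Splunk commands.

```shell
#!/bin/sh
# Added example, not from the original post: a guard around
# "splunk clean eventdata". SPLUNK_HOME, ALLOW_AUDIT_WIPE and the function
# names are assumptions made for this script.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Return 0 if splunkd is running, 1 otherwise. "splunk status" prints
# "splunkd is running (PID: n)." or "splunkd is not running."
splunkd_running() {
    "$SPLUNK_HOME/bin/splunk" status 2>/dev/null | grep -q 'splunkd is running'
}

# Accept only letters, digits, underscore and hyphen (covers _internal, _audit).
valid_index_name() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the exact command that clean_index would run (for review/logging).
# $1 = index name, $2 = "force" to append -f and skip the confirmation prompt.
build_clean_cmd() {
    cmd="$SPLUNK_HOME/bin/splunk clean eventdata -index $1"
    [ "${2:-}" = "force" ] && cmd="$cmd -f"
    printf '%s\n' "$cmd"
}

# Preflight checks; returns 0 only when it is safe to proceed.
preflight() {
    idx="$1"
    if [ ! -x "$SPLUNK_HOME/bin/splunk" ]; then
        echo "refusing: no splunk binary at $SPLUNK_HOME/bin/splunk" >&2; return 1
    fi
    if ! valid_index_name "$idx"; then
        echo "refusing: invalid index name '$idx'" >&2; return 1
    fi
    # _audit holds login and search audit events; wiping it destroys evidence.
    if [ "$idx" = "_audit" ] && [ "${ALLOW_AUDIT_WIPE:-0}" != "1" ]; then
        echo "refusing: _audit is the audit trail; set ALLOW_AUDIT_WIPE=1 to override" >&2
        return 1
    fi
    if splunkd_running; then
        echo "refusing: splunkd is running; run '$SPLUNK_HOME/bin/splunk stop' first" >&2
        return 1
    fi
    return 0
}

# Usage: clean_index <index_name> [force]
clean_index() {
    preflight "$1" || return 1
    build_clean_cmd "$1" "${2:-}"          # show what is about to run
    force=""
    [ "${2:-}" = "force" ] && force="-f"
    # The destructive step; only reached when every check above passed.
    "$SPLUNK_HOME/bin/splunk" clean eventdata -index "$1" $force
}

# Only act when invoked with arguments, e.g. ./clean_guard.sh sampledata force
if [ $# -gt 0 ]; then
    clean_index "$@"
fi
```

Run it as `./clean_guard.sh sampledata` to keep Splunk's confirmation prompt, or `./clean_guard.sh sampledata force` to pass -f. Because the script is refused while splunkd is running, the sequence is `splunk stop`, then the clean, then `splunk start`.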

Tips and Tricks

Being updated……
