A Brief and Practical Introduction to Splunk

Splunk is a well-known and popular log management, application monitoring and operational intelligence product. It parses logs (machine data), indexes them as raw data and lets users search, monitor, analyze and visualize them.

Here I will give you a short practical overview and show what it looks like.

I have downloaded the Splunk Enterprise trial for our testing. You can download it from here.

My platform is Linux Mint (Ubuntu based) with a minimal configuration.

I downloaded the product binaries (the RPM package) and installed them using alien:

alien -i splunk-6.4.3-b03109c2bad4-linux-2.6-x86_64.rpm

By default, it gets installed into the /opt/splunk directory. Go there and start your Splunk server.

Before going there, we have a little prerequisite reading. You should have a basic understanding of how Splunk handles data: what types of data Splunk can read and index, what types of data sources Splunk supports, and so on.

I recommend you go there once and read it.

Well! I hope you have read about and understood the various data sources and forwarders.

Now, let's come back to the practical part of our article.

I have Splunk installed in the /opt/splunk directory. cd to /opt/splunk/bin and you will see a CLI executable named splunk (make sure it has execute permission).

We need to start Splunk using the ./splunk start command.

We can access the management console at http://<hostname>:8000/. It has a great GUI console. If we are accessing it for the first time, the username and password will be admin/changeme.


Once we are logged into Splunk, we should add the data source from which the data will be indexed. If the data is on a remote box, we need Splunk forwarders.


When we click on "Add Data", we are prompted to select the input method. Here we are going to monitor a local file, so we go with the Monitor option.

Select the Files & Directories option, as our data source is a directory. Then we give additional details about the files to be monitored, such as the source location, the source type and the index.


After the source is selected (in my case I am going to add the Tomcat logs from the /opt/tomcat/apache-tomcat.7.0.68/logs/ directory), we have to enter the source type and index. We can create them on the fly on the same page.

Note: While creating the new index, fill in only the name and leave all the other fields blank.

Now we have created a sourcetype and an index, both named tomcat_logs. You can think of the index as analogous to a normal database (RDBMS) index where your data is going to be stored. A single index can have multiple sources and source types.

Now it is time to review and submit our configuration (click the Review button at the top).

Once submitted, the data will be indexed and you are all set to be amazed by Splunk's Search Processing Language and its capabilities.
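The same setup as a shell script, added here as an example (it is not part of the original post and not Splunk's own tooling): it starts Splunk, replaces the default admin/changeme credential before the web port is used, creates the tomcat_logs index and adds the monitor input with the CLI instead of the "Add Data" wizard, and also emits the inputs.conf and indexes.conf stanzas the wizard writes, which is what you would put on a forwarder for the remote-box case. It assumes SPLUNK_HOME=/opt/splunk, the Splunk 6.4.x CLI syntax and the Tomcat log path from the walkthrough; NEW_ADMIN_PASSWORD is a placeholder you must override.

```shell
#!/bin/sh
# Added example, not from the original post. Command-line equivalent of the
# GUI walkthrough plus the config stanzas behind it.
# Assumptions: SPLUNK_HOME=/opt/splunk, Splunk 6.4.x CLI syntax, Tomcat log
# path from the post; NEW_ADMIN_PASSWORD is a placeholder to override.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK="$SPLUNK_HOME/bin/splunk"
TOMCAT_LOGS="/opt/tomcat/apache-tomcat.7.0.68/logs"
INDEX="tomcat_logs"
SOURCETYPE="tomcat_logs"
NEW_ADMIN_PASSWORD="${NEW_ADMIN_PASSWORD:-CHANGE-ME-placeholder}"

# inputs.conf stanza for a monitored directory: $1 path, $2 index, $3 sourcetype.
inputs_stanza() {
  printf '[monitor://%s]\nindex = %s\nsourcetype = %s\ndisabled = 0\n' "$1" "$2" "$3"
}

# indexes.conf stanza for a new index ($1). Only the name is chosen; the three
# path keys are the required minimum and use Splunk's own $SPLUNK_DB variable,
# so everything else stays at the defaults, as the note above recommends.
indexes_stanza() {
  printf '[%s]\nhomePath = $SPLUNK_DB/%s/db\ncoldPath = $SPLUNK_DB/%s/colddb\nthawedPath = $SPLUNK_DB/%s/thaweddb\n' \
    "$1" "$1" "$1" "$1"
}

# First start: accept the licence non-interactively, then change the admin
# password away from the shipped default before anything else is configured.
first_start() {
  "$SPLUNK" start --accept-license --answer-yes --no-prompt
  "$SPLUNK" edit user admin -password "$NEW_ADMIN_PASSWORD" -auth admin:changeme
}

# Same result as the GUI wizard: create the index, then add the monitor input.
add_tomcat_input() {
  "$SPLUNK" add index "$INDEX" -auth "admin:$NEW_ADMIN_PASSWORD"
  "$SPLUNK" add monitor "$TOMCAT_LOGS" -index "$INDEX" -sourcetype "$SOURCETYPE" \
    -auth "admin:$NEW_ADMIN_PASSWORD"
}

# Forwarder variant: append the stanza to inputs.conf on the forwarder; the
# index itself (indexes_stanza output) must exist on the indexer.
write_forwarder_input() {
  conf_dir="$SPLUNK_HOME/etc/system/local"
  mkdir -p "$conf_dir"
  inputs_stanza "$TOMCAT_LOGS" "$INDEX" "$SOURCETYPE" >> "$conf_dir/inputs.conf"
}

# Check that the input is registered and that events have actually been indexed.
verify_input() {
  "$SPLUNK" list monitor -auth "admin:$NEW_ADMIN_PASSWORD"
  "$SPLUNK" search "index=$INDEX earliest=-1h | stats count by sourcetype" \
    -auth "admin:$NEW_ADMIN_PASSWORD"
}

case "${1:-}" in
  first-start) first_start ;;
  add-input)   add_tomcat_input ;;
  forwarder)   write_forwarder_input ;;
  verify)      verify_input ;;
  print-conf)  inputs_stanza "$TOMCAT_LOGS" "$INDEX" "$SOURCETYPE"; echo; indexes_stanza "$INDEX" ;;
  *)           echo "usage: $0 {first-start|add-input|forwarder|verify|print-conf}" ;;
esac
```

Run it as `NEW_ADMIN_PASSWORD='...' ./splunk-setup.sh first-start`, then `add-input` and `verify`; `print-conf` shows the stanzas without touching the server, which is handy for review before they go into a deployment app.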

Yes! Splunk has its own query language called SPL. For more information regarding SPL, click here.

Splunk search can present data as a chart, as statistics, as a report and in many other forms.

Splunk also has monitoring facilities: it can trigger an email on certain conditions. It can act as a superb application monitoring and transaction monitoring product as well.
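To make the SPL, chart and email-alert points concrete, here is an added example (not from the original post and not Splunk's own code): a few SPL searches over the tomcat_logs index run from the CLI (the same query text works in the web search bar), and the savedsearches.conf stanza that turns the error search into a scheduled email alert. It assumes the index and sourcetype names from the walkthrough, Tomcat's default access-log line format for the status-code extraction, Splunk 6.4.x, an SMTP server already configured in Splunk's email settings, and placeholder credentials and recipient address.

```shell
#!/bin/sh
# Added example, not from the original post. SPL searches from the CLI and a
# savedsearches.conf alert stanza. Assumptions: tomcat_logs index/sourcetype,
# Tomcat default access-log format, Splunk 6.4.x, SMTP already configured,
# placeholder credentials (SPLUNK_AUTH) and recipient address.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK="$SPLUNK_HOME/bin/splunk"
AUTH="${SPLUNK_AUTH:-admin:CHANGE-ME-placeholder}"

# Run one SPL search from the shell. -maxout 0 lifts the default row cap.
spl() {
  "$SPLUNK" search "$1" -auth "$AUTH" -maxout 0
}

# Statistics view: events per sourcetype in the last 24 hours.
events_by_sourcetype() {
  spl 'index=tomcat_logs earliest=-24h | stats count by sourcetype'
}

# Chart view: HTTP status codes per hour. The custom sourcetype has no field
# extractions, so rex pulls the status out of the default access-log line
# ('"GET / HTTP/1.1" 200 1234' -> status=200).
status_timechart() {
  spl 'index=tomcat_logs sourcetype=tomcat_logs | rex "\" (?<status>\d{3}) " | timechart span=1h count by status'
}

# The search text the alert below schedules: catalina SEVERE lines and stack traces.
error_search() {
  printf '%s' 'index=tomcat_logs sourcetype=tomcat_logs (SEVERE OR Exception)'
}

# savedsearches.conf stanza for a scheduled email alert: every 15 minutes, look
# back 15 minutes and mail $1 when the error search returns any events.
alert_stanza() {
  cat <<EOF
[Tomcat errors in last 15 minutes]
search = $(error_search)
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = $1
action.email.subject = Splunk alert: Tomcat errors
EOF
}

# Install the alert into the search app's local config and restart so it is read.
install_alert() {
  app_local="$SPLUNK_HOME/etc/apps/search/local"
  mkdir -p "$app_local"
  alert_stanza "$1" >> "$app_local/savedsearches.conf"
  "$SPLUNK" restart
}

case "${1:-}" in
  count)   events_by_sourcetype ;;
  chart)   status_timechart ;;
  errors)  spl "$(error_search)" ;;
  alert)   install_alert "${2:?recipient address required}" ;;
  print)   alert_stanza "ops@example.com" ;;
  *)       echo "usage: $0 {count|chart|errors|alert <email>|print}" ;;
esac
```

`./spl-examples.sh errors` runs the error search interactively; `./spl-examples.sh alert ops@example.com` installs it as the alert, and `print` shows the stanza first so the schedule and threshold can be reviewed before anything is written.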

Look at the examples below.



Hope it helps.
Feel free to let me know your feedback through comments. If you like it, share it.

Cheers,

A K S A R A V
