75 lines
2.1 KiB
Plaintext
75 lines
2.1 KiB
Plaintext
Mitch Fleischman
|
|
mitchf@splunk.com
|
|
|
|
studentid: 06
|
|
ipaddress: 52.53.200.165 10.0.0.206
|
|
ssh username: btv_splunker06
|
|
|
|
set servername and hostname to splunk06
|
|
also set sessiontimeout, to something helpful for class
|
|
|
|
Modules 1-6.5 today, 6.5-11 tomorrow
|
|
|
|
When do you add more indexers?
|
|
Partly based on how much searching, but add a new indexer every 100 = 250GB daily
|
|
with Enterprise Security, you'll trend closer to the lower number (aka more indexers)
|
|
|
|
Search Heads?
|
|
8-12 users per search head
|
|
user might mean scheduled searches, etc
|
|
|
|
hardware
|
|
12G ram
|
|
indexer: 12@2Ghz 800iops
|
|
search: 16@2Ghz 2x10k SAS RAID1
|
|
|
|
splunk kv store is mongodb
|
|
|
|
Linux OS tuning: pg 20
|
|
ulimit -c 1073741824
|
|
ulimit -n 48 x default
|
|
ulimit -u 12 x default
|
|
|
|
disable THP
|
|
|
|
change root password, insert sha256 checksum (I believe) into $SPLUNK_HOME/etc/passwd to change admin password
|
|
|
|
./splunk enable boot-start -user <username>
|
|
|
|
|
|
Windows
|
|
Autostarts automatically
|
|
|
|
$SPLUNK_DB = $SPLUNK_HOME/var/lib/splunk
|
|
|
|
Licensing:
|
|
3 warnings for free splunk, 5 for paid
|
|
30 day rolling window
|
|
|
|
Module 3: Installing Apps
|
|
App is collection of files (inputs, indexes, sourcetypes, extractions, transformations), (eventtypes, tags, reports, dashboards, other KOs), (Scripts, web assets)
|
|
Addon is an App subset (like the bits needed to make a forwarder work)
|
|
Remove an app:
|
|
splunk remove app <app_folder>
|
|
Permissions:
|
|
read - to see and interact with it
|
|
write - to add delete modify the KO in the app
|
|
Default is read only
|
|
|
|
Module 4: Configuration files
|
|
*/default - comes with splunk
|
|
*/local - user overrides
|
|
.meta files determine how global a configuration file setting is.
|
|
app/metadata/local.meta
|
|
[tags/action%3Daddtocart/browser]
|
|
access = read : [ * ]
|
|
export = (none|system)
|
|
owner
|
|
version
|
|
modtime
|
|
|
|
splunk btool check
|
|
splunk btool (inputs|) list (|monitor:///var/log{, --debug}) # debug shows which file the line came from
|
|
splunk btool tags list (list all tags configured) --debug (also show the file they came from)
|
|
splunk btool tags list --debug --app=search --user=<username>
|