Scribd
Upload
1K views

Splunk Quick Reference

The document provides instructions for installing, configuring, and managing Splunk software including installing licenses, setting ports, enabling inputs and outputs, configuring indexes, access controls, and apps. It also lists and describes the purpose of various configuration files used to customize Splunk functionality and behavior.

Uploaded by

Vasudeva Nayak
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
1K views

Splunk Quick Reference

The document provides instructions for installing, configuring, and managing Splunk software including installing licenses, setting ports, enabling inputs and outputs, configuring indexes, access controls, and apps. It also lists and describes the purpose of various configuration files used to customize Splunk functionality and behavior.

Uploaded by

Vasudeva Nayak
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 3

Each instance of Splunk that does any indexing must have its own license.

1. Stop Splunk: ./splunk stop


2. Copy $SPLUNK_HOME/etc/splunk-forwarder.license to
$SPLUNK_HOME/etc/splunk.license
3. Start Splunk: ./splunk start
This license does not limit how much data you can forward from that machine.
To install or update your license using the CLI:
1. Create a new file named splunk.license.
2. Copy your new license key and paste it into splunk.license.
3. Move your license file, splunk.license, into the $SPLUNK_HOME/etc/ directory:
mv splunk.license $SPLUNK_HOME/etc/
features that are available with the Enterprise license are
disabled:
Multiple user accounts and role-based access controls
Distributed search
Forwarding in TCP/HTTP formats (you can forward data to other Splunk instances, but not to
non-Splunk instances)
Deployment management (including for clients)
Scheduled saved searches (including summary indexing) and alerting/monitoring
splunk set datastore-dir /var/splunk/
Open a Web browser and navigate to http://localhost:8000.
To change the splunk web service port:
From the %SPLUNK_HOME%\bin directory: splunk set web-port ####
To change the splunkd port:
From the %SPLUNK_HOME%\bin directory: splunk set splunkd-port ####
Install on Linux
To install the Splunk RPM in the default directory /opt/splunk:
rpm -i splunk_package_name.rpm
To install Splunk in a different directory, use the --prefix flag:
rpm -i --prefix=/opt/new_directory splunk_package_name.rpm
To upgrade an existing Splunk installation using the RPM:
rpm -U splunk_package_name.rpm
To upgrade an existing Splunk installation that was done in a different directory, use the --prefix
flag:
rpm -U --prefix=/opt/new_directory splunk_package_name.rpm
If you want to automate your RPM install with kickstart, add the following to your kickstart file:
./splunk start --accept-license
./splunk enable boot-start
Note: The second line is optional for the kickstart file.
Debian DEB install
To install the Splunk DEB package:
dpkg -i splunk_package_name.deb
To uninstall from RedHat Linux
rpm -e splunk_product_name
Debian Linux
To uninstall from Debian Linux:
dpkg -r splunk

pkgadd -d ./splunk_product_name.pkg
pkgadd -n -d ./splunk_product_name.pkg

System configurations
From the System configurations area, you can manage:
System settings: Manage system settings including ports, host name, index path, email server
settings (for alerts), and system logging.
Server controls: Restart Splunk.
License: View license usage statistics and apply a new license.
Data inputs: Add data to Splunk from scripts, files, directories, and network ports.
Forwarding and receiving: Configure this Splunk instance to send or receive data.
Indexes: Create new indexes and manage index size preferences.
Access controls: Specify authentication method (Splunk or LDAP), create or modify users, and
manage roles.
Distributed search: Set up distributed search across multiple Splunk instances.
Deployment: Deploy and manage configuration settings across multiple Splunk instances.
User options: Manage user settings, including passwords and email addresses.
Apps and knowledge
From the Apps and knowledge area, you can manage:
Apps: Edit permissions for installed apps, create new apps, or browse Splunkbase for apps
created by the community.
Searches and reports: View, edit, and set permissions on searches and reports. Set up alerts
and summary indexing.
Event types: View, edit, and set permissions on event types.
Tags: Manage tags on field values.
Fields: View, edit, and set permissions on field extractions. Define event workflow actions and
field aliases. Rename sourcetypes.
Lookups: Configure lookup tables and lookups.
User interface: Create and edit views, dashboards, and navigation menus.
Advanced search: Create and edit search macros. Set permissions on search commands.
All configurations: See all configurations across all apps.

Important: Do not edit the default copy of any conf file in


$SPLUNK_HOME/etc/system/default/. Make a copy of the file in
$SPLUNK_HOME/etc/system/local/ or $SPLUNK_HOME/etc/apps/<app_name>/local and
edit that copy.
File Purpose
admon.conf -- Configure Windows active directory monitoring.
alert_actions.conf Customize Splunk's global alerting actions.
app.conf Configure your custom app.
audit.conf Configure auditing and event hashing.
authentication.conf --Toggle between Splunk's built-in authentication or LDAP, and configure
LDAP.
authorize.conf -- Configure roles, including granular access controls.
commands.conf Connect search commands to any custom search script.
crawl.conf Configure crawl to find new data sources.
default.meta.conf A template file for use in creating app-specific default.meta files.
deploymentclient.conf Specify behavior for clients of the deployment server.
distsearch.conf Specify behavior for distributed search.
eventdiscoverer.conf Set terms to ignore for typelearner (event discovery).
event_renderers.conf Configure event-rendering properties.
eventtypes.conf --- Create event type definitions.
fields.conf Create multivalue fields and add search capability for indexed fields.
indexes.conf -- Manage and configure index settings.
inputs.conf -- Set up data inputs.
limits.conf -- Set various limits (such as maximum result size or concurrent real-time
searches) for search commands.
literals.conf Customize the text, such as search error strings, displayed in Splunk Web.
macros.conf Define search language macros.
multikv.conf Configure extraction rules for table-like events (ps, netstat, ls).
outputs.conf -- Set up forwarding, routing, cloning and data balancing.
pdf_server.conf Configure the Splunk pdf server.
procmon-filters.conf Monitor Windows process data.
props.conf
Set indexing property configurations, including timezone offset, custom
sourcetype rules, and pattern collision priorities. Also, map transforms to
event properties.
pubsub.conf-- Define a custom client of the deployment server.
regmon-filters.conf Create filters for Windows registry monitoring.
report_server.conf Configure the report server.
restmap.conf Configure REST endpoints.
savedsearches.conf Define saved searches and their associated schedules and alerts.
searchbnf.conf Configure the search assistant.
segmenters.conf Customize segmentation rules for indexed events.
server.conf Enable -- SSL for Splunk's back-end and specify certification locations.
serverclass.conf Define deployment server classes for use with deployment server.
serverclass.seed.xml.conf Configure how to seed a deployment client with apps at start-up time.
source-classifier.conf Terms to ignore (such as sensitive data) when creating a sourcetype.
sourcetypes.conf Machine-generated file that stores sourcetype learning rules created by
sourcetype training.
sysmon.conf Set up Windows registry monitoring.
tags.conf Configure tags for fields.
tenants.conf Configure deployments in multi-tenant environments.
times.conf Define custom time ranges for use in the Search app.
transactiontypes.conf Add additional transaction types for transaction search.
transforms.conf Configure regex transformations to perform on data inputs. Use in tandem
with props.conf.
user-seed.conf Set a default user and password.
web.conf -- Configure Splunk Web, enable HTTPS.
wmi.conf Set up Windows management instrumentation (WMI) inputs.
workflow_actions.conf -- Configure workflow actions.

You might also like