SPLK-1002 Splunk Core Certified Power User – Splunk Advanced Concepts

  1. Binding Splunk to an IP Address

Consider a Splunk search head, or any other Splunk instance, that has multiple IP addresses. Here we have one loopback address and one private address; the last one is our public address at the network level. Let's say there are further interfaces as well, for example 10.x or 192.x interfaces. These are internal interfaces, and you want Splunk to listen on one particular interface only. Let's see how to achieve this requirement. Go to $SPLUNK_HOME/etc. There you will find a configuration file called splunk-launch.conf; this is the file where you specify the IP address to which Splunk has to bind.

The parameter for it is SPLUNK_BINDIP (all caps, with an underscore): set SPLUNK_BINDIP=<address>, where the address is that of the interface required for the present requirement. Save and exit the file, then restart your Splunk instance. Once it has restarted successfully, you will see that Splunk now binds specifically to that IP address. Previously, by default, Splunk started listening on all the IPs assigned to the host it runs on; now it listens only on the IP we specified. In this way you can limit Splunk to be accessed on a particular interface, or to receive logs on particular interfaces. The same configuration holds good for all your Splunk instances, including your Splunk forwarders.

  2. Changing Process Name of Splunk Processes

We now know how to bind our Splunk instance to an IP. Next, let us see how we can rename our Splunk processes, that is, Splunk Web and the Splunk daemon, to something different. This might be a somewhat unusual requirement, where you don't want somebody to know that you are running Splunk. In that scenario you can rename the processes to something that is compliant with your organization; let's say all process names should start with your company name, the vendor, and a specific department. This way you can rename the process names of your own Splunk instance. For that we will again go back to splunk-launch.conf, which is under $SPLUNK_HOME/etc.

In splunk-launch.conf you can see that the Splunk server name is splunkd (SPLUNK_SERVER_NAME) and the Splunk Web name is splunkweb (SPLUNK_WEB_NAME). Before changing the process names, make sure you stop the Splunk processes: Splunk is already running, and we don't want a conflict once it comes back up. As you can see, there are a lot of Splunk processes running under the names splunkd and splunkweb. Stopping them makes sure everything is clean; then we go ahead and change our configuration and bring the instance back up, so that we do not have any conflict in the process names.

Now let us go back to our $SPLUNK_HOME/etc/splunk-launch.conf file. Here, for example, I'll rename the server process name, and similarly the Splunk Web process name. Since we have edited the configuration file and Splunk is already down, let us bring it up. As you can see, Splunk has now started up with the new names that were provided. You can see our splunkd, that is, the daemon process, running under its new name; the splunk you still see is the utility name, not the process name.
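Both of the edits above (SPLUNK_BINDIP for the bind address, SPLUNK_SERVER_NAME and SPLUNK_WEB_NAME for the process names) go into the same flat KEY=value file, so here is an added shell example, not part of the course, that makes those edits safely and checks the result. It rewrites a commented-out or existing definition in place instead of appending a second one, so repeated runs cannot leave conflicting lines, and it shows how to confirm the bind after the restart. The sample file contents, the 192.168.10.5 address and the acme-sec-* names are constructed for the demo; the $SPLUNK_HOME default is an assumption.

```shell
#!/bin/sh
# Added example (not from the course): idempotent edits to splunk-launch.conf.
# Sample values below are constructed; SPLUNK_HOME default is an assumption.
set -eu

# set_launch_setting FILE KEY VALUE
# Rewrites the first existing "KEY=..." line (commented or active) in place,
# drops any later duplicates, and appends a new line only if none existed.
set_launch_setting() {
  launch_tmp="$(mktemp)"
  awk -v key="$2" -v value="$3" '
    $0 ~ ("^[ \t#]*" key "=") {            # commented-out or active definition
      if (!seen) print key "=" value      # rewrite the first one in place
      seen = 1; next                      # drop any later duplicates
    }
    { print }
    END { if (!seen) print key "=" value } # no definition yet: append
  ' "$1" >"$launch_tmp" && mv "$launch_tmp" "$1"
}

# get_launch_setting FILE KEY -> value of the last active definition, or nothing
get_launch_setting() {
  grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# count_definitions FILE KEY -> number of active definitions (should be 0 or 1)
count_definitions() {
  grep -Ec "^$2=" "$1" || true
}

# Live check (needs a real host): after "splunk restart", confirm that the
# listeners sit on the bound address and not on 0.0.0.0. Not run in the demo.
show_splunk_listeners() {
  ss -ltnp 2>/dev/null | grep -Ei 'splunkd|splunkweb' || echo "no splunk listeners found"
}

# --- offline demo on a constructed copy of splunk-launch.conf ---------------
demo_file="$(mktemp)"
cat >"$demo_file" <<'EOF'
# Constructed sample splunk-launch.conf (not a real instance's file)
SPLUNK_HOME=/opt/splunk
# SPLUNK_BINDIP=127.0.0.1
SPLUNK_SERVER_NAME=splunkd
SPLUNK_WEB_NAME=splunkweb
EOF

# Bind to a constructed private address and rename both processes
set_launch_setting "$demo_file" SPLUNK_BINDIP 192.168.10.5
set_launch_setting "$demo_file" SPLUNK_SERVER_NAME acme-sec-splunkd
set_launch_setting "$demo_file" SPLUNK_WEB_NAME acme-sec-splunkweb
# Running again must not add a second line
set_launch_setting "$demo_file" SPLUNK_BINDIP 192.168.10.5

echo "SPLUNK_BINDIP=$(get_launch_setting "$demo_file" SPLUNK_BINDIP)"
echo "definitions of SPLUNK_BINDIP: $(count_definitions "$demo_file" SPLUNK_BINDIP)"
cat "$demo_file"
```

Run it against the real file only after `splunk stop`, as the section above does, then `splunk start` and call show_splunk_listeners to confirm that nothing is still bound to the wildcard address.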

  3. Disabling Splunk Web Components

Click on Settings, then Server settings, and under Server settings click on General. Under Splunk Web, where in our previous videos we enabled HTTPS for our Splunk instance, there is an option to run Splunk Web or not. We set it to No; if you click Save, it will ask for a restart, and after the restart we will not be able to access our Splunk Web console. So let us go ahead and restart. We must restart it from the command line so that you can see, when the Splunk instance is starting up, that only port 8089 is mapped; port 8000 will not be used since we have disabled our Splunk Web component.

As you can see, only port 8089 is listening. What happens if I refresh my Splunk URL? It will not load, because we have disabled our Splunk Web component. This web component can be disabled on your heavy forwarders and indexers, because usually you will not be using the web component on indexers and forwarders, so you can go ahead and disable it there. This is how we do it via the web console. Now let us consider the Linux CLI, that is, editing the configuration file.

You need to go to $SPLUNK_HOME/etc/system/local/web.conf. In this file you can set startwebserver to 0, which represents false, the scenario where the web server is disabled. If you set this option to 1, the web server is enabled, that is, your GUI component will be accessible. So in this case you edit the configuration file using the Linux CLI. Now let us see how we can do this via the Splunk CLI. Since it is already disabled, I will enable it.

That is splunk enable webserver. It asks for my Splunk admin credentials. As you can see, it has updated the setting; we need to restart for it to take effect. Before restarting, let's see what our previous entry in web.conf, which was 0, has been changed to. As you can see, it has been changed to 1 by our CLI command, enable webserver. So let us go ahead and restart. We should get our Splunk Web back online once it is successfully up. Now, as you can see, our Splunk Web is back online: we are able to load the login page and run a couple of searches.
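web.conf is an INI-style file, so the startwebserver toggle described above has to land inside the [settings] stanza rather than anywhere in the file. The added shell example below (not from the course) does that edit stanza-aware, reads the value back, and wraps the CLI route (splunk enable webserver / splunk disable webserver plus a restart) and a listener check for a real host. The sample web.conf, the example_stanza name and the $SPLUNK_HOME default are constructed assumptions for the demo; treating an unset startwebserver as 1 reflects the shipped default.

```shell
#!/bin/sh
# Added example (not from the course): stanza-aware edits to web.conf.
# Sample file below is constructed; SPLUNK_HOME default is an assumption.
set -eu

# set_conf_key FILE STANZA KEY VALUE
# Rewrites KEY inside [STANZA] if present, adds it to the stanza otherwise,
# and creates the stanza at the end of the file if it does not exist yet.
set_conf_key() {
  conf_tmp="$(mktemp)"
  awk -v stanza="[$2]" -v key="$3" -v value="$4" '
    function emit() { print key " = " value; done_flag = 1 }
    /^\[/ {
      if (in_stanza && !done_flag) emit()      # stanza ended without the key
      in_stanza = ($0 == stanza)
      print; next
    }
    in_stanza && !done_flag && $0 ~ ("^[ \t]*" key "[ \t]*=") { emit(); next }
    { print }
    END {
      if (!done_flag) {
        if (!in_stanza) print stanza           # stanza never seen: create it
        emit()
      }
    }
  ' "$1" >"$conf_tmp" && mv "$conf_tmp" "$1"
}

# get_conf_key FILE STANZA KEY -> prints the value, or nothing if unset
get_conf_key() {
  awk -v stanza="[$2]" -v key="$3" '
    /^\[/ { in_stanza = ($0 == stanza); next }
    in_stanza && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); print; exit
    }
  ' "$1"
}

# web_server_enabled FILE -> "1" if Splunk Web would start (unset = shipped default 1)
web_server_enabled() {
  web_flag="$(get_conf_key "$1" settings startwebserver)"
  [ -z "$web_flag" ] && web_flag=1
  printf '%s\n' "$web_flag"
}

# Live helpers (need Splunk installed and admin credentials); not run in the demo.
SPLUNK_BIN="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"
disable_web_live() { "$SPLUNK_BIN" disable webserver && "$SPLUNK_BIN" restart; }
enable_web_live()  { "$SPLUNK_BIN" enable webserver  && "$SPLUNK_BIN" restart; }
# After disabling, confirm nothing listens on the web port any more (default 8000).
web_port_closed_live() { ! ss -ltn 2>/dev/null | grep -q ":${1:-8000} "; }

# --- offline demo on a constructed web.conf --------------------------------
demo_conf="$(mktemp)"
cat >"$demo_conf" <<'EOF'
# Constructed sample web.conf for the demo (not from a real instance)
[settings]
enableSplunkWebSSL = true
httpport = 8000
EOF

set_conf_key "$demo_conf" settings startwebserver 0    # disable the GUI
set_conf_key "$demo_conf" settings startwebserver 0    # idempotent: no duplicate
set_conf_key "$demo_conf" example_stanza foo bar       # missing stanza is created
echo "startwebserver = $(get_conf_key "$demo_conf" settings startwebserver)"
echo "web server enabled: $(web_server_enabled "$demo_conf")"
cat "$demo_conf"
```

The awk approach matters because a plain append would put startwebserver after whatever stanza happens to be last in the file, where Splunk would not read it as a [settings] key.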

  4. Splunk CLI Selective Restarting

Similar to any other technical tools in the IT industry, the CLI version of the product gives you much more control and more features and accessibility within the product than the web console. The web console is flexible and user friendly, and it gives you access to some of the things, whereas the CLI is somewhat difficult; but once you get hold of it, you will have more access to Splunk than through the web console. In this video we'll go through some of the commonly used commands in day-to-day Splunk operation.

As you all know by now, we will be using the splunk utility, which is under $SPLUNK_HOME/bin. We have seen that status is used for checking the status of the Splunk processes, start for starting them, restart for restarting the Splunk services, and stop for stopping the Splunk services, both Splunk Web and the Splunk daemon. Now let us say I need to stop only Splunk Web, or restart only Splunk Web. What do I do?

I run restart followed by the service name, that is, splunk restart splunkweb. It will ask you for the Splunk privileged credentials. Once you enter them, you'll notice that Splunk Web is restarted. As you can see, Splunk Web restarted, and this is much faster than restarting your complete Splunk services. In a similar way, if I have made changes to the configuration, I can restart splunkd alone.

Since we have already entered the username and password, it authenticates based on the same session and restarts the splunkd process. By default, when you restart the splunkd process, it restarts Splunk Web also. Restarting Splunk Web alone is mainly used when you are dealing with a UI change, such as changing your logos or banner on Splunk Web; these kinds of static changes are stored in your browser cache or the Splunk application cache and require a restart. Then this command is helpful for doing a selective restart of the Splunk Web service.
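The rule in this section (static UI assets need only splunk restart splunkweb; configuration changes need splunk restart splunkd, which brings Splunk Web back up as well) is easy to encode so a change script picks the smallest restart automatically. The shell example below is added here and is not from the course; the file paths are constructed, and treating only files under appserver/static as UI assets is an assumption drawn from the logo and banner cases the section mentions.

```shell
#!/bin/sh
# Added example (not from the course): choose the narrowest Splunk restart
# for a set of changed files. Paths are constructed; SPLUNK_HOME is assumed.
set -eu

# is_ui_asset PATH -> 0 when the path is a static Splunk Web asset
is_ui_asset() {
  case "$1" in
    */appserver/static/*) return 0 ;;   # logos, banners, CSS, JS
    *) return 1 ;;                      # conf files, apps, lookups: splunkd
  esac
}

# restart_scope PATH... -> prints "splunkweb", "splunkd" or "none"
# One non-static file is enough to require the full splunkd restart.
restart_scope() {
  [ "$#" -eq 0 ] && { echo none; return 0; }
  for changed in "$@"; do
    is_ui_asset "$changed" || { echo splunkd; return 0; }
  done
  echo splunkweb
}

# apply_restart SCOPE: runs the matching CLI command (live only; needs Splunk
# and the privileged credentials the CLI prompts for). Not run in the demo.
SPLUNK_BIN="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"
apply_restart() {
  case "$1" in
    splunkweb) "$SPLUNK_BIN" restart splunkweb ;;
    splunkd)   "$SPLUNK_BIN" restart splunkd ;;
    none)      echo "nothing to restart" ;;
  esac
}

# --- offline demo on constructed paths -------------------------------------
echo "logo + css      -> $(restart_scope \
  /opt/splunk/etc/apps/search/appserver/static/logo.png \
  /opt/splunk/etc/apps/search/appserver/static/custom.css)"
echo "inputs.conf     -> $(restart_scope /opt/splunk/etc/system/local/inputs.conf)"
echo "mixed change    -> $(restart_scope \
  /opt/splunk/etc/system/local/web.conf \
  /opt/splunk/etc/apps/search/appserver/static/logo.png)"
```

Feed it the output of `git diff --name-only` or a deployment manifest and hand the result to apply_restart; the splunkweb path avoids an indexing pause for purely cosmetic changes.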

  5. Splunk CLI: ENABLE, DISABLE and ADD commands

The next command we are going to discuss is add, that is, the splunk utility with the add option. We have seen this command multiple times during our forwarder installation and indexer configuration. If you do not remember the configuration or the syntax used, you can just type splunk help add and it will display the commonly used options. As you can see, these are some of the commonly used options.

This add function is widely used for adding inputs, adding a listener, adding a forward-server, configuring deployment clients, and adding users. As you can see, it has a wide range of functionality, and the help includes examples and the complete syntax of add. Similar to add, we have used enable in our previous tutorials. Here are some more examples, where it enables Windows print monitoring, Windows host monitoring, Windows performance monitoring, and network monitoring.

These are typical inputs that are enabled. If you go further up, you can see input, Active Directory collection, registry collection, and WMI input. And here you can see it also enables maintenance mode; that is, during an upgrade or maintenance activity on a Splunk cluster or search head, you can put them under maintenance mode, indicating there is a change on the Splunk server that is going to impact clients, servers, or any Splunk machines.

You can put them under maintenance mode. This will be very handy during an upgrade process, a migration process, or a scaling-up process. The counterpart of enable is disable; it has almost the same functionality as enable. As you can see here, they have mistakenly added an enable example under it, but that's okay. You can enable or disable an app using the same splunk utility. These are some of the examples for the enable, disable, and add features of the Splunk CLI.

  6. Splunk CLI: Show Commands

The commands we are going to discuss in this video are among the most important and widely used by a Splunk admin and architect for day-to-day operations and management of Splunk. Let us imagine this is a cluster master and I need to know the cluster status. Instead of going to all the Splunk URLs, clicking through multiple links and logging into Splunk to check the cluster status, we can do all this with the help of a single command: the splunk utility with the show option. So here I can type splunk show cluster-status.

It will show me my cluster status. Since clustering is not configured on this instance as of now, it is not displaying the clustering status. If you have seen our clustering tutorial, where we looked at the search factor, replication factor, searchable indexes, and how many instances are in the cluster, the same information that we discussed in indexer clustering through the GUI will be displayed here. Similarly, the show utility can be used with multiple options: I can ask it to show my web port, and similarly the daemon or management port.

In order to see the right syntax, I'll go and use help. As we can see, there are a lot more options besides cluster-status: it can check whether our search head cluster is in maintenance mode, and also whether the indexer cluster is in maintenance mode or not. It can show you where your data store is, that is, your Splunk DB location, and also the Splunk server name and the default hostname. So this is the port we were looking for: splunk show splunkd-port.

The port is 8089. Similarly, there are a lot more options you can explore while using the Splunk CLI. The most important are cluster-status and cluster-bundle-status in a clustering environment. The others are just for getting information from the Splunk CLI on a regular basis.
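The show commands described in this section print one "Label: value" line each, which makes them a cheap baseline check: an admin who expects 8000/8089 and a known server name can spot a drifted port or a renamed instance without logging into every host. The shell example below is added here and is not from the course; the CLI output lines it parses are constructed samples in that shape, and the expected values and $SPLUNK_HOME default are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the course): compare "splunk show ..." output against
# a baseline. Output lines below are constructed; SPLUNK_HOME is assumed.
set -eu

# parse_show_value RAW -> the text after the last "Label:" in RAW
# (extra lines such as login prompts are skipped by taking the last colon line)
parse_show_value() {
  printf '%s\n' "$1" | grep ':' | tail -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# audit_show_output NAME RAW EXPECTED -> 0 when the reported value matches
audit_show_output() {
  audit_actual="$(parse_show_value "$2")"
  if [ "$audit_actual" = "$3" ]; then
    printf 'OK    %-14s %s\n' "$1" "$audit_actual"
    return 0
  fi
  printf 'DRIFT %-14s expected %s, got %s\n' "$1" "$3" "$audit_actual" >&2
  return 1
}

# audit_all WEB_RAW MGMT_RAW NAME_RAW EXPECTED_WEB EXPECTED_MGMT EXPECTED_NAME
# Runs every check; the exit status is the number of drifted settings (0 = clean).
audit_all() {
  drift=0
  audit_show_output web-port     "$1" "$4" || drift=$((drift + 1))
  audit_show_output splunkd-port "$2" "$5" || drift=$((drift + 1))
  audit_show_output servername   "$3" "$6" || drift=$((drift + 1))
  return "$drift"
}

# Live wrapper: same checks against the real CLI (needs Splunk and admin
# credentials; EXPECTED_* come from the environment). Not run in the demo.
SPLUNK_BIN="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"
live_audit() {
  audit_all "$("$SPLUNK_BIN" show web-port)" \
            "$("$SPLUNK_BIN" show splunkd-port)" \
            "$("$SPLUNK_BIN" show servername)" \
            "${EXPECTED_WEB_PORT:-8000}" "${EXPECTED_MGMT_PORT:-8089}" \
            "${EXPECTED_SERVERNAME:?set EXPECTED_SERVERNAME first}"
}

# --- offline demo with constructed CLI output: web port drifted from 8000 ---
audit_all 'Web port: 8080' 'Splunkd port: 8089' 'Server name: idx01.example.internal' \
          8000 8089 idx01.example.internal || echo "drifted settings: $?"
```

Scheduling live_audit on each indexer and forwarder catches the case this section warns about in reverse: a web port that is listening again on a host where Splunk Web was meant to stay disabled.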
