Walkthrough of the home app and the default start page when you log into Splunk.
- [Instructor] The Splunk interface is organized into what are called apps. Each app corresponds to a feature pane of the program. By default, the home app is installed and the search and reporting app is installed. The home app is really just the default home page when you first log in to Splunk, but it has a couple of handy features. I'll click on Product Tours here, and you can see there's a list of different tours you can take. I won't go through those now. You can go through those on your own if you like.
They'll cover things in a little bit more depth and in a different way than I'll cover them. A lot of the features you'll encounter in the product tour will make a lot more sense as we get deeper into the features of Splunk, but adding data is actually a good place to start. Splunk makes a lot more sense if you have something to look at. They even offer a video tutorial if you'd like another perspective on going through this. But let's just go through the steps now. First you click Add Data, and I'm going to say Skip, because I don't want to take the tour.
I'm going to enlarge the screen a little bit, and I'll click on Monitor, because I want to monitor a directory on my Splunk server. I want to click over here to Files and Directories, and I want to specify a file. In my case, I'm going to use the syslog, which is in var/log/syslog. I'm picking this because it has a lot of system specific messages, so there should be some content in it already, and it's something you might realistically monitor in real life.
We can just accept the defaults here and click Next. Here you can see some examples from our syslog that it's already picked up, and it'll auto-detect the source type. You see it says Source type: syslog. Splunk has a lot of built-in types that it recognizes already, so it figured out that this was syslog and it'll process the data correctly. And we'll click on Next. We can just click through Review on Input Settings, and click Submit. Now we should be ready to use our new data source, so let's click on Start Searching, just to take a look.
And we'll skip the tour again. Here it's put in an automatic search for us. Let's click the Search button, and you'll notice that it doesn't come up with any results first. The way Splunk works is it needs to index our log files, so it needs to actually process through them. When you first add data, it doesn't appear immediately. Let's click back to our main page, and click on Search and Reporting again. Here you can see, now it's indexed 950 events from our syslog, so we should be ready to move on to the next section.
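The same Files & Directories input that the instructor creates through Add Data, written as an inputs.conf stanza on the Splunk server (an added example, not part of the course; the file location, the index name and the directory path are assumptions):

```ini
# Assumed location on the Splunk server: $SPLUNK_HOME/etc/system/local/inputs.conf
# (or an app's local/inputs.conf). This is the on-disk equivalent of
# Add Data > Monitor > Files & Directories from the walkthrough.

# Monitor stanza: the path after "monitor://" is the file (or directory) to tail.
[monitor:///var/log/syslog]

# Pin the source type explicitly. The UI auto-detected "syslog" for this file;
# setting it here stops a later mis-detection from changing how timestamps
# and fields are parsed for these events.
sourcetype = syslog

# Route OS logs to their own index (assumed name) instead of the default "main",
# so retention and role-based access can be set for them separately.
index = os_logs

# The input only reads once it is enabled and splunkd has reloaded its config.
disabled = false
```

After splunkd restarts, `index=os_logs sourcetype=syslog | stats count` shows how many events have been indexed; the index named in the stanza must already exist, otherwise the events are not stored.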