3.2 Parts of Splunk


Time
2 hours 29 minutes
Difficulty
Beginner
CEU/CPE
2
Video Transcription
00:00
In this video, we'll discuss the parts of Splunk.
00:04
First, we'll talk about the data pipeline,
00:07
then go into Splunk components,
00:09
and have a little bit of a discussion on distributed versus non-distributed versus clustered environments.
00:18
The data pipeline, as Splunk sees it, is made up of input, parsing, indexing and searching.
00:25
The input part of that is just what you might think: Splunk is getting data
00:30
at this stage. There's also metadata added, like source, host and sourcetype.
00:35
But the main focus is getting input, the data coming in.
00:40
Each of these stages corresponds to different actual Splunk components. We'll talk about each of these, but input goes along with forwarders, universal or heavy forwarders,
00:51
and it can be done at the indexer level.
00:53
At the next stage, we have parsing.
00:56
Data is getting turned into events at this stage.
01:00
This could be line breaks happening or data being transformed based on certain rules.
01:04
This can occur on an indexer or heavy forwarder.
01:08
Indexing is taking the parsed events and putting them into an index for later use.
01:15
When you get to the searching stage, there's some interaction between the search head and indexers. The search head is responsible for search management.
01:25
This is where you would go to run a search, and that search request gets sent to an indexer, and then the results get sent back to the search head for you to view and work with.
01:34
At the searching level, you can have scheduled searches, alerts and dashboards.
01:41
Along the side here is a common setup you might see.
01:44
I have UF for universal forwarder.
01:48
You can think of a universal forwarder as something like an agent.
01:52
It may be installed on a server and set up to collect Windows event logs. It's taking those Windows event logs and sending them on to the indexer.
02:01
On the indexer, you have parsing and
02:05
indexing, which is taking the data,
02:07
breaking it into events and organizing it in a place the search head can easily find and request from.
02:15
search heads are what users typically interact with.
02:19
They perform search management.
02:21
You can, for example,
02:23
go into this box
02:24
and run a basic search, which the search head then distributes as requests to the different indexers and then displays the results from.
02:34
You can do things like have
02:36
custom dashboards, alerts and reports.
02:39
Indexers receive, index and store data.
02:44
They can provide the search head with needed information.
02:49
There's a bit of complexity around the term index, so I wanted to break down the different definitions.
02:54
Index as a noun is a data repository.
02:59
By breaking up data into different indexes, you can improve performance, apply different data retention policies and limit access to different sets of data.
03:08
For example, if you're collecting firewall logs, you may have an index titled firewall logs where logs from multiple firewalls get stored.
03:19
This could make it easier to limit your searches to the type of information you're looking for.
03:23
And if you have another team, say, help desk,
03:28
that needs to look at authentication logs, but maybe not web traffic, you could easily limit them from viewing this data.
03:35
If you need to keep firewall logs for a set amount of time for audits,
03:38
you could specify this in the data retention policies.
03:43
Index as a verb is the process
03:46
of indexing raw data, as in taking the data and handling and organizing it.
03:53
An indexer is a particular Splunk instance.
03:58
It's a particular Splunk instance that indexes data. This sentence might help you remember the different meanings:
04:04
an indexer indexes data and puts it in an index.
04:11
Forwarders, like I mentioned,
04:13
you can kind of think of them like agents. You install them on a host, and they send data onward.
04:18
There are several different types of forwarders. A light forwarder is deprecated, meaning there are newer versions of it, but it does exist.
04:28
Universal forwarders are typically what you want to install when possible. They have a pretty light footprint and mostly just work to send data onward. You can do some filtering with universal forwarders, such as
04:39
by blacklisting certain event types. But if you want to do any more complex filtering, you're probably going to need to set up a heavy forwarder.
04:47
There are also different server roles. We're not going to talk about them too much in this course, but I want you to know they exist.
04:55
For example, things like a deployment server can help you manage forwarders and send apps by groups.
05:02
Distributed environments are basically ones where different components of Splunk are broken out.
05:10
The setup in this course will be a simple non-distributed environment where search head, indexer and license master are all combined.
05:17
For larger companies, or if you're handling a lot of data, you'll probably need to separate these pieces out.
05:24
This is sometimes thought of as horizontal scaling: as you grow, you can add different parts to scale the environment.
05:32
With the idea of different deployment scales, if you have a very small office working with less than 20 gigs a day with fewer than 100 forwarders, you could probably get away with a non-distributed environment like we're doing for this course.
05:47
For a larger company, you're probably going to need a distributed environment.
05:56
Clustering is a more advanced topic, but you should know what it is. At a basic level, it replicates data between different components to create redundancy so that there is duplicate data across multiple instances.
06:09
This is good to look at if you can't have any downtime in your environment or if you're worried about disaster recovery or the potential of losing data.
06:17
Question time. A universal forwarder deals with the blank part of the data pipeline.
06:27
The answer is input.
06:29
A universal forwarder helps to bring data into the Splunk environment.
06:34
As a review: forwarders send data,
06:38
indexers turn data into events and place them in indexes, search heads send search requests and display data.
06:46
A larger company will likely need a distributed environment, but for this course we will set up a simple non-distributed environment.
06:54
Clustering also won't be covered in this course as it is a more advanced topic.
06:58
But you should know that it provides redundancy and is a good option for high availability and disaster recovery.
07:05
In the next video, we will install Splunk.