Time
1 hour 59 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:00
In this video, we'll discuss the parts of Splunk.
00:04
First, we'll talk about the data pipeline,
00:07
then go on to Splunk components,
00:09
and have a little bit of a discussion on distributed versus non-distributed versus clustered environments.
00:18
The data pipeline, as Splunk sees it, is made up of input, parsing, indexing and searching.
00:25
The input part of that is just what you might think: Splunk is getting data.
00:30
At this stage, there's also metadata added, like source, host and source type.
00:35
But the main focus is getting input, those data coming in.
00:40
Each of these stages corresponds to different actual Splunk components. We'll talk about each of these, but input goes along with forwarders, universal or heavy forwarders,
00:51
and it can be done at the indexer level.
00:53
At the next stage, we have parsing.
00:56
Data is getting turned into events at this stage.
01:00
This could be line breaks happening or data being transformed based on certain rules.
01:04
This can occur on an indexer or heavy forwarder.
01:08
Indexing is taking the parsed events and putting them into an index for later use.
01:15
When you get to the searching stage, there's some interaction between the search head and indexers. The search head is responsible for search management.
01:25
This is where you would go to run a search, and that search request gets sent to an indexer, and then the results get sent back to the search head for you to view and work with.
01:34
At the searching level, you can have scheduled searches, alerts and dashboards.
01:41
Along the side here is a common setup you might see.
01:44
I have UF for universal forwarder.
01:48
You can think of a universal forwarder as something like an agent,
01:52
maybe installed on a server and set up to collect Windows event logs. It's taking those Windows event logs and sending them on to the indexer.
02:01
On the indexer, you have parsing and
02:05
indexing, which is taking the data,
02:07
breaking it into events and organizing it in a place the search head can easily send requests for.
02:15
search heads are what users typically interact with.
02:19
They perform search management.
02:21
You can, for example,
02:23
go into this box
02:24
and run a basic search, which the search head then distributes as requests to the different indexers, and then displays the results from.
02:34
You can do things like have
02:36
custom dashboards, alerts and reports.
02:39
Indexers receive, index and store data.
02:44
They can provide the search head with needed information.
02:49
There's a bit of complexity around the term index, so I wanted to break down the different definitions.
02:54
Index as a noun is a data repository.
02:59
By breaking up data into different indexes, you can improve performance, apply different data retention policies and limit access to different sets of data.
03:08
For example, if you're collecting firewall logs, you may have an index titled firewall logs where logs from multiple firewalls get stored.
03:19
This could make it easier to limit your searches to the type of information you're looking for.
03:23
And if you have another team, say, help desk,
03:28
that needs to look at authentication logs, but maybe not web traffic, you could easily limit them from viewing this data.
03:35
If you need to keep firewall logs for a set amount of time for audits,
03:38
you could specify this in the data retention policies.
03:43
Index as a verb is the process
03:46
of indexing raw data, as in taking the data and handling and organizing it.
03:53
An indexer is a particular Splunk instance.
03:58
It's a particular Splunk instance that indexes data. This sentence might help you remember the different meanings:
04:04
An indexer indexes data and puts it in an index.
04:11
Forwarders, like I mentioned,
04:13
you can kind of think of them like agents. You install them on a host, and they send data onward.
04:18
There are several different types of forwarders. A light forwarder is deprecated, meaning there are newer versions of it, but it does exist.
04:28
Universal forwarders are typically what you want to install when possible. They have a pretty light footprint and mostly just work to send data onward. You can do some filtering with universal forwarders, such as
04:39
by blacklisting certain event types. But if you want to do any more complex filtering, you're probably going to need to set up a heavy forwarder.
04:47
There are also different server roles. We're not going to talk about them too much in this course, but I want you to know they exist.
04:55
For example, things like a deployment server can help you manage forwarders and send apps by groups.
05:02
Distributed environments are basically ones where different components of Splunk are broken out.
05:10
The setup in this course will be a simple non-distributed environment, where search head, indexer and license master are all combined.
05:17
For larger companies, or if you're handling a lot of data, you'll probably need to separate these pieces out.
05:24
This is sometimes thought of as horizontal scaling: as you grow, you can add different parts to scale the environment,
05:32
with the idea of different deployment scales. If you have a very small office working with less than 20 gigs a day with fewer than 100 forwarders, you could probably get away with a non-distributed environment like we're doing for this course.
05:47
For a larger company, you're probably going to need a distributed environment.
05:56
Clustering is a more advanced topic, but you should know what it is. At a basic level, it replicates data between different components to create redundancy so that there is duplicate data across multiple instances.
06:09
This is good to look at if you can't have any downtime in your environment or if you're worried about disaster recovery or the potential of losing data.
06:17
Question time. A universal forwarder deals with the blank part of the data pipeline.
06:27
The answer is input.
06:29
A universal forwarder helps to bring data into the Splunk environment.
06:34
As a review, forwarders send data.
06:38
Indexers turn data into events and place them in indexes. Search heads send search requests and display data.
06:46
A larger company will likely need a distributed environment, but for this course we will set up a simple non distributed environment.
06:54
Clustering also won't be covered in this course as it is a more advanced topic.
06:58
But you should know that it provides redundancy and is a good option for high availability and disaster recovery options.
07:05
In the next video, we will install Splunk.

Introduction to Splunk

This Splunk training class is designed to quickly introduce you to Splunk and its many capabilities.

Instructed By

Natasha Staples
Incident Response Security Engineer at Arrow Electronics
Instructor