4.2 Web Interface Tour

Video Activity

Time: 2 hours 29 minutes
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
00:00
>> Hi, we're on Module 4, and in this video we'll be getting familiar with the Splunk Web Interface. To start off, I'm logged into my machine where we previously installed Splunk Enterprise. I've got a browser open to the Splunk Web Interface, and it's unable to connect. Since I didn't enable boot-start and have since shut down this machine, Splunk isn't currently running. I can check that by going to /opt/splunk/bin/splunk status. Splunkd is not running. If you want the Splunk software to start automatically when you turn on your machine, you can enter the following command: /opt/splunk/bin/splunk enable boot-start. Perfect. To start it up, I'm going to go /opt/splunk/bin/splunk start. Checking that everything is up and running, and once that's done, I should be able to log in. Perfect.

For starters, we're going to one of the most commonly used places, the Search and Reporting app. Since we haven't got data forwarding to Splunk yet, you'll only be able to see Splunk's own logs about how it and its host are doing. I'm going to type in index equals _internal, just so we have something to see here. From this screen, we have a few options. We could save this as an alert, report or dashboard, and we can go through some different options to visualize the data.

This green eye is another good place to know about. It's a quick overview of the health status of Splunk. Since everything's green, there isn't anything we need to investigate here. Messages can be another good place to check for possible errors and issues. These just tell me there's a newer version available. Another place you can get a more thorough overview of the health and status of Splunk is by going to Settings, Monitoring Console. This page gives us a nice overview of how I'm looking as far as CPU, disk, memory, and license usage. If I click on Health Check, I can run a report for possible issues. We aren't going to go in-depth with this, but you want to know what the different pieces are if you plan to have administrative duties in Splunk.

I'm going to click back on the Settings button here and go to Searches, Reports, and Alerts. You'll immediately notice that there are already some items here. These are alerts designed to let you know when there's a problem with Splunk's health, such as if you're at your license quota, or if you're running out of disk space. These all pertain to the Monitoring Console app. If I click here, I can select all. You'll notice that we have several pages of saved searches, reports, or alerts. If I want, I can look at the ones that I've just built, which is none right now.

I'm going to take a look at users by going to Settings, Users and Authentication, Access Controls. If I click on Users, there's just me right now. But if I wanted to, I could add a new user by clicking here. If I go back and click on Roles, you can see the different default roles that are available. You should be set as an admin right now. But if you wanted to create more limited roles, which is a good idea so that you only give people as much access as they need, you have the ability in Splunk Enterprise to limit users to only access certain data, and to limit their access in other ways. You can also tie accounts to external authentication methods such as LDAP.

Going back to Settings, we can also restart Splunk from the web console by going to Settings, Server Controls. Then we can just click this Restart button if we wanted to. Then under Activity there are two useful options: Jobs and Triggered Alerts. Triggered alerts are just what you'd think, alerts that have recently triggered. If we open up Jobs, it will show you which jobs have recently completed or are currently running, such as searches. If I go back into the Search and Reporting app and run a search, we can see it pop up in there. While data is stored for a while, which is determined by your retention policies, specific searches typically aren't kept for very long. In this Jobs area, if you knew that you wanted to store specific results for a while and maybe share them, you could extend their lifetime in here by clicking on that button. You could also delete the job, such as if you're in a situation where too many searches were run at once and it was causing problems; you could go through and try to delete the unneeded ones. Or if you forgot what that perfect search was that you ran just a minute ago and had closed out the window, it will still show up here.

In future videos we'll get to a lot of these other items, such as looking at data inputs, indexes, and lookups. Now we'll just hop back to my slides for a quiz. True or false? You can restart Splunk from the Web Interface. The answer is true. You can restart Splunk by going to Settings and Server Controls. In our next video, we'll look at different ways to get data into Splunk. Thanks for watching.