Hi. In this video we'll monitor data using the universal forwarder we installed in the previous video. To start off, we'll talk about what Splunk configuration, or .conf, files are. Then we'll go into an example of monitoring some files by modifying the inputs.conf file on the machine where I installed the universal forwarder, and we'll make sure we configure receiving on our Splunk server in order to get these logs.
Many, but not all, configurations can be done in Splunk Web. But if you want to pursue any kind of Splunk administration, you should know how to modify these configuration files directly. You do not want to change .conf files under the default folder; instead, create a new file under the local directory.
You might remember what a stanza is from literature class. In a Splunk configuration file, stanzas are sections that start with a bracketed name and contain configuration parameters. Here's an example of two stanzas in a config file. Sometimes you may need to restart Splunk after making changes. There are many different rules for when this is required, but if you aren't seeing your changes, it may be because Splunk needs to be restarted for them to take effect.
There are many important config files, but inputs.conf is a good one to work with. This file is located under SPLUNK_HOME, which by default is either /opt/splunk or Program Files\Splunk, and then etc/system/local.
I'm going to pull up the machine where I have the universal forwarder installed. I'm pretending there's important stuff in this logs folder here, and I want to collect it in Splunk. I've copied this file path over to Notepad, and it's in the right format for what we would need to copy into the inputs.conf file. I've also given it an index where I want this data to go. I need to run Notepad as an administrator in order to save these changes to the Splunk config files, so I'm going to right-click on Notepad and hit Run as administrator.
Now I can go to File, Open, navigate to C:\Program Files\SplunkUniversalForwarder\etc, and change the filter from .txt to All Files, and now we see these files in here. The installer automatically gave a host name in this inputs.conf file, and now I want to add the extra pieces in here. So I'm going to copy the stanza in and click Save. Then I'm going to open up Services, right-click on the SplunkForwarder service, and click Restart.
Now we want to make sure we're actually getting this data into the Splunk Web interface. Before I jump back to my Splunk server, I want to go through a few reminders. When we installed the universal forwarder, we said our deployment server was the same machine as our search head and our indexer, so we've got it all in one; that Splunk server is functioning in multiple roles. So when we installed the universal forwarder, we said that's our deployment server, and it uses the default management port of 8089. We also set that machine as an indexer that the forwarder would send data to over port 9997.
If we go to our Splunk server here, we can go to Settings, Forwarder Management, like we did when we installed the universal forwarder, and see that this host is reporting: it phoned home a minute ago. So it's communicating with this instance as a deployment server. However, we're not going to get any of the events we just set up on our universal forwarder, because Splunk isn't yet configured to receive events as an indexer.
If I open up a command prompt here and run the netstat command, we can see that port 8089 is already set up and being listened on, but there's nothing for port 9997.
To fix this, I'm going to go back here, go to Settings, Forwarding and receiving, then Configure receiving, New receiving port, and enter 9997, which is what we set up on the universal forwarder to send to this server as an indexer. I'm going to save that.
Now, if I open up that command prompt again and run the netstat command again, we see that it's now listening on that port.
So now if we go to the Search & Reporting app, we should be able to run a search for these events. We set it up as index=ms, and there's nothing here. So what needs to happen next is this: we never actually configured that index, so the forwarder is trying to send to an index that doesn't exist. Go to Settings, Indexes, and we're going to create a new index. We'll call that ms and save it. Then go back to Search & Reporting.
The other thing that I need to do is hop over here and actually put something in this folder. Now that this folder is being monitored, I'm just going to save a random note in there so that we have something to see in Splunk. So now when I run the search, we get just this last file that I added.
So this is kind of a silly example, but it is exactly the same thing you would do if you were getting logs in this folder and things like that. From there we could go and break out the different fields like we talked about in the last video. But we've successfully got events into Splunk from our universal forwarder by monitoring a file path.
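As an added example (not code from the video or from Splunk itself), here is a small Python checker that parses the Splunk .conf stanza format described above and flags the three things this walkthrough had to get right: an enabled monitor stanza on the forwarder, an index that actually exists, and an enabled splunktcp receiving stanza on the indexer. The file contents, the host name and the monitored path are constructed samples.

```python
import re

STANZA_RE = re.compile(r"^\[(.+)\]$")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} ([name] headers, key = value, # comments)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def enabled(settings):
    """A stanza is active unless it carries disabled = 1 (or true)."""
    return settings.get("disabled", "0").lower() not in ("1", "true")


def check_pipeline(fwd_inputs, idx_inputs, indexes_conf):
    """Return the problems that would keep forwarded events out of search."""
    fwd, idx, indexes = (parse_conf(t) for t in (fwd_inputs, idx_inputs, indexes_conf))
    problems = []
    monitors = {n: s for n, s in fwd.items() if n.startswith("monitor://") and enabled(s)}
    if not monitors:
        problems.append("forwarder: no enabled monitor:// stanza")
    for name, settings in monitors.items():
        target = settings.get("index", "main")  # Splunk's default index when none is set
        if target not in indexes:
            problems.append(f"forwarder: {name} sends to undefined index '{target}'")
    if not any(n.startswith("splunktcp://") and enabled(s) for n, s in idx.items()):
        problems.append("indexer: no enabled splunktcp:// receiving stanza")
    return problems


# Constructed samples: forwarder inputs.conf (installer-written host plus the
# monitor stanza added in the video), indexer inputs.conf before and after
# enabling receiving on 9997, and indexes.conf without and with the "ms" index.
FWD_INPUTS = "[default]\nhost = win-host\n\n[monitor://C:\\logs]\nindex = ms\n"
IDX_INPUTS_BEFORE = "[splunktcp://9997]\ndisabled = 1\n"
IDX_INPUTS_AFTER = "[splunktcp://9997]\ndisabled = 0\n"
INDEXES_WITHOUT_MS = "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n"
INDEXES_WITH_MS = INDEXES_WITHOUT_MS + "\n[ms]\nhomePath = $SPLUNK_DB/ms/db\n"
```

Running `check_pipeline(FWD_INPUTS, IDX_INPUTS_BEFORE, INDEXES_WITHOUT_MS)` reports both failures hit in the video (missing receiving port, missing index), and the "after" samples produce an empty list.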
After modifying a .conf file, you may need to ____ in order for the changes to take effect. There are a few possible answers; "save your work" is a good one, but the one I was looking for was "restart Splunk".
Thanks for watching. In the next video, we'll start Module 5, where we'll work on creating alert searches, reports and dashboards.