Time
6 hours 3 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello and welcome back to the Splunk Enterprise Certified Administrator course on Cybrary. This is the beginning of module four, where we'll be discussing configuration files. It's one of the first modules where we're gonna get into some really technical stuff and, well, basically cover some core information about
00:18
configuration files in Splunk: how you can set configurations, how configurations are compiled, and then when and where they're applied in Splunk.
00:32
So, as you can see from the course outline, we're still towards the beginning half of this course. This is, like I said previously, gonna be the first really technical deep dive that we do in this course, and it's going to set the pace, basically, for the rest of the lessons.
00:50
So we'll just get started on this module's first lesson, 4.1, which will be just a quick overview of configuration files in Splunk.
01:00
But before we get started, let's do a quick knowledge assessment, just to check what you remember from our discussion about licenses. So the question is: how many consecutive hours must the license master be unreachable before searches are blocked? So if you need a couple of seconds to review the answers and pick one,
01:19
you can pause the video here, and on the next slide we'll answer this.
01:23
So the answer is 72 hours. If any Splunk Enterprise device goes 72 hours without contacting the license master,
01:34
you will technically be in license violation. Just keep in mind that if you have a Splunk Enterprise license, it's a non-enforcement license, and so there's really no penalty for that.
01:47
So now, on to the actual contents of this lesson. Let's first go over what we're anticipating to learn here. So we're gonna review SPLUNK_HOME, what that variable is. Then we'll talk about the Splunk configuration directory structure, basically where you'll find different Splunk
02:04
configuration files on disk,
02:06
the different ways that we can change Splunk configurations, and the preferred method among those ways to actually make the configuration changes. And then we'll talk about configuration files and the structure that they all follow, and basically how to write one in Splunk.
02:23
So why are we learning this? This is going to be incredibly important. This is gonna be how we configure Splunk, how we tell it what to do, for the rest of the lessons. So you really can't
02:32
do any Splunk administration without understanding these topics. It's probably the single most important topic in
02:44
this entire course.
02:46
So let's get started talking about what SPLUNK_HOME is. Essentially, it is an environment variable. For those of you who don't know what that means: basically, at the OS level, SPLUNK_HOME is a variable that defines the install path of Splunk. So you can reference this; it'll basically be dynamically set
03:07
on the device that Splunk is installed on. So if you don't always install Splunk in the default locations, like /opt/splunk or C:\Program Files\SplunkUniversalForwarder,
03:17
then you can just use the $SPLUNK_HOME variable and know that the remainder of your path will always match. So it makes it a little more dynamic and less error-prone than if you were to set an absolute or hard-coded path,
03:34
which means explicitly typing out something like /opt/splunk/etc/apps.
03:38
So imagine you were on a system where it wasn't installed in /opt and maybe was installed in
03:46
/etc or something. It doesn't matter where else it was installed: if you had written that absolute path, then basically the program you're looking for, the file you're looking for, would not be there. So the SPLUNK_HOME variable eliminates that mess.
04:02
As you can see, I listed basically what
04:05
SPLUNK_HOME tends to be on both Linux and Windows. You can see that if it's a forwarder instance, the name of the install file path will actually be different than if it's a Splunk Enterprise instance.
04:21
That's basically all we need to know about SPLUNK_HOME. Now let's talk quickly about the Splunk configuration directory structure. So these are basically the two primary locations where you will find Splunk configurations. They'll either be in $SPLUNK_HOME/etc/system, and then there will be two folders, either default or local,
04:40
and the .conf files will reside
04:42
in either of those directories; or they'll be in $SPLUNK_HOME/etc/apps/<app name>, and then another default or local directory, where additional .conf files will exist.
04:56
So, as for the means of changing these configurations, you can do one of three options. You can set it in Splunk Web, or you can set it via the command line: Splunk has a lot of commands that will allow you to make configuration file changes without directly accessing the configuration file.
05:15
For example, you could add a forward-server, and that will
05:17
basically add an indexer
05:21
as a recipient in your outputs.conf file. Or you can edit the .conf files directly. And so
05:29
essentially either of the first two methods is an indirect means of doing the third method. So when you make changes in Splunk Web, it's written to a .conf file somewhere; you just have to know where. Same with when you run a Splunk command-line command:
05:48
it will take whatever command you do and translate that into the appropriate file and the appropriate configurations in that file.
05:57
And so because of that, really, modifying the .conf files is the preferred configuration method. It's definitely more precise, and it allows you more granular control over which configurations you want to make. But more importantly, there are also certain configurations that you can only make through
06:16
the files directly.
06:18
So it's the best way to do it. And also, in my opinion, when you
06:26
are looking at the actual configuration files and you're reading through the specifications on how the file works and what options are available, I think that it promotes a much better understanding of Splunk. And so that, in addition to the other reasons, really makes this the preferred configuration method. I just have a quick note here
06:46
to never change any files that reside in the default directory.
06:50
If you're gonna make changes, basically you should copy the configuration, make a new file or edit an existing local file, and add those configurations there.
07:02
And the reason for that
07:04
is basically that if it's in an app, so $SPLUNK_HOME/etc/apps/<app name>/default, or if it's in $SPLUNK_HOME/etc/system/default,
07:15
then those things get destructively overwritten. So if I pushed a newer version of an app and you had made changes in your default directory, when I installed the new version of the app it would just wipe everything that was in default and replace it with the new default, whereas local would persist and won't be touched at all.
07:34
The same thing happens if you were to upgrade Splunk. It'll destructively overwrite all of the default directories.
07:42
And so if you made your configurations there, they would be lost on an upgrade of either Splunk or the app. So definitely stick to making your configuration changes in the local directory.
07:54
So now let's quickly talk about the configuration file structure. We understand what the configuration files are and where they reside. Now let's talk about basically how they're made, or what they're made up of, so that we can get a better understanding of how we can make changes to them. So, first off, every configuration file is going to consist of stanzas, which are basically
08:13
some sort of
08:16
specification of
08:18
either the name of what the configuration is, so that you can reference it later, or the scope of the data that the following settings will be applied to.
08:28
So this will always look like square brackets with some value in between them. And then every stanza will have a number of attributes, basically defined by your .conf file. Each different kind of stanza in each different file will have a different number of options that you can set,
08:48
and that's what these attributes are. They're basically key-value pairs that sit under a stanza
08:54
and define the specific configurations that apply to that stanza.
09:00
Then, just as a note, each .conf file will be unique. So there are gonna be different ways to specify your stanzas, and there are gonna be different attributes for each of those stanzas. So really, you need to go to the admin manual and reference the spec files for the configuration files to understand
09:18
how to configure things and what to do
09:20
with those files. We'll talk more about individual files and how to configure them throughout the course, so that should help you get a better grasp on this idea. This is just to kind of give you an initial, high-level understanding of what these configuration files are like.
09:37
So in summary, we covered what SPLUNK_HOME is. We know it's an environment variable that indicates where Splunk is installed. We talked about where the configuration files reside, so we know it's one of two locations: it's going to either be in $SPLUNK_HOME
09:52
/etc/system/default or local, or $SPLUNK_HOME/etc/apps/<app name>/
10:01
default or local. Then we talked about how you can change the configurations: you can do it through Splunk Web or the CLI, or directly by using a text editor to edit the .conf files. And we decided, based on a number of factors like just the granularity and the promotion of actually understanding Splunk and its configurations,
10:20
for those reasons, we decided that
10:22
editing configuration files directly is the better way. It's the best way to make most configurations. There will be
10:31
a couple of variances from that, but we'll call those out on a case-by-case basis. So just as a general rule, the preferred method is to edit the configuration files directly. And we talked about the configuration file structure
10:46
and how they consist of a stanza and a number of attributes, and basically they're very different based on which configuration file you're working with.
10:54
You should reference the spec files to get a better understanding. That covers everything, from a high-level overview, that you need to understand about Splunk configuration files. So that's gonna wrap up this lesson, and we'll see you in the next one.

Up Next

Splunk Enterprise Certified Administrator

The course is designed around the guidelines provided in Splunk’s Test Blueprint for the Certified Administrator certification, Splunk Docs, the Splunk Data and System Admin courses, and the experience of a Splunk Professional Services Consultant.

Instructed By

Anthony Fecondo
Splunk Professional Service Consultant
Instructor