Time
6 hours 3 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello and welcome back to the Splunk Enterprise Certified Administrator course on Cyber. In this video we're gonna be doing a lab on setting up an indexer. So primarily what we're going to do is set up your indexes.conf as well as your inputs.conf for a forwarder, and we're going to set it up so that we deploy
00:20
those apps automatically through the deployment server.
00:24
So let's get started. First, we'll get into the command line on our deployment server, and we will go to our deployment-apps directory.
00:36
Okay, so, as you can see, we have some of our apps here. So this is for making our device a license client. We're gonna need that for this one. We have this for sending to our forwarders to get the Windows input configured. We have this for enabling outputs.conf for forwarders so that they send
00:56
to Splunk.
00:57
And then we have this for configuring our Splunk Enterprise devices, not for our Splunk universal forwarders and heavy forwarders. And,
01:06
um, if you're in a
01:07
smaller environment where you don't have clustering, you can configure your indexers and search heads as deployment clients too, so you can centrally manage them. So now we're going to need to make some more apps
01:23
so we will make all
01:26
splunk inputs
01:30
and, oh, I meant to specify default, and then we will also make
01:38
oh
01:41
indexes. So let's start with
01:46
this one
01:48
and define
01:49
what inputs we want for a device. So this would technically apply to an intermediate forwarder or an indexer, any device that's receiving data from a Splunk device.
02:02
So all we have to do here is specify that we want to enable splunktcp, so literally we can do that.
02:10
Uh, with colon,
02:14
slash slash,
02:15
9997. So this is just saying accept traffic, any Splunk traffic coming in from any device on port 9997.
02:24
That's all we need there. And then
02:28
we can also change it so that we have an index defined. So
02:36
before we do that, let's just quick look at what data we have.
02:42
The only data we have is Windows, and we don't want to use the main index basically ever in Splunk, except maybe you could use it as, like, maybe a test, or you could use it as your, like, last-chance or default index. So if data isn't sent to another index, it'll be sent here,
02:59
or so that when you're testing data to make sure your settings are all right,
03:02
if it comes in as junk, it's OK because you could just remove the data from this index and treat it as, like, a test or a non-production index. But you don't want to actually use this. So in our case, since, well, all we have is Windows logs, we're going to make a new index specifically for Windows. And I guess while we're doing this,
03:22
we'll just pull up the proper documentation.
03:24
So if we need to reference it, make sure we're getting our configurations right. We can,
03:30
so we'll move back over to our indexes.conf.
03:35
Looks like I'm having some trouble
03:37
and we just put the stanza name as whatever we want the index to be called, and then we'll need to define a homePath, a coldPath, uh,
03:49
Technically, if we want to make a frozen,
03:53
um, if we want this to freeze and archive, we should
03:57
set that as well. I think we just set frozen path.
04:03
Let's look for "path"
04:12
in my indexes.
04:14
There's a lot of "path" in here, and
04:17
I don't know if I'm in the right file. No, I'm in props. I need to go to indexes.
04:25
So
04:26
let's change that to
04:30
indexes
04:31
and then find "frozen".
04:41
Yes, so cold-
04:44
to-frozen. And there,
04:49
so set that. We'll do, um,
04:55
frozen time period here
04:59
in secs. So that tells us how long. Let's just make sure that that's the right
05:08
frozenTimePeriodInSecs, and then we'll also use this setting, maxTotalDataSize
05:14
MB,
05:19
just for consistency's sake we'll change that. So we'll make this
05:27
$SPLUNK_DB
05:30
slash.
05:33
You can use this variable to just auto-fill whatever that value is.
05:40
Their home DB will always just be called db,
05:47
and the reason that it's nice using that variable is so you could just copy-paste these every time you make a new index, and it automatically changes that out with the new index name. And that way you don't have to, like, actually figure anything out, you just copy-paste,
06:04
and since it's being dynamically filled, it will automatically take care of itself.
06:09
So it's just a little pro tip to kind of save a little bit of time when you're configuring these
06:13
So, then this one for your colddb,
06:17
and then we'll do,
06:21
actually, so I'm gonna do a separate directory, because in the real world a lot of times it will be a separate directory, but also because there's a couple cool things I want to show you. For one, if you have a,
06:38
um, index directory
06:40
that doesn't have the proper permissions and ownership, or doesn't exist and Splunk can't create it, then it will actually cause some serious problems with Splunk. So I kind of want to demonstrate that, so we'll call this our archive,
06:58
and we'll put this at, we'll put this in our opt directory.
07:01
That will do.
07:09
We'll do frozen db, something like that. Makes sense to me. Um, so frozenTimePeriodInSecs, that's how many seconds we want to retain data before it rolls to frozen. We could do
07:23
like a year, maybe. Let's just calculate how many seconds are in a year. 60 seconds in a minute, 60 minutes in an hour, 24 hours in a day, 365 days in a year.
07:36
Uh, I missed something.
07:41
It was like a big number.
07:43
60 seconds in a minute.
07:46
Times 60 minutes in an, you know,
07:49
hour,
07:50
times 24
07:53
times that. No, that looks very
07:56
Look at 315
07:58
36
08:00
31536
08:03
123
08:05
And then we'll just say like,
08:07
I m terribly.
08:11
Is that right? I think so.
08:15
Okay, so that defined our Windows index.
08:18
Get rid of our calculator now.
08:22
So now we have our inputs defined and our index is defined. So that's enough for a baseline to get our
08:31
indexers ready. So I'm going to make
08:35
server classes to deploy these. Now,
08:39
just keep in mind that if you have an indexer cluster, you would not use the deployment server to do this, you would use the cluster master.
08:48
But since I have
08:52
just this, this is what I'll be using.
08:54
So we'll call this all indexers. This is gonna be
09:00
the baseline apps that we send to all of our indexers.
09:03
So
09:07
this will already be sent to it automatically. This doesn't apply to all indexers,
09:13
and this. So these two, all indexers will always need.
09:20
We'll give this
09:24
technically
09:30
okay, unless
09:33
add clients to this
09:39
indexers,
09:41
we're gonna
09:45
so I can't really demo this exactly, because my devices are all on one. My
09:52
deployment server is my indexer. But you would just set this up so that it goes to, like, if you had a naming convention, that would be ideal, idx or idx-star, however your naming convention works. Or if you're on your cluster master,
10:07
you just put these apps in the master-apps directory on the cluster master,
10:13
and it'll only push to the indexers in the cluster, so that will work automatically.
10:20
But now, like, just to demo this indexes input, I'm going to copy that app.
10:31
A copy.
10:37
Uh, I guess I'll just copy that indexes.conf
10:41
and I'll overwrite my local one
10:52
and now restart Splunk to show you, because I don't have that frozen directory made, so that will break Splunk. And I just want to demonstrate that and then fix it so that you can have seen that.
11:09
So let's get full screen for this.
11:13
Yeah, so this, so this will break it. Splunk does not like it if any of its indexes aren't in place. I think it will show us an error log in the boot-up sequence,
11:24
but it might not. It might be silent,
11:26
and
11:28
but something to look out for. I've run into this problem before.
11:31
Um, so
11:33
it's something good to be cognizant of.
11:37
Just make sure that you have your directories built and in place before
11:43
you go about, you know,
11:46
changing indexes.conf.
11:48
And then maybe once we get this index actually built, we can switch our input over to forward to the new Windows index instead of the main index, just to demonstrate that it's working.
12:05
It looks like we got a minute here to wait for this to restart.
12:16
Taking much longer than usual.
12:18
Sometimes when you're indexing data, like, Splunk will take a while because it's gotta wait till it's at a good spot and
12:26
it won't lose any data before it shuts down. But I do think that this is kind of unusual,
12:35
unless it's already actually
12:39
restarted and it's hanging up on the
12:43
store.
12:46
We can check status, should be stopped.
12:50
I don't know. It did not stop.
12:54
We'll do stop.
13:01
There we go
13:03
now. We'll just do a manual start
13:07
Problem parsing indexes.conf: cannot load this index configuration,
13:13
thawedPath not configured.
13:16
Oh, clubs.
13:20
Okay. Whoopsie. So we actually missed the setting. So we got to
13:24
fix that first
13:28
specify a thawedPath
13:37
That's in system local.
13:45
We'll just do
13:48
$SPLUNK_DB
13:54
thaweddb,
14:00
and let's try starting it up again.
14:05
Uh, see,
14:07
this time it stopped.
14:09
And it doesn't give us a reason why
14:11
if we dig into the logs, we'd be able to find it. But
14:16
I just, we know, because I already said that this was kind of an intentional break.
14:22
So if we wanted to fix this, all we would need to do
14:24
is, if you remember what our directory was, we made archive in the opt.
14:31
So we're in the right spot. We just need to make there, although I won't be able to as Splunk.
14:37
So I will make dir
14:41
and then
14:43
chown archive splunk splunk,
14:50
and then check the permissions, and that should be good. So we'll switch back to our Splunk user.
14:58
Let's go back to
15:16
And now you can see Splunk,
15:18
whoa, it still did not start.
15:26
Let's make sure I typed it right.
15:30
Um
15:31
it's just in local, in indexes.conf,
15:39
we've got
15:41
opt, archive, index name, frozendb,
15:48
technically, as long as, so opt archive.
16:03
Where did that go?
16:04
Did I actually make it in the wrong spot?
16:10
Oh, yes, I did. See this, I didn't put in the leading, um, I didn't put in the absolute path or, like, a dot forward slash. So I made that directory in the wrong spot. So we'll go back, we'll first do good cleanup and remove this,
16:26
and then we will make dir opt archive.
16:32
And then we will,
16:33
uh, chown, that just changes ownership
16:37
to splunk
16:38
slow.
16:41
Okay, now we'll sudo back
16:47
Splunk.
16:49
I knew I was forgetting something,
16:52
and then we can start it back up. And this should work this time.
16:56
Sometimes it's, ah, sometimes it's a process of trial and error.
17:04
Woo. Okay, so that's all better.
17:07
So now let's do a quick. Um,
17:10
we should make sure that we have the right version now in our lab
17:17
system local, uh, indexes.conf, and we'll overwrite opt, Splunk, etc, deployment-apps,
17:27
Um,
17:30
I forget the name. If you do tab, it'll pop out everything. All indexes, indexes dot,
17:37
oh, wait, no, default,
17:41
indexes.conf, overwrite that.
17:44
And now we'll also do a quick change to forward data,
17:48
deployment-apps,
17:52
um, all windows inputs, default,
17:56
inputs.conf. We'll change this index now
18:00
to windows.
18:03
I will save that.
18:07
And then we'll use this command
18:15
to reload the deployment server, and this will
18:21
update basically any server classes and changes in apps, and then it will cause the deployment server, or the deployment clients, to download a new copy, which means basically our forwarder, which is my actual host device, this desktop that I'm on,
18:37
will check back into the deployment server, will download the new app configurations,
18:42
and then restart, and then it will start forwarding to our new index.
18:48
So hopefully me explaining that gave us enough time for the settings to
18:55
have gone through. And we can just check on our
18:57
Windows
19:02
Index and see if we get any events.
19:07
Not yet.
19:10
Could be a minute. We could do main and make sure that there are events still coming in,
19:15
last 15 minutes.
19:18
You can see they stopped, so it could just be in the process of restarting.
19:23
Give it another search.
19:27
We could set this to real time to, to watch and wait for something to come in.
19:38
Make sure we set our settings properly.
19:44
Windows.
19:52
You're just windows.
20:04
Yeah, I was just checking to make sure the spelling is right and everything.
20:07
It's possible no events have happened, but
20:11
going there could trigger one.
20:15
If I run this as administrator or something.
20:18
Do you?
20:19
I wonder if that triggers.
20:26
There we go.
20:30
So
20:33
we got some events, so we can see that our new index is working properly. We're getting events, and later, in another lab, we'll use that frozen directory to thaw some data, so we'll come back to that.
20:45
But so far, in this lab, we covered everything we wanted to. We showed you how to set up inputs on an indexer so that it receives data from another Splunk instance, and we also showed you how to set up a new index and
21:00
talked about a couple little hiccups you might run into, and some tips and tricks and stuff like using the index token.
21:07
So that's everything you need to know from a basic perspective of setting up an index and getting an indexer ready to receive data. So that ends it for this video, and we'll see you in the next one.


Splunk Enterprise Certified Administrator

The course is designed around the guidelines provided in Splunk’s Test Blueprint for the Certified Administrator certification, Splunk Docs, the Splunk Data and System Admin courses, and the experience of a Splunk Professional Services Consultant.

Instructed By

Anthony Fecondo
Splunk Professional Service Consultant
Instructor