Hello and welcome back to the Splunk Enterprise Certified Administrator course here on Cybrary. In this video we're going to be doing a lab on setting up an indexer. So primarily what we're going to do is set up your indexes.conf as well as your inputs.conf for receiving from a forwarder, and we're going to set it up so that we deploy those apps automatically through the deployment server.
So let's get started. First, we'll get into the command line on our deployment server, and we will go to our deployment-apps directory.
Okay, so as you can see, we have some of our apps here. This one is for making our device a license client; we're going to need that for this one. We have this one for sending to our forwarders to get the Windows inputs configured. We have this one for enabling outputs.conf on forwarders so that they send their data on. And then we have this one for configuring our Splunk Enterprise devices, and this one for our Splunk universal forwarders and heavy forwarders. And if you're in a smaller environment where you don't have clustering, you can configure your indexers and search heads as deployment clients too, so you can centrally manage them. So now we're going to need to make some more apps,
so we will make an all-indexers inputs app. Oops, I meant to specify default. And then we will also make one for indexes. So let's start with the inputs and define what inputs we want for a device. So this would technically apply to an intermediate forwarder or an indexer: any device that's receiving data from a Splunk device.
So all we have to do here is specify that we want to enable splunktcp, so literally we can do that with [splunktcp://9997]. So this is just saying accept any Splunk traffic coming in from any device on port 9997. That's all we need there. And then we can also change it so that we have an index defined. So
before we do that, let's just take a quick look at what data we have.
The only data we have is Windows, and we don't want to use the main index basically ever in Splunk, except maybe you could use it as a test, or you could use it as your last-chance or default index. So if data isn't sent to another index, it'll be sent here; or, when you're testing data to make sure your settings are all right, if it comes in as junk it's OK, because you can just remove the data from this index and treat it as a test or non-production index. But you don't want to actually use this. So in our case, since all we have is Windows logs, we're going to make a new index specifically for Windows. And I guess while we're doing this, we'll just pull up the proper documentation, so if we need to reference it to make sure we're getting our configurations right, we can.
So we'll move back over to our indexes.conf. Looks like I'm having some trouble. And we just put the stanza name as whatever we want the index to be called, and then we'll need to define a homePath, a coldPath...
Technically, if we want to make a frozen... if we want this to freeze and archive, we should set that as well. I think we just set the frozen path. Let's look for 'path' in indexes.conf. There's a lot of 'path', and I don't know if I'm in the right file. No, I'm in props; I needed to go to indexes. Let's change that and then find 'frozen'. Yes, so coldToFrozenDir. And there we'll also do frozenTimePeriodInSecs. So that tells us how long... Let's just make sure that's the right one: frozenTimePeriodInSecs, and then we'll also use this setting, maxTotalDataSizeMB,
just for consistency's sake we'll change that. So we'll make this... You can use this variable, $_index_name, to just auto-fill whatever that value is. Their home db will always just be called db, and the reason it's nice using that variable is that you can just copy-paste these, and every time you make a new index it automatically swaps that out with the new index name. That way you don't have to actually figure anything out; you just copy-paste, and since it's being dynamically filled, it will automatically take care of itself. So that's just a little pro tip to save a little bit of time when you're configuring these.
So then this one over here is your colddb, and then we'll do... actually, I'm going to do a separate directory, because in the real world a lot of times it will be a separate directory, but also because there are a couple of cool things I want to show you. For one, if you have an index directory that doesn't have the proper permissions and ownership, or doesn't exist and Splunk can't create it, then it will actually cause some serious problems with Splunk. So I kind of want to demonstrate that. So we'll call this our archive, and we'll put this in the opt directory. That will do. We'll do frozendb, something like that; makes sense to me. So frozenTimePeriodInSecs: that's how many seconds we want to retain data before it rolls to frozen. We could do
like a year, maybe. Let's just calculate how many seconds are in a year: 60 seconds in a minute, 60 minutes in an hour, 24 hours in a day, 365 days in a year. Uh, I missed something. It was like a big number. 60 seconds in a minute, times 60 minutes, times 24, times 365. Look at that: 31,536,000. And then we'll just set this one too. Is that right? I think so. Okay, so that defines our Windows index. Get rid of our calculator now.
So now we have our inputs defined and our index defined. That's enough for a baseline to get our indexers ready. So I'm going to make server classes to deploy these. Now, just keep in mind that if you have an indexer cluster, you would not use the deployment server to do this; you would use the cluster master. But since I have just this, this is what I'll be using.
So we'll call this all_indexers. This is going to be the baseline apps that we send to all of our indexers. This one will already be sent to it automatically; this one doesn't apply to all indexers. And this one... so these two, all indexers will always need. We'll give this... add clients to this.
So I can't really demo this exactly, because my devices are all on one: my deployment server is my indexer. But you would just set this up so that it goes to, say, a naming convention if you had one; that would be ideal, idx* or something like that, however your naming convention works. Or if you're on your cluster master, you just put these apps in the master-apps directory on the cluster master, and it'll only push to the indexers in the cluster, so that will work automatically. But now, just to demo the indexes input, I'm going to copy that app. I guess I'll just copy that indexes.conf and overwrite my local one, and now restart Splunk to show you, because I don't have that frozen directory made. So that will break Splunk, and I just want to demonstrate that and then fix it, so that you'll have seen it.
So let's go full screen for this. Yeah, so this will break it. Splunk does not like any of its index paths missing. I think it will show us in the error log in the boot-up sequence, but it might not; it might be silent. But it's something to look out for; I've run into this problem before. It's something good to be cognizant of. Just make sure you have your directories built and in place before you go about, you know, changing indexes.conf.
And then maybe once we get this index actually built, we can switch our input over to forward to the new Windows index instead of the main index, just to demonstrate that it's working.
It looks like we've got a minute here to wait for this to restart. Taking much longer than usual. Sometimes when you're indexing data, Splunk will take a while, because it's got to wait till it's at a good spot so it won't lose any data before it shuts down. But I do think that this is kind of unusual, unless it's already actually restarted and it's hanging up on the... We can check status; it should be stopped. I don't know. It did not stop. We'll do stop. There we go. Now we'll just do a manual start.
Problem parsing indexes.conf: cannot load this index configuration, thawedPath not configured. Okay, whoopsie. So we actually missed a setting, so we've got to fix that first: specify a thawedPath. That's in system/local. We'll just do that, and let's try starting it up again.
This time it stopped, and it doesn't give us a reason why. If we dug into the logs we'd be able to find it, but we know, because I already said this was kind of an intentional break.
So if we wanted to fix this, all we would need to do is, if you remember what our directory was, we made archive in /opt. So we're in the right spot; we just need to make it there, although I won't be able to as splunk. So I will mkdir it, chown archive splunk:splunk, and then check the permissions. And that should be good. So let's switch back to our splunk user.
Let's go back to... And now you can see Splunk... it still did not start. Let's make sure I typed it right. It's just in local, in indexes.conf: /opt/archive/$_index_name/frozendb. Technically, as long as... So /opt/archive. Where did that go? Did I actually make it in the wrong spot?
Oh yes, I did. See this? I didn't put in the leading... I didn't put in the absolute path, or a dot-forward-slash, so I made that directory in the wrong spot. So we'll go back; we'll first do a good cleanup and remove this, and then we will make our /opt/archive, and then we will chown that, which just changes ownership. Okay, now we've sudoed back. I knew I was forgetting something. And then we can start it back up, and this should work this time. Sometimes it's a process of trial and error. Woo. Okay, so that's all better.
So now let's do a quick... we should make sure that we have the right version now in our lab: system/local/indexes.conf will overwrite /opt/splunk/etc/deployment-apps/... I forget the name; if you do tab, it'll pop out everything. All indexers indexes... oh wait, no, default/indexes.conf. Overwrite that.
And now we'll also do a quick change to forward data: all windows inputs, default, inputs.conf. We'll change the index now. I will save that. And then we'll use this command to reload the deployment server. This will update basically any server classes and changes in apps, and then it will cause the deployment clients to download a new copy, which means basically our forwarder, which is my actual host device, this desktop that I'm on, will check back into the deployment server, download the new app configurations, and then restart, and then it will start forwarding to our new index.
So hopefully my explaining that gave us enough time for the settings to have gone through, and we can just check on our index and see if we get any events.
Could be a minute. We could do main and make sure that there are still events coming in, last 15 minutes. You can see they stopped, so it could just be in the process of restarting. Give it another search. We could set this to real time to watch and wait for something to come in. Make sure we set our settings properly: it's just windows. Yeah, I was just checking to make sure the spelling is right and everything. It's possible no events have happened, but going in there could trigger one. If I run this as administrator or something, I wonder if that triggers it. There we go.
We got some events, so we can see that our new index is working properly; we're getting events. And later on, in another lab, we'll use that frozen directory to roll some data to, so we'll come back to that. But so far in this lab we covered everything we wanted to: we showed you how to set up inputs on an indexer so that it receives data from another Splunk instance, and we also showed you how to set up a new index, and talked about a couple of little hiccups you might run into, and some tips and tricks, like using the index token. So that's everything you need to know from a basic perspective of setting up an index and getting an indexer ready to receive data. So that ends it for this video, and we'll see you in the next one.
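As an added example that is not part of the video (the lab builds these files by hand in an editor), here is a bash script that writes the two deployment apps discussed above, the all-indexers inputs app with its [splunktcp://9997] stanza and the indexes app using the $_index_name token and the frozenTimePeriodInSecs value worked out with the calculator, and then pre-flight checks every path the generated indexes.conf references. It covers both failure modes seen in the lab: thawedPath is always written, so the "thawedPath not configured" start failure cannot happen, and an archive root the splunk user cannot create under (the /opt/archive problem) is reported before the restart instead of showing up as a silent failed start. The app names all_indexers_inputs and all_indexers_indexes, the /opt/archive/<index>/frozendb layout, 500000 MB for maxTotalDataSizeMB and 365-day retention are assumptions, not values the video fixes.

```shell
#!/usr/bin/env bash
# Added example (not from the video): builds the two deployment apps the lab
# creates by hand and pre-flight checks the index paths before a restart.
# App names, the /opt/archive layout and the retention values are assumptions.

# Seconds to keep data before it rolls to frozen: 60 s * 60 min * 24 h * days.
# 365 days -> 31536000, the number worked out in the video.
days_to_secs() {
  echo $(( 60 * 60 * 24 * $1 ))
}

# inputs.conf for a receiver: accept forwarder traffic on 9997 (splunktcp).
# $1 = deployment-apps directory. Prints the path of the file written.
write_inputs_app() {
  local app="$1/all_indexers_inputs/default"
  mkdir -p "$app"
  cat > "$app/inputs.conf" <<'EOF'
[splunktcp://9997]
disabled = 0
EOF
  echo "$app/inputs.conf"
}

# indexes.conf for one index. Splunk expands $_index_name to the stanza name,
# so the same four path lines can be pasted into every new stanza unchanged.
# thawedPath is required; leaving it out is the "thawedPath not configured"
# start failure from the video. $1 = deployment-apps dir, $2 = index name,
# $3 = retention in days, $4 = archive root (e.g. /opt/archive, assumed).
write_indexes_app() {
  local app="$1/all_indexers_indexes/default"
  mkdir -p "$app"
  cat > "$app/indexes.conf" <<EOF
[$2]
homePath = \$SPLUNK_DB/\$_index_name/db
coldPath = \$SPLUNK_DB/\$_index_name/colddb
thawedPath = \$SPLUNK_DB/\$_index_name/thaweddb
coldToFrozenDir = $4/\$_index_name/frozendb
frozenTimePeriodInSecs = $(days_to_secs "$3")
maxTotalDataSizeMB = 500000
EOF
  echo "$app/indexes.conf"
}

# Pre-flight: for every path in an indexes.conf, either the directory already
# exists or its nearest existing ancestor must be writable by the user that
# runs splunkd, otherwise the restart fails. Run this as the splunk user
# (as root every directory looks writable). $1 = indexes.conf,
# $2 = value of SPLUNK_DB. Prints one line per path; non-zero if any would block.
check_index_paths() {
  local conf="$1" db="$2" idx="" key val path probe rc=0
  while IFS= read -r line; do
    case "$line" in
      "["*"]")
        idx="${line#\[}"; idx="${idx%\]}" ;;
      homePath*|coldPath*|thawedPath*|coldToFrozenDir*)
        key=$(printf '%s' "${line%%=*}" | tr -d ' ')
        val=$(printf '%s' "${line#*=}" | sed 's/^ *//; s/ *$//')
        # Expand the two tokens the way Splunk would for this stanza.
        path=$(printf '%s' "$val" | sed -e "s|\\\$SPLUNK_DB|$db|g" -e "s|\\\$_index_name|$idx|g")
        probe="$path"
        while [ ! -d "$probe" ]; do probe=$(dirname "$probe"); done
        if [ -w "$probe" ]; then
          echo "ok      [$idx] $key -> $path"
        else
          echo "BLOCKED [$idx] $key -> $path (cannot create under $probe)"
          rc=1
        fi ;;
    esac
  done < "$conf"
  return "$rc"
}

# Usage (paths assumed): build both apps, then check before `splunk restart`.
# apps=/opt/splunk/etc/deployment-apps
# write_inputs_app "$apps"
# f=$(write_indexes_app "$apps" windows 365 /opt/archive)
# check_index_paths "$f" /opt/splunk/var/lib/splunk && echo "safe to restart"
```

The check reproduces the lab's second failure in the shell rather than in splunkd's start-up: with /opt owned by root and no /opt/archive yet, coldToFrozenDir is reported BLOCKED until the directory is created and chowned to splunk, exactly the fix applied in the video.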