Splunk Overview


Time
6 hours 3 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
00:00
Hello and welcome to the Splunk Enterprise Certified Administrator course on Cybrary. So this is Module 2, Admin Basics. As we mentioned before, this is going to be a pretty high-level course talking about things like what is Splunk and the different components that make up ***.
00:18
I'm also going to *** architectures. So there'll be three lessons in this module.
00:22
We're going to move ahead into Lesson 2.1, which is the overview of Splunk.
00:28
And in this lesson, the plan is to make sure that you know what Splunk is, and then also the three core functions of Splunk.
00:37
So why are we learning this? I think before we get into configuring and working with the tool, first it's important to understand what it is and what problems it solves. Then also, when we talk about Splunk in terms of its three core capabilities, we're also going to break that down into the three phases
00:56
of Splunk,
00:58
you know, and how data moves through Splunk. And I think that's going to be very important in later lessons, based on some common mistakes that I've seen in environments as a consultant. Just understanding, you know, which configurations and which components are associated
01:15
with which function of Splunk
01:19
will help to make sure that you're placing your configurations in the right place, or, when you're troubleshooting, that you're going to the right device. So I think that it's important to start talking about that concept early and really getting it front of mind.
01:34
So what is Splunk? Splunk is a company that provides a number of software solutions, including Splunk Enterprise, which is what we're talking about in this course. They also offer Phantom and User Behavior Analytics, Enterprise Security, IT Service Intelligence and a number of other
01:53
premium apps that build onto Splunk.
01:56
But Splunk, as a software, is a machine data analysis platform. So basically what that means is it's a software that allows you to bring in
02:07
logs or data from tons of different
02:12
computer-based devices and then analyze them, build your own correlations and visualizations and alerting around it. That's why it's called a platform, because of that ability to build and grow it that you have.
02:27
Now, as far as the word Splunk, if you are interested where it came from, it actually is from the word spelunking. So imagine, if you don't know what spelunking is, it's when you're underwater in your deep-sea cave exploring. So just imagine that's what you're doing with your data. And that's the point of Splunk: to basically get under the surface and
02:46
really find the hidden gems in your data.
02:51
So before we talk about Splunk and its core capabilities, let's talk about the main pain points behind machine data, because that's going to really explain the problems that Splunk is here to solve and just makes Splunk as a whole make a lot more sense. So with machine data, you're going to run into a problem where
03:07
you have tons of devices located all over the place. They're all producing events.
03:13
And when you have all those data sources all over the place, it's hard to do any kind of analysis, or to make anything, to gain any actionable insights out of your data, because it's all over the place. It's not in one location,
03:30
so that goes into the second point, which is there's no single pane of glass to see all this machine data.
03:37
And what that means, I know it's a bit of industry jargon, so to explain, basically it just means that there isn't one system, there isn't one screen, which is what they call a single pane of glass, one
03:50
one view into all of that information,
03:53
and, like I said, those two components lead to a very tedious analysis. Because if you need to investigate something, you have to go to all these different devices separately. Maybe you're using some sort of remote access like RDP, Remote Desktop Protocol, or SSH, Secure Shell,
04:13
to access all these different devices, collect logs from each of them,
04:16
come back to your own computer and do your analysis. And that's just not an effective way
04:23
to investigate this kind of stuff. And if it's a security event, for example, and time is of the essence, then you're really going to lose a lot of... you're going to have an ineffective response, because it's going to take so long.
04:38
So
04:39
that leads really well into the functions of Splunk, because Splunk is basically designed to address all of those problems. Splunk provides you with the ability to ingest data from tons of different sources. It doesn't really care about the format of the data, doesn't care how you want to bring the data in. It's very versatile,
04:57
and then the second function of Splunk is to store the data.
05:00
So now it's in one central repository, so that gets rid of the highly disparate data. And then it also provides you the ability to investigate or search on that data, which addresses the tedious analysis. It allows you to do things much, much faster than if you had to access all these devices individually.
05:19
So we're going to break this down a little bit more in detail, and we're also going to conceptualize it a little differently, so
05:27
we can think about all of those core functions as phases, and basically the life cycle of Splunk. So, you know, you start with data ingest, where you go to all these different devices and you choose the mechanism for bringing that data in. Splunk gives you a lot of options. You can forward it
05:46
over a network port. You could
05:49
have a Splunk forwarder installed that forwards the data for you. You could have pulls against an API.
05:58
There's a ton of different ways Splunk will allow you to bring that in and send it to itself.
06:04
So once all that data is sent from different places,
06:10
you enter the second phase, which is where Splunk parses it and indexes the data,
06:15
which
06:15
it assigns a bunch of information about the data itself to the data. So that's what metadata is: data about data. So it assigns things like where the data came from, the name of the file it came from, if it's applicable, the time, you know, things of that nature, so that you can identify
06:34
the data more easily,
06:36
then stores it into
06:39
an index, which in *** is really just a directory where you set some retention and visibility permissions, which leads into parsing and indexing being part of the security aspect of Splunk, because this is where you decide who is allowed to see which data on an index-by-index basis.
06:59
And also, when you're bringing the data in, you can perform transformations on it to mask or obfuscate
07:04
sensitive data. So
07:08
once the data is processed and stored on disk, now you enter the third phase, where you actually perform searches on that data.
07:15
So here you could be an analyst, maybe with a security event that just went off, and you're doing log analysis to determine more information about the event.
07:26
You could have searches that are running to detect activity from multiple different data sources that might indicate some behavior. For example, it could be a failed login, followed by or preceded by an intrusion detection system event,
07:45
and that might indicate that there was a compromised account.
07:49
But basically the key here is that, now that you have all that data in one place, you can build higher-fidelity, more effective searches
08:00
by using multiple data sources to correlate, versus just relying on a single event.
08:07
On that, also, you can build your dashboards and visualizations, because even though it's cliché, a picture really is worth 1,000 words. And so being able to take all your data and visualize it in charts and graphs and tables really adds a lot more actionability to the data. So
08:26
but that
08:28
wraps up this lesson. So now we've learned what Splunk is. We know that it's a machine data analysis platform, and we also know that there are three core functions of Splunk: its ability to ingest data from a large number of disparate sources, its ability to store that data in a central repository,
08:45
and then the ability to allow users to interface with the data.
08:50
So that covers this lesson and we'll see you in the next one.