Time
6 hours 3 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello and welcome back to the Splunk Enterprise Certified Administrator course on Cybrary. This is lesson 4.3, When Configurations Are Applied. So the learning objectives here are to talk about the three times that configurations are applied, and then understand which files apply at which time,
00:18
or, for files where there
00:20
are multiple times that could occur, how to figure out on a setting-by-setting basis when the setting is applied.
00:28
Why are we learning this? So it's important that you understand that there are three phases and three times that settings can be applied, and which settings are applied at those times, so that you know where to place your configuration files, which device to put them on, so that the settings actually are used,
00:46
because if you place the wrong setting
00:49
on the wrong device, it simply will do nothing. And so a configuration you thought you made will not actually be in
00:58
memory.
01:00
So as we talked about before, there are three phases to Splunk, and that maps up to the three times that configurations are applied. They're either applied at ingest, at index, or at search time.
01:12
So here, the configurations that are applied at ingest time: it's primarily inputs.conf, just telling Splunk what to monitor and assigning the metadata values to that data. And then there are also two props.conf
01:26
configurations at this time that are applied at index or ingest time, which are EVENT_BREAKER_ENABLE and EVENT_BREAKER.
01:36
Those are the only settings that are applied at ingest time, and these will reside on your forwarders.
01:42
Then configurations that are applied at index time are primarily props.conf and transforms.conf. And there's a large variety of configurations that could be made in props and transforms, and props is also one of those files, like we mentioned earlier, that can,
02:00
on a setting-by-setting basis, be applied at different times,
02:05
so we'll show you later how to figure that out. But it's just important to note. And then here's a quick list of some of the settings that would be configured for index time: line breaking, timestamp extraction, default field rerouting. So if your inputs brought in data with
02:23
one sourcetype and you wanted to change the sourcetype based on
02:30
regex, that's one way you could do that; truncation values. And then also, if you want to extract additional indexed fields, these are the files that you would do that in, and those would apply at index time.
02:45
And here's the list of configurations that are applied at search time. This is pretty expansive. Basically, anything you could configure through Splunk Web that's involved in searching will be a search-time configuration. So you've got commands, macros, saved searches, tags, event types.
03:02
And then there are certain props and transforms, mostly those that have to do with
03:07
search-time field extractions, which in Splunk most fields are
03:12
extracted at search time. It's what Splunk calls schema on the fly, so your ability to change the format and the parsing of data at any time. So that's kind of a unique value out of Splunk. Instead of all of these fields being extracted at index time
03:31
and saved on disk,
03:32
only a few key fields like sourcetype, source, host, and a couple of other metadata fields are actually extracted and written to disk, and then the rest are done, basically, each time you issue a search: the field extractions are performed,
03:49
so that's just an important side note.
03:52
So if you were dealing with props.conf and you're trying to determine, where should I put this file? This is directly from the documentation, so you can go to the Splunk Admin Manual, and on the left-hand side there will be a list of the configuration files. And if you select props.conf, it will give you
04:11
basically a detailed file explaining what configurations you can make. What are the valid
04:16
attributes for that file? And then this is an excerpt directly from that documentation telling you how to find more information about which settings are index time and which ones are search time. And then they don't mention it, probably because the two UF settings are fairly new.
04:34
But if you search for UF as well, that'll surface
04:39
the two settings that are applied at ingest time. So here's an example. If you just search through for "search time", you'll see this. So, for example, the REPORT attribute specifically says it's used for creating extracted fields, search-time field extractions. So you know, if you make a REPORT stanza,
04:57
then that needs to be on your search head, as it is a search-time configuration.
05:02
Likewise, if you search for "index time", you'll see that TRANSFORMS is an attribute that creates indexed fields, and it occurs at index time. So these need to be either on a heavy forwarder or your indexers.
05:16
And finally, if you search for "universal forwarder", you'll see this setting is only valid on universal forwarder instances. So obviously, if you're configuring this setting, it needs to be placed on your universal forwarders.
05:30
Now a quick knowledge assessment, just to check that you were paying attention. Why is it important to know what phase a configuration occurs at?
05:40
Read through the answers here and select one. And on the next slide, we will answer this question.
05:46
So the answer is number two. The phase determines which device that configuration should be on. If you put it on the wrong device, the setting will not take effect.
05:56
So to summarize this lesson, we learned that Splunk configurations can be applied at ingest time, index time, or search time. We also talked about how props.conf can occur at multiple different times, and then we mapped
06:11
a bunch of different files to the proper phase that they apply to. So
06:15
now you know all that information, and that's everything you need to know about configuration files except how to validate some of this information, which we'll talk about in the next lesson, which will actually be a lab where we do a deep dive on btool, and I'll talk to you more about what that is, why we use it, what it's for
06:34
in the next video.

The course is designed around the guidelines provided in Splunk’s Test Blueprint for the Certified Administrator certification, Splunk Docs, the Splunk Data and System Admin courses, and the experience of a Splunk Professional Services Consultant.

Instructed By

Anthony Fecondo
Splunk Professional Service Consultant
Instructor