
SPLK-1003: Splunk Enterprise Certified Admin Certification Video Training Course
The complete solution to prepare for your exam with SPLK-1003: Splunk Enterprise Certified Admin certification video training course. The SPLK-1003: Splunk Enterprise Certified Admin certification video training course contains a complete set of videos that will provide you with thorough knowledge to understand the key concepts. Top notch prep including Splunk SPLK-1003 exam dumps, study guide & practice test questions and answers.
SPLK-1003: Splunk Enterprise Certified Admin Certification Video Training Course Exam Curriculum
Introduction
1. Introduction
Introduction to Splunk Enterprise
1. Introduction to Module 01
2. What is Splunk?
3. Products of Splunk: Splunk Light
4. Products of Splunk: Splunk Cloud
5. Products of Splunk: Splunk Enterprise
6. Products of Splunk: Hunk & Premium Apps
7. Components of Splunk: Search Head
8. Components of Splunk: Indexer
9. Components of Splunk: Universal Forwarder
10. Components of Splunk: Heavy Forwarder
11. Components of Splunk: Deployment Server
12. Components of Splunk: Cluster Master
13. Splunk Package Downloads: Part 1
14. Splunk Package Downloads: Part 2
15. Splunk Package Downloads: Part 3
16. Splunk Add on and Application downloads
17. Splunk GUI Overview : Part 1
18. Splunk GUI Overview : Part 2
19. Splunk GUI Overview : Part 3
20. Splunk GUI Overview : Part 4
21. Splunk GUI Overview : Part 5
22. Splunk GUI Overview : Part 6
23. Splunk Searching Basics : Part 1
24. Splunk Searching Basics : Part 2
25. Splunk Licensing
26. Getting Help on Splunk Issues : Part 1
27. Getting Help on Splunk Issues : Part 2
28. Get 10 GB Free license of Splunk
Designing Splunk Architecture
1. Splunk Visio Stencils usage
2. Estimation of License required
3. Evaluation : Search Head and Indexers
4. Evaluation : Heavy Forwarder, License Manager and Deployment Server
5. Estimation of Storage for Indexers
6. Small Enterprise Architecture review
7. Medium Enterprise Architecture review
8. Large Enterprise Architecture review : Part 1
9. Large Enterprise Architecture review : Part 2
10. Understanding clustering and High Availability in Splunk
11. Hardware Requirements for Splunk Architecture
12. Capacity Planning for your Architecture
Installation and Configuration of Splunk Components
1. Prerequisites for Splunk Installation : Part 1
2. Prerequisites for Splunk Installation : Part 2
3. Directory Structure of Splunk
4. Configuration Hierarchy in Splunk
5. Configuration Hierarchy in Splunk : Practical Example
6. Testing Configuration Precedence
7. Concluding Configuration Precedence
8. Installation of Splunk Enterprise
9. Installation of Splunk Universal Forwarder
10. Installation of Splunk Search Head
11. Installation of Splunk Indexers
12. Installation of Splunk Heavy Forwarders and Deployment Servers
13. Enable SSL on Splunk Enterprise Instance
14. Enabling SSL from CLI
15. Index, Indexes and Indexers
16. Configuring Indexer: Enable Receiver
17. Enabling Receiver from CLI and Configuration File Edit
18. Default Index
19. Index Creation From Splunk Web and Splunk CLI
20. Index creation from Splunk Edit configuration file
21. Configure Search head From Splunk Web
22. Configure Search head From Splunk CLI
23. Configure Search head From editing Configuration Files
24. Configure Heavy Forwarder using Splunk Web and CLI
25. Configure Heavy Forwarder using Splunk Configuration File Edit
26. Configure Deployment Server From Splunk Web
27. Configure Deployment Server From Splunk Configuration Edit
28. Adding Clients to Deployment Server
29. Deployment Client Config CLI and on Configuration Edit on Universal Forwarder
30. Splunk License Manager Configuration
31. Splunk Licensing Pool and Client Configuration
Splunk Post Installation Activities : Knowledge Objects
1. Uploading Data to Splunk
2. Adding Data to Splunk via configuration file edit
3. Adding Data to Splunk via Splunk CLI
4. Validation of On Boarded Data
5. Source Sourcetype and Host Configuration
6. Source Parameter Explanation
7. Field Extraction Using IFX
8. Field Extraction Using REX
9. Adding Field Extraction to Search
10. REGEX searching in Splunk
11. Props Extract Command
12. Props Report and Transforms
13. Props.conf Location
14. Eventtypes Creation and permission
15. Eventtypes Use Case
16. Tags Creation
17. Manual Creation of Tags
18. Lookups Creation in Splunk
19. Searching Using Lookups in Splunk
20. Lookups Use Case Example
21. Creating Macros in Splunk
22. Searching in Splunk
23. Search Modes in Splunk
24. Creating Alerts in Splunk
25. Splunk Alert Condition and Sharing
26. Editing Splunk alert and Alerts Actions
27. Creating Splunk Reports
28. Splunk Report Scheduling and Accelerating Reports
29. Embedding Reports in External Applications
30. Creating Dashboards in Splunk
31. Adding Panels to Dashboards And adding Panel from Report
Splunk Inbuilt & Advanced Visualizations
1. Editing Dashboard Using Source
2. Dashboard Filters: Time Range
3. Dashboard Filters: Text Box
4. Dashboard Filters: Dropdown
5. Dashboard Filters: Dynamic Filters
6. Dashboard Drill down Example
7. Dashboard Drilldown Configuration
8. Dashboard Drilldown to Same dashboard
9. What is a Splunk Workflow?
10. Creating a Splunk Work Flow
11. Demo of Splunk Work Flow Example
12. Visualizations in Splunk
13. Rest of the default Visualization in Splunk
14. Editing XML for Dashboards
15. Adding Panel by Editing XML
16. Out Of The Box Dashboards Examples
17. Out Of The Box Journey Flow
18. Exporting And Scheduled Dashboards
Splunk Apps And Add-Ons
1. What is an Add on?
2. Installing Splunk Add on From Splunk Web
3. Installing Splunk Add on From Splunk CLI
4. Installation of Splunk App
5. Disabling an App or Add on
6. Creating your Own Splunk App
7. Creating your Own Splunk App using Linux CLI
8. Custom Navigation inside Apps : Part 1
9. Custom Navigation inside Apps : Part 2
10. Creating your Own Splunk App Via Splunk Web
11. Custom Navigation inside Apps Using Splunk Web
12. Custom Static Content Location for Apps
13. Changing Custom Background of Login Page
14. Custom Logo for the Splunk Login Page
15. Customizing App Icon
Forwarder Management And User Management
1. Splunk Forwarder Management
2. Creating ServerClass.conf File
3. ServerClass and DeploymentClient Configuration Files
4. Apps on Deployment Server
5. Deploying Apps using Deployment Server
6. Creating Server Groups Using ServerClass.conf
7. Creating Base Configurations
8. Deploying Apps on Universal Forwarder Using Deployment Server
9. Updating configuration and Deploying
10. Forward Data out of the Splunk
11. User Management in Splunk
12. Creating Roles : Part 1
13. Creating Roles : Part 2
14. Creating Users : Part 1
15. Creating Users : Part 2
Splunk Indexer And Search Head Clustering
1. Introduction to Clustering and Indexer Clustering Use Case
2. Search Head Clustering Use Case
3. Single Site indexer Clustering
4. Multisite Indexer Clustering
5. Search Head Clustering
6. Search Factor And Replication Factor
7. Search Head Clustering Requirement Evaluation
8. Heavy Forwarder Clustering
9. Hands-on Indexer Clustering : part 01
10. Hands-on Indexer Clustering : part 02
11. Hands-on Indexer Clustering : part 03
12. Hands-on Indexer Clustering : part 04
13. Hands-on Indexer Clustering : part 05
14. Hands-on Multisite Indexer Clustering : Part 01
15. Hands-on Multisite Indexer Clustering : Part 02
16. Hands-on Multisite Indexer Clustering : Part 03
17. Hands-on Search Head Clustering : Part 01
18. Hands-on Search Head Clustering : Part 02
19. Hands-on Search Head Clustering : Part 03
20. Search Head Clustering Validation
Splunk Advanced Concepts
1. Binding Splunk to an IP Address
2. Changing Process Name of Splunk Processes
3. Disabling Splunk Web Components
4. Splunk CLI Selective Restarting
5. Splunk CLI: ENABLE, DISABLE and ADD commands
6. Splunk CLI: Show Commands
7. Splunk CLI: BTOOL Usage
8. Splunk Quick Hacks for Restarting Splunk Web Components
9. Splunk Creating Datamodels
10. Splunk Datamodels Accelerations
11. Splunk Datasets and Searches
12. Splunk Universal Forwarder Scripted Deployments
Building Splunk Enterprise Architecture on Amazon AWS Under 60 Minutes
1. Introduction to building Enterprise Architecture on Amazon AWS
2. Building Splunk Enterprise Architecture on Amazon AWS Under 60 Minutes
Splunk Use Cases Of All Industries
1. Security Use Case: SQL Injection Detection in Splunk
Congrats: Completion of the Course
1. Congrats: All the best for your Careers and Future Splunk learnings
About SPLK-1003: Splunk Enterprise Certified Admin Certification Video Training Course
SPLK-1003: Splunk Enterprise Certified Admin certification video training course by prepaway along with practice test questions and answers, study guide and exam dumps provides the ultimate training package to help you pass.
Installation and Configuration of Splunk Components
1. Prerequisites for Splunk Installation : Part 1
Before starting the installation of Splunk, we need to make sure a couple of prerequisites are met so that, after the installation, Splunk can run without any performance issues. Let's begin with the firewall rules, which should mainly focus on port 8000, which is the Splunk Web port, and 8089, which is our Splunk daemon port, also known as the management port. The Splunk Web port 8000 should be allowed for HTTP and HTTPS traffic.
There are a few more ports, such as the KV store port, which is 8191, and app server ports like 8065, which are used locally in specific scenarios and shouldn't cause any trouble for our installation. To summarize, make sure HTTP and HTTPS are allowed on ports 8000 and 8089 for the deployment server, indexers, heavy forwarders, search heads, and any other components of Splunk. One more important firewall request to take into consideration is universal forwarder to indexer communication on port 9997, which is used to send logs to our indexers. This port is the default, but it can be customised to any other port. Once the firewall rules are set, that should be all we need on this front to start the installation.
So, now that we've completed the first requirement, let's move on to the next. Some of the processes in Linux are known to cause issues during Splunk's regular operations, so Splunk recommends disabling some of these processes on Splunk servers. THP, or Transparent Huge Pages, is one such process that has been known to cause numerous issues when running alongside Splunk, so Splunk recommends disabling it before installing Splunk.
And this is the location of the file. If we have Transparent Huge Pages installed on our Red Hat or CentOS machine, this is where we can disable the entry in this file. We can check whether Transparent Huge Pages is installed on our cloud instance. Let me copy the location of the file and check whether we have that file or the process installed. In our case, Transparent Huge Pages (THP) is not installed, so it's safe to consider it disabled.
2. Prerequisites for Splunk Installation : Part 2
One more process to consider disabling is SELinux, which is also known as Secure Linux. If we do not want to completely disable SELinux, we must allow Splunk to run under SELinux using other methods, such as whitelisting the Splunk process or adding an exception for it. For this example, and for the simplicity of this course, we will see how to disable SELinux. This file contains the SELinux configuration. I'll check the contents of the file using the Linux command cat, followed by the location of the file. From this file, we notice that it is currently enabled: when SELinux says "enforcing", SELinux is enabled. To disable it, open the file with any of the text editors available in Linux and change the targeted value, or comment out the targeted value and change enforcing to disabled. I'm going to set the SELinux status to disabled. Once you have changed or disabled SELinux, it always requires a reboot to make the change effective. We now have SELinux disabled on our instance. In the meantime, we'll move on to our next prerequisite.
The IOPS test for the indexing machine comes next: we test that the provisioned IOPS is greater than 200 IOPS, as recommended in our previous tutorial. We can test IOPS using a third-party utility known as bonnie++. bonnie++ is not installed by default on Red Hat Linux, which we'll be using throughout our tutorial, so we need to download the package, install it, and then test the IOPS. I've already installed bonnie++ on our cloud instance. Let us see how we can measure IOPS using bonnie++. This will be your complete command to test with bonnie++, where -d represents the mount point on which you will be installing Splunk.
We will install Splunk on /opt, and -s requires two times the RAM of this instance. As of now, we have only one GB of RAM, since it is our demo instance, so we multiply it by two and specify that value. -u is the user who will be running these read and write operations on the mount point. Throughout the course, we'll be creating splunk as an application account for the Splunk application to run under, and it is highly recommended that Splunk run as a non-privileged account rather than as root. All you have to do is hit Enter, and it will start simulating I/O. For now, I will not hit Enter, because it would kill our demo instance, which has just one gigabyte and probably 300 IOPS. Now, assuming we have hit Enter, open another terminal and log in. Once logged in, we can use iostat, refreshing every second, to see how many IOPS are in use. Because we are not performing any operations, the number of transactions per second is currently very low. After you hit Enter and bonnie++ starts simulating read and write operations on our /opt mount point, you can leave it running for ten to fifteen minutes. You'll most likely see 200 to 1300 here, which shows that we have achieved the IOPS requirement for a Splunk indexer. Once we have verified that the IOPS meets the required condition of being greater than 200 IOPS, we can proceed to the next prerequisite, setting the ulimit.
The ulimit has a number of values to set as per Splunk recommendations. The link that we are using takes us straight to the Splunk documentation. Simply search for the "ulimit" options and set all of them according to Splunk's recommendations on all Splunk instances, so that Splunk runs at peak performance. Let me check the ulimit settings on our cloud machine; this is our present ulimit size. As you can see, you can start setting all these parameters as per the recommendation.
Let us see. First, open files: ulimit -n, which is set to 124 by default. As per the recommendation, it needs to be set to 8192. It is as simple as that: run the command to see the current value, then take the recommended value from the Splunk portal and pass it to the command so that the limit is set. Once you have set all these parameters, we should be ready to install our first Splunk instance. Finally, have your licences ready so that once we complete our installation, we can configure the license.
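The THP, SELinux and open-files checks from Parts 1 and 2 can be collected into one read-only script. This is an added example, not code from the course; the two file paths are the standard Linux locations (an assumption, since the transcript does not spell them out), 8192 is the open-files value quoted above, and the sample host is constructed.

```shell
#!/bin/sh
# Added example: read-only pre-install checks. Paths are the standard Linux
# locations (an assumption; the transcript does not spell them out).
THP_FILE=/sys/kernel/mm/transparent_hugepage/enabled
SELINUX_FILE=/etc/selinux/config
REQUIRED_NOFILE=8192          # open-files value quoted in the transcript

# thp_state FILE: print the active THP mode (the bracketed word), or "absent"
# when the file does not exist, the case the transcript treats as disabled.
thp_state() {
    [ -r "$1" ] || { echo absent; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# selinux_mode FILE: print the value of the SELINUX= line. SELINUXTYPE= and
# commented lines do not match.
selinux_mode() {
    [ -r "$1" ] || { echo absent; return 0; }
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# nofile_ok CURRENT REQUIRED: succeed when the open-files limit is sufficient.
nofile_ok() {
    [ "$1" = unlimited ] && return 0
    [ "$1" -ge "$2" ]
}

# prereq_report THP_FILE SELINUX_FILE NOFILE: one line per check; returns 1
# if anything still needs attention.
prereq_report() {
    rc=0
    thp=$(thp_state "$1")
    case $thp in
        never|absent) echo "OK    THP: $thp" ;;
        *)            echo "FIX   THP: $thp (disable before installing)"; rc=1 ;;
    esac
    se=$(selinux_mode "$2")
    case $se in
        enforcing) echo "CHECK SELinux: enforcing (allow Splunk by policy, or disable and reboot)"; rc=1 ;;
        *)         echo "OK    SELinux: $se" ;;
    esac
    if nofile_ok "$3" "$REQUIRED_NOFILE"; then
        echo "OK    open files: $3"
    else
        echo "FIX   open files: $3 (need >= $REQUIRED_NOFILE)"; rc=1
    fi
    return $rc
}

# Constructed sample host: THP on, SELinux enforcing, low open-files limit.
SAMPLE=$(mktemp -d)
printf '[always] madvise never\n' > "$SAMPLE/thp"
printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$SAMPLE/selinux"
echo "== constructed sample =="
prereq_report "$SAMPLE/thp" "$SAMPLE/selinux" 1024 || true

echo "== this host =="
prereq_report "$THP_FILE" "$SELINUX_FILE" "$(ulimit -n)" || true
```

Run it as the account that will own the Splunk process, since `ulimit -n` reports the limit of the calling user's shell.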
3. Directory Structure of Splunk
Once we have finished downloading our Splunk packages, let's understand how the Splunk directory structure is laid out and go through some of the most important directories. By default, the Splunk home is C:\Program Files\Splunk on Windows and /opt/splunk on Linux. It is totally customizable, and throughout this tutorial, whenever we mention Splunk home, it will be either /opt/splunk or C:\Program Files\Splunk, based on the OS we are using in the context. So let's open up a Splunk installation package.
This is what a typical installation package looks like. As you can see, we are using the RPM package from our downloads to go through the directory structure. This is just inside our Splunk home. Inside it, there is a bin directory, where all the executables of Splunk are placed. There are a lot of Python executables, and there are scripts that run depending on how the Splunk process is invoked. Inside bin there is a folder called scripts, which is used for placing user-created scripts. We will see how we can utilise this in future discussions. Let me go back to our Splunk home.
The next important directory of Splunk is the etc directory, where all the configuration files of a Splunk instance reside. Under etc there are many important directories: apps, where all the applications of Splunk are installed; deployment-apps, which the deployment server uses to store all client applications and push them to the clients; and master-apps, which is used by the indexer cluster master, also known as the cluster master, and houses all cluster-related applications.
There is also slave-apps, which is used by the members of the cluster, the indexers, for holding their configuration, and disabled-apps, where apps that have been disabled are moved. And finally there is system, which holds all the configurations that are predefined in a Splunk installation. Once you are actively using Splunk, you will become much more familiar with the directory structure and get used to it. And here we are missing one more important directory in the Splunk home.
That is our var directory, which is missing because it is created when you launch Splunk for the first time. Inside var, there are two crucial locations: the first is Splunk home followed by var/log/splunk, and the second is var/lib/splunk. These two are some of the most important directories under Splunk, and they are created when Splunk is started for the first time.
var/log/splunk is where all the logs of the Splunk application are stored, and var/lib/splunk is the default database location of Splunk, where all the parsed data is stored along with the metadata information. That should cover the most commonly used directories, which are very important as part of our day-to-day activities as Splunk administrators or Splunk architects. The configuration files of Splunk have different hierarchies, and they always end with In our next discussion, we'll be discussing how this configuration file works and what the hierarchy of configuration is when Splunk starts up.
4. Configuration Hierarchy in Splunk.
The configuration file hierarchy in Splunk can be difficult to understand at the beginning, but I'll try to make it as simple as I can, and we will also test the configuration and validate how the hierarchy works on our demo instance on Amazon. The Splunk configuration files are arranged in the hierarchy shown below. For overriding configuration, system local has the highest priority. Let's say you define some configuration in system local.
When I say system local, I mean etc/system/local, and whatever configuration you define in this directory overrides the configuration defined in the other three locations. This is the highest level in the hierarchy of Splunk configuration. The second is app local, which is located under etc/apps. Take one of the apps, the default app search, to start with: it does not yet have a local file, but we can create our own.
It will be visible in our demo Splunk instance, which has already been launched. So let's see if there are any. Let me change the font size. This should be clear enough. By now we know we'll be using an application account called splunk throughout our tutorial for running our Splunk instance. Let me check whether we have a Splunk instance running. It is not running. Let me bring it up by starting Splunk. This will be your command, with the complete path, or you can go to this directory and use the splunk utility with start. Now Splunk is up. Let's go to our Splunk home, then etc/apps/search.
Under local, there are files that have been created, such as data models and data that the user or administrator has edited. So this is our app local location, which is under etc/apps, then the app name, followed by local. This is the second-highest priority configuration that Splunk uses for overriding. The next is app default. Since we are looking at the search app, we'll look at its default location. I'll go one directory back and check the default directory. So here is the default directory of the application. It has a couple of configuration files, which override system default.
System default has the lowest priority, and system local the highest. Whatever you define in system local overrides whatever is present in the other three places. Let me quickly go into system default, that is, Splunk home followed by etc/system/default, which contains all the Splunk configuration, so that even if the user misses some of the configuration, Splunk can start from the default configuration. Let's say a Splunk process starts up and has to choose a port (HTTP or HTTPS). It will first look in system local. If the setting is there, it ignores the other three locations, even if they also customize the port. If it cannot find the configuration for the HTTP or HTTPS port there, the next step is to check app local.
If it cannot find it there, it proceeds to app default. If the user has not defined any customization for the HTTP or HTTPS port, it automatically picks it up from the system default location, where all the configuration required for starting a Splunk instance is defined by default. This is part of the installation package, so as soon as you install the package, Splunk gets all its configuration from the system default location. This configuration can be overridden from any of the other locations.
5. Configuration Hierarchy in Splunk : Practical Example
Let's do a lab exercise where we rename the Splunk host name from all four locations. For example, here is system local. The vi editor is what I'll be using throughout this tutorial and subsequent tutorials for editing the configuration.
If you are unfamiliar with vi, you can use any other editor, such as gedit, which is graphical, or nano, which is similar to vi. You can also use WinSCP or other FTP tools to download the configuration file, edit it in your Windows environment, and then upload it to the server. I'll be using the vi editor throughout this tutorial. Let me quickly get into the system local directory, which has the highest priority. I'll be editing a configuration file called inputs.conf. As you can see, this is the file I'll be editing under system local. I'll just rename the host so that we'll be able to see how the configuration works.
I'll give the host a value that mentions system local, so that when we see this entry in the Splunk logs, we know the value came from here. That will be our system local. I'll put the same setting with a different value in one of the apps, in the local inputs configuration of the search app. This is the app local directory, which has the second-highest priority. I will copy the same contents and modify them a little so that it is easier to follow. So this is our app local directory. I'm opening a file and pasting the same contents, but I'll change system to "App local" so that if this host value is picked up, we know the configuration was picked up from our second-highest priority. Let me go to app default.
That is the default directory of the search app, and the file is inputs.conf. I'll change the setting for app default, then save and close this file. We have now changed the system local host name configuration, the app local host name configuration, and the app default host name configuration. Let us restart our Splunk instance: go to /opt/splunk/bin, use the splunk utility, and run restart. Let us try to log in to Splunk once it has restarted. Let us see. Is it done? Yes, it is done. It has been successfully restarted. Allow me to log in.
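The four-layer lookup from sections 4 and 5 can be reproduced offline against a throwaway directory tree. This is an added example, not code from the course or from Splunk: it is limited to a single app (search), as in the lab, and the `host` values, the `index = main` line and the helper names are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve one setting through the four layers, highest first.

# conf_get FILE STANZA KEY: print KEY's value from [STANZA]; fail if not set.
conf_get() {
    [ -f "$1" ] || return 1
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*(#|$)/ { next }                          # comments, blank lines
        /^[ \t]*\[/    { gsub(/^[ \t]+|[ \t]+$/, ""); stanza = $0; next }
        stanza == want {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# effective_setting SPLUNK_HOME APP CONF STANZA KEY: print "value<TAB>layer"
# for the first layer that sets KEY, in the order the transcript gives.
effective_setting() {
    home=$1; app=$2; conf=$3; stanza=$4; key=$5
    for layer in \
        "etc/system/local" \
        "etc/apps/$app/local" \
        "etc/apps/$app/default" \
        "etc/system/default"
    do
        if value=$(conf_get "$home/$layer/$conf" "$stanza" "$key"); then
            printf '%s\t%s\n' "$value" "$layer"
            return 0
        fi
    done
    return 1
}

# write_host DIR VALUE: constructed inputs.conf containing a single host line.
write_host() {
    mkdir -p "$1" && printf '[default]\nhost = %s\n' "$2" > "$1/inputs.conf"
}

# Set host in all four layers, then delete the winning file after each lookup.
demo_walkdown() {
    demo=$(mktemp -d)
    write_host "$demo/etc/system/local"        from_system_local
    write_host "$demo/etc/apps/search/local"   from_app_local
    write_host "$demo/etc/apps/search/default" from_app_default
    write_host "$demo/etc/system/default"      from_system_default
    for drop in etc/system/local etc/apps/search/local etc/apps/search/default ""; do
        effective_setting "$demo" search inputs.conf default host
        if [ -n "$drop" ]; then rm "$demo/$drop/inputs.conf"; fi
    done
    rm -rf "$demo"
}

# A higher layer that has the stanza but not the key does not mask lower layers.
demo_fallthrough() {
    demo=$(mktemp -d)
    mkdir -p "$demo/etc/system/local"
    printf '[default]\nindex = main\n' > "$demo/etc/system/local/inputs.conf"
    write_host "$demo/etc/apps/search/local" from_app_local
    effective_setting "$demo" search inputs.conf default host
    rm -rf "$demo"
}

demo_walkdown
demo_fallthrough
```

On a running instance, `$SPLUNK_HOME/bin/splunk btool inputs list --debug` prints the merged settings together with the file each one came from, which is the authoritative check after an edit like the one in this lab.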