
Indexing with Splunk Enterprise

Hands-On Lab



Myles Young

BigData Training Architect II in Content

Length

02:00:00

Difficulty

Intermediate


What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.


Introduction

To really get an idea of Splunk's search and visualization capabilities, you have to try it out yourself! Splunk makes it easy to index log data from local or remote files so that you can search and visualize log data in an effort to extract information in a more visual way than just reading a log file. In this hands-on lab, you are given the opportunity to exercise the following:

  • Index the /var/log/secure log file with Splunk
  • Search log data with Splunk
  • Visualize log data using pivots

Instructions

You are a system administrator who is working on a proof-of-concept project for log aggregation, search, and visualization. You are in the process of exploring the capabilities of Splunk through the use of a single-node Splunk instance. First, you need to index some log data. For this, you will need to index the /var/log/secure log file from the local machine of the Splunk instance. Next, you will need to search and visualize the log events to get a feel for Splunk's search and visualization capabilities.

To log in to your Splunk Web Console, browse to your cloud server's public IP address on the default web console port, 8000, in your web browser. You can then log in as an administrator with the following credentials:

  • Username: admin
  • Password: $p|unkEnt3rpr!$e

Solution

Log in to the Splunk web console with the credentials provided in the instructions

  1. In your browser, go to http://your_public_ip:8000 and log in as the admin user with password $p|unkEnt3rpr!$e.

Add a local data input for /var/log/secure

  1. In the web console, go to Settings > Data Inputs.

  2. Under Local inputs, click on Files & Directories.

  3. Click New Local File & Directory.

  4. In the File or Directory box, input or browse to /var/log/secure and click Next.

  5. Make sure Source type is set to linux_secure and click Next.

  6. Use all the default input settings and click Review.

  7. Make sure everything looks OK and click Submit.

  8. Click Start Searching to see your newly indexed log events.

Explore your secure log events through search and visualizations

This task is meant to be exploratory. You have plenty of time in this lab to try out searching and visualizing your newly input data however you like.

Try to narrow down your search results to specific types of events.

Try to visualize the data with different types of pivots (tables, charts, graphs, etc.). If you can come up with a few visualizations, create a dashboard to see them all on a single searchable page.

One of the best ways to get a feel for searching and visualizing is to just play around with it.
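As an added example (not part of the lab or of Splunk itself), here is the kind of narrowing this task asks for, reproduced offline in Python over constructed /var/log/secure-style lines: it extracts the fields a search would pivot on from the sshd authentication events and counts failed password attempts per source address. The equivalent Splunk search for the linux_secure source type is shown in the comment; the sample log lines, host name and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the /var/log/secure (syslog) format; not real data.
SAMPLE_SECURE_LOG = """\
Mar  3 09:12:01 splunk-node sshd[2310]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
Mar  3 09:13:44 splunk-node sshd[2345]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 09:13:47 splunk-node sshd[2345]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 09:14:02 splunk-node sshd[2351]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Mar  3 09:15:10 splunk-node sshd[2360]: Failed password for admin from 198.51.100.9 port 50011 ssh2
Mar  3 09:16:30 splunk-node sudo:   admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/systemctl restart splunk
"""

# Equivalent Splunk search once /var/log/secure is indexed with sourcetype linux_secure:
#   sourcetype=linux_secure "Failed password"
#   | rex "for (invalid user )?(?<user>\S+) from (?<src>\d+\.\d+\.\d+\.\d+)"
#   | stats count by src, user

# One sshd authentication line: timestamp, host, pid, outcome, method, user, source, port.
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<action>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_sshd_events(log_text):
    """Return one field dict per sshd authentication line; other lines (sudo, etc.) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_AUTH.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_logins_by_src(events):
    """Count failed authentication events per source address, like 'stats count by src'."""
    return Counter(e["src"] for e in events if e["action"] == "Failed")


if __name__ == "__main__":
    evts = parse_sshd_events(SAMPLE_SECURE_LOG)
    for src, n in failed_logins_by_src(evts).most_common():
        print(f"{src}\t{n}")
```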

Conclusion

Congratulations, you've completed this hands-on lab!