Splunk lets you index, search, alert and report on any IT data, in real time, for application management, IT operations, security and compliance, and more. Splunk consumes any data: log files, system metrics, applications, configurations...feed any data you want into Splunk.
Click on a topic below to get started.
Splunk's UI is packed with features. Read through the following topics to get a better sense of how to navigate and use your Splunk installation.
Splunk is made up of apps. Apps create different contexts for your data out of sets of views, dashboards, and configurations. Right now, you're in the Getting Started app. You also have the search app, which is where you can create searches, and the default app Splunk Home, which lets you launch other apps. You can also add new apps from Splunkbase, or create your own.
Navigate between apps
To navigate to another app, use the App drop-down in the upper right hand corner:
To see a list of apps that are currently installed in your Splunk instance, you can return to Home by clicking the App menu in the upper right hand corner of this page and choosing Home. This will take you out of the Getting Started app, but you can get back here by choosing Getting Started again from the Home or the App menu.
Used Splunk before? Looking for something a little more familiar?
If you've used Splunk before, you're probably looking for the Search app. To get to the Search app, choose "Search" from the App menu in the upper right-hand corner.
Most of Splunk's management options are available through Splunk Web (Splunk's user interface). Note that some configurations are only available to Splunk users with admin privileges. If you can't access some of the configurations discussed in this app, you may not have permission to access them.
Use Splunk Manager
Manage your configurations and apps with Splunk Manager. Almost every configuration change can be set through Splunk Manager. Get to Manager by clicking on the Manager link in the upper right hand corner:
Use Job Manager
Manage your searches with Job Manager. All of your searches run as jobs. You can list and control all the searches running on your system by clicking the Jobs link in the upper right hand corner:
Add more apps
To browse for and download more apps for Splunk, return Home and click the Find more apps button.
You can make your own apps, too. Refer to the Developer Manual for more information.
If a machine generates it, Splunk can index it. Yep, that's right -- Splunk can index any data, structured or unstructured, without custom parsers, connectors, or adapters. Feed Splunk anything from syslog from Unix servers and network devices, to Event Logs on Windows, to custom application logs and even configurations and system metrics -- you'll get visibility into your entire operation.
You can use Splunk's getting data in workflows to find out all the different types of data you can add to Splunk, and your different options for getting this type of data in. There are lots of ways to get your data into Splunk, depending on where it's located.
Splunk can index any local data, either continuously or just once. Configure Splunk to index a file or directory through Splunk Manager. You can also preview your data before you index it and create custom rules for how Splunk should handle your data.
Use Splunk to gather Windows data from other machines in your network. You have a few options, depending on how your network is set up:
Use Splunk to gather data from other non-Windows machines in your network. You have a few options, depending on how your network is set up:
Use this method to capture data sent over a TCP or UDP port. For example, set up Splunk to listen on UDP 514 to capture syslog data.
There are other ways to get your data into Splunk. Here are a few popular options:
Collect data from several machines in a distributed environment
Wondering how you'll get data to Splunk from a distributed environment, such as a farm of app or web servers logging locally? Splunk's universal forwarder is a lightweight agent that can be deployed to dozens, hundreds, or even thousands of servers to capture data in real time and send it to a central Splunk indexer. Use universal forwarders to send data to Splunk from other systems. Set up forwarding from Splunk Manager.
Script your own inputs
Create a scripted input for your custom data source. Scripted inputs are useful for command-line tools such as vmstat, iostat, netstat, and top. Use them to get data from APIs, other remote data interfaces, and message queues, or to generate metrics and status data by running system and application status commands. Lots of apps on SplunkBase provide scripted inputs for specific applications. Set up scripted inputs from Splunk Manager.
Monitor file system changes
Interested in what changes are happening on your file system? Set up file system change monitoring and see every change as it occurs. Use this method to monitor critical files and configuration files, as many compliance mandates require, and to find system-impacting or unauthorized changes for security and operations.
Once you have data in Splunk, you can use the Search app to investigate security incidents, troubleshoot application, server and network problems, or just proactively review system and user activity.
Search for any text that you expect to find in your data.
Search data in real time as it comes into Splunk.
Your search results are just as interactive as the timeline. In this section, you'll see how, with just one click, you can add, remove, and exclude terms from your search.
Free form search is easy and powerful, but it doesn't always give you the answer that you want. For example, you may want to exclude events with the HTTP status code 200. But, if you just search for "NOT 200", you'll also remove events you might want to keep, such as "503" status events coming from IP addresses with 200 in them.
As Splunk indexes every term in your original data, it discovers and adds fields based on name/value pairs, headers, or other information that is otherwise self-explanatory. For example, Splunk automatically adds information about where the data came from into host, source and sourcetype fields. Splunk might also recognize other parts of your data, such as IP addresses, HTTP status codes, etc. You can also add your own fields, as discussed in the Add knowledge section of this app.
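The "NOT 200" pitfall above, worked through as an added example (not part of the Getting Started app): a few constructed access-log lines are run through a hand-written regex that stands in for Splunk's automatic field extraction, and a free-text exclusion is compared with a field-based one.

```python
import re
from typing import Dict, List

# Constructed sample events in Apache combined-log style (not real traffic).
# The third line is a 503 whose client address contains the digits "200".
RAW_EVENTS = [
    '10.1.1.5 - - [10/Oct/2011:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326',
    '10.1.1.6 - - [10/Oct/2011:13:55:37 -0700] "GET /missing HTTP/1.1" 404 512',
    '10.0.200.7 - - [10/Oct/2011:13:55:38 -0700] "POST /checkout HTTP/1.1" 503 0',
    '10.1.1.8 - - [10/Oct/2011:13:55:39 -0700] "GET /cart HTTP/1.1" 200 1020',
]

# Hypothetical extraction regex standing in for Splunk's automatic recognition
# of client IP and HTTP status; field names are chosen for this example.
ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

def extract_fields(raw: str) -> Dict[str, str]:
    """Return the event's fields; _raw is always kept so free-text search still works."""
    m = ACCESS_RE.match(raw)
    fields = m.groupdict() if m else {}
    fields["_raw"] = raw
    return fields

def free_text_exclude(events: List[Dict[str, str]], term: str) -> List[Dict[str, str]]:
    """Free-form 'NOT term': drops every event whose raw text contains the term anywhere."""
    return [e for e in events if term not in e["_raw"]]

def field_exclude(events: List[Dict[str, str]], field: str, value: str) -> List[Dict[str, str]]:
    """Field search 'NOT field=value': drops only events whose extracted field equals the value."""
    return [e for e in events if e.get(field) != value]

def compare(raw_events: List[str]) -> Dict[str, List[str]]:
    """Run both exclusions over the same events and report the surviving status codes."""
    events = [extract_fields(r) for r in raw_events]
    return {
        "free_text": [e.get("status") for e in free_text_exclude(events, "200")],
        "field": [e.get("status") for e in field_exclude(events, "status", "200")],
    }

if __name__ == "__main__":
    result = compare(RAW_EVENTS)
    print("NOT 200        ->", result["free_text"])  # ['404']: the 503 was lost
    print("NOT status=200 ->", result["field"])      # ['404', '503']
```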
Fields that are visible in your search results are listed under the 'selected fields' header. You can select more fields to show. Other fields that Splunk discovered automatically are listed under 'interesting fields'.
The timeline is a visual representation of the number of events that occur at each point in time. Thus, you can use the timeline to highlight patterns of events or investigate peaks and lows in event activity.
Search assistant is a quick in-product reference for users who are constructing searches. It provides details about the search command, including examples of usage, and suggests other commands for you to use.
Splunk takes search where it's never been before by automatically extracting knowledge from your IT data and letting you add your own knowledge on-the-fly. Add knowledge about the events, fields, transactions, patterns and statistics in your data. You can identify, name and tag this data as well.
Splunk maps all this knowledge at search time, so you can add new fields and event types anytime you need them, without re-indexing the data. Go from finding all events with a particular username, to instantly getting statistics on specific user activities.
When you search your data, you're essentially weeding out all unwanted events; the results of your search are events that share common characteristics, and you can give them a collective name or "event type". The names of your event types are added as values into an eventtype field. This means that you can search for these groups of events the same way you search for any field. The following example takes you through the steps to save a search as an eventtype and then search on that field.
If you run frequent searches to investigate SSH and firewall activity, such as sshd logins or firewall denies, you can save these searches as event types. Also, if you see cryptic error messages, you can save them as an event type with a more descriptive name.
Splunk automatically extracts knowledge for you as you index new data; and you can also add new knowledge anytime you need it -- without re-indexing your data. This section shows you how to use the field extractor to interactively extract and save new fields.
Tags help you group search results that share field values. A tag is a name that you attach to a particular value of a field such as eventtype, host, source, or sourcetype. For example, you can tag a host's values with a service name or a note indicating compliance with regulations like PCI.
Generally, you can use tags to:
There are two ways to search for a tag: against all fields or against a particular field.
There's more that you can do to best use and extend Splunk so that it works with your data in a manner that fulfills the needs of your enterprise. You'll want to consult the Knowledge Manager manual as you optimize, maintain, and expand your Splunk deployment over time.
The Knowledge Manager manual teaches you:
After you use Splunk to identify and locate problems in your system, take advantage of its monitoring and alerting capabilities to keep you notified if those situations recur. Save your searches to run them whenever you want, or set up an alert to do the monitoring for you. Configure alerts to fire when the search results meet conditions that you define. You can even alert on events happening in real time.
You can turn any search into an alert. Alerts notify you by email or RSS. You can also set up alerts to trigger a script.
Create reports with Splunk's built-in visualization tools. Splunk gives you a wide range of options when it comes to reporting. Create simple "top values over time" reports directly from your search results. Use Report Builder to define and format sophisticated charts. Or define reports by hand using Splunk's powerful statistical commands. Finally, you can quickly create dashboards that share your best reports with others.
After you run a search you can quickly launch reports providing basic information about the fields in your search results.
Launch the report builder to create and format your reports.
When you use the Report Builder drop-down lists to define a report, you may notice that Splunk updates the Report Builder search box with the statistical reporting commands Splunk uses to run the report. This section explains how to use these reporting commands directly from the search bar.
When you run a report, Splunk can preview the report results for you as the search runs. This feature saves you time, especially when running searches across large time periods. Note that report preview is enabled by default for searches that use reporting commands, so try it out on a report over a large period of time.
Save and share your searches and reports by creating a dashboard. Dashboards are a place to collect your most useful and informative reports, and make them available to other users. Start a dashboard from scratch, or create one as you create reports.
You can also start by creating your dashboard from scratch.
Looking for more information on what you can do with Splunk? Here are a few more links to Splunk's online documentation.