Splunk automatically clusters millions of log records in real time into their underlying patterns and finds the connections between those patterns, forming a baseline flow for each piece of software. This enables you to search, monitor and analyze that data to discover powerful insights across multiple use cases.
This appendix provides a guide to the first steps with Splunk and helps you start reducing the time spent detecting and resolving production problems.
Getting Started with Splunk
1. Download the Splunk Enterprise package and extract it. (Splunk software is available as an RPM or TGZ.)
2. Create a Splunk user and group. Run:
3. Install Splunk. Run:
4. A new folder called Splunk is created.
Now you can access the Splunk WebUI at http://IP:8000/ or http://hostname:8000/. Make sure that port 8000 is open in your server's firewall.
In this example we do not use the default UDP port 514, to show that any other port can be used as well.
5. Before adding a task, configure the switch to send its logs to the Splunk server. Run:
Adding a Task
6. The first screen encountered after signing into the Splunk WebUI includes the “Add Data” icon.
7. The “Add Data” tab opens with three options: Upload, Monitor, and Forward. Here our task is to monitor a folder, so we click Monitor to proceed.
In the Monitor option, the following four categories are available:
- Files & Directories – monitor files and folders
- HTTP Event Collector – monitor data streams over HTTP
- TCP/UDP – monitor service ports
- Scripts – monitor the output of scripts
Retrieving Data from TCP and UDP Ports
8. For our purpose, choose the TCP/UDP option.
9. Click the TCP or UDP button to choose between a TCP or UDP input, and enter a port number in the “Port” field.
10. In the “Source name override” field, enter a new source name to override the default source value, if required.
11. Click “Next” to continue to the Input Settings page where we will create a new source type called Mellanox-Switch.
12. Click Next > Review > Done > Start Searching.
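The same TCP/UDP input can be created from the command line instead of the WebUI. The script below is an added example (not part of the Mellanox or Splunk documentation) that builds the inputs.conf stanza equivalent to steps 9 to 12: a tcp:// or udp:// input with the custom sourcetype Mellanox-Switch. It assumes SPLUNK_HOME defaults to /opt/splunk, places the input in the "search" app, and uses port 5514 as a constructed example of a non-default port; the index name "main" is Splunk's default.

```shell
#!/bin/sh
# Added example (not from the Mellanox or Splunk documentation): build and install the
# inputs.conf stanza that is equivalent to the WebUI steps above (TCP/UDP input with a
# custom sourcetype). Assumptions: SPLUNK_HOME defaults to /opt/splunk, the input goes
# into the "search" app, and port 5514 is a constructed example value.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# valid_port PORT -> succeeds only for an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# syslog_input_stanza tcp|udp PORT SOURCETYPE [INDEX]
# Prints an inputs.conf stanza; the "[udp://PORT]" header is what Splunk reads.
syslog_input_stanza() {
  proto="$1"; port="$2"; st="$3"; idx="${4:-main}"
  case "$proto" in
    tcp|udp) ;;
    *) echo "protocol must be tcp or udp, got: $proto" >&2; return 1 ;;
  esac
  valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
  [ -n "$st" ] || { echo "sourcetype is required" >&2; return 1; }
  printf '[%s://%s]\n' "$proto" "$port"
  printf 'sourcetype = %s\n' "$st"
  printf 'index = %s\n' "$idx"
  # Fill the host field from the sender's IP, so each switch is searchable by address.
  printf 'connection_host = ip\n'
}

# install_input tcp|udp PORT SOURCETYPE [INDEX]
# Appends the stanza to the search app's local inputs.conf (takes effect after
# "$SPLUNK_HOME/bin/splunk restart"). mkdir -p copes with a fresh install.
install_input() {
  dir="$SPLUNK_HOME/etc/apps/search/local"
  stanza=$(syslog_input_stanza "$@") || return 1
  mkdir -p "$dir" || return 1
  printf '%s\n\n' "$stanza" >> "$dir/inputs.conf"
}

# Usage, matching the document's choice of a non-default UDP port:
#   install_input udp 5514 Mellanox-Switch
```

The port check rejects anything outside 1 to 65535 and any non-numeric value before a stanza is written, so a typo cannot leave a malformed input behind. The same result can be achieved with the Splunk CLI (`splunk add udp 5514 -sourcetype Mellanox-Switch`), but writing the stanza yourself keeps the configuration reviewable and versionable. Remember that the chosen port, like port 8000 for the WebUI, must also be opened in the server firewall.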
SNMP Input to Poll Attribute Values and Catch Traps
SNMP represents an incredibly rich source of data that you can get into Splunk for visibility across a very diverse IT landscape.
SNMP agents may also send notifications, called Traps, to an SNMP trap listening daemon.
Browse to Splunkbase and download the SNMP Modular Input from https://splunkbase.splunk.com/app/1537/.
To install it, untar the file into $SPLUNK_HOME/etc/apps and restart Splunk.
Log in to the Splunk WebUI, go to Manager > Add Data > Monitor > SNMP > New, and set up your input data.
13. After the configuration is complete, it is recommended to run the Mellanox-Switch search again: Search > Data Summary > Sourcetypes > Mellanox-Switch.
14. Select “Mellanox-Switch” and “Add to search”.
15. You can add any value that is relevant to you to the search.
Patterns are not viewed in real time, and you can create alerts on the most frequently repeated events.