Splunk automatically clusters millions of log records in real time back into their patterns and finds connections between those patterns to form the baseline flows of each software individually, thus enables you to search, monitor and analyze that data to discover powerful insights across multiple use cases.

This appendix provides a guide on the first steps with Splunk and helps you to begin enjoying reduced time in detecting and resolving production problems.

Getting Started with Splunk

1. Download Splunk and extract the Splunk Enterprise version. (Splunk software is available as an RPM or TGZ.)

2. Create a Splunk User /group. Run: 

[root@server] groupadd splunk
[root@server] useradd -d /opt/splunk -m -g splunk splunk

3. Splunk installation. Run:

[root@server] tar -xzvf splunk-7.0.0-c8a78efdd40f-Linux-x86_64.tgz
[root@server] ls

4. A new folder called Splunk is created.

[root@server] cp -rp splunk/* /opt/splunk/
[root@server] chown -R splunk: /opt/splunk/
[root@server] su - splunk
[splunk@server] cd bin
[splunk@server] ./splunk start --accept-license

Now you can access your Splunk WebUI at http://IP:8000/ or http://hostname:8000/. You need to make sure that port 8000 is open in your server firewall.

Switch Configuration

In this example we are not using the default UDP port 514 to show that any other port can be also used.

5. In order to add a task, the switch must be configured to send logs to our Splunk server. Run: 

switch > enable
switch # configure terminal
switch (config) # show snmp
SNMP enabled:         yes
SNMP port:            161
System contact:
System location:
  
Read-only communities:
   public


Read-write communities:
   (none)

Interface listen enabled: yes
No Listen Interfaces.
  
switch (config) # snmp-server host 10.212.23.1 informs port 8597
switch (config) # snmp-server host 10.212.23.1 traps port 8597 
switch (config) # snmp host 10.212.23.1 informs 8597
switch (config) # snmp host 10.212.23.1 traps  8597
 
 
Summary configuration:
 
 
switch (config) # show running-config
## Logging configuration
##
   logging 10.212.23.1
   logging 10.212.23.1 port 8597
   logging 10.212.23.1 trap info
   logging 10.212.23.1 trap override class events priority err
   logging monitor events notice
   logging receive
## SNMP configuration
no snmp-server host 10.209.21.221 disable
snmp-server host 10.209.21.221 traps port 8597 version 2c
no snmp-server host 10.212.23.1 disable
snmp-server host 10.212.23.1 traps port 8597 version 2c 8597

Adding a Task

6. The first screen encountered after signing into the Splunk WebUI includes the “Add Data” icon.

7. The “Add Data” tab opens up with three options: Upload, Monitor, and Forward. Here our task is to monitor a folder, so we click Monitor. to proceed

In the Monitor option, the following four categories are available:

• File & Directories – monitor files/folders
• HTTP Event Collector – monitor data streams over HTTP
• TCP/UDP – monitor service ports
• Scripts – monitor scripts

Retrieving Data from TCP and UDP Ports

8. Per our current purpose, we choose TCP/UDP option.

9. Click the TCP or UDP button to choose between a TCP or UDP input, and enter a port number in the “Port” field.

10. In the “Source name override” field, enter a new source name to override the default source value, if required.

11. Click “Next” to continue to the Input Settings page where we will create a new source type called Mellanox-Switch.

12. Click Next > Review > Done > Start Searching

SNMP Input to Poll Attribute Values and Catch Traps

SNMP represents an incredibly rich source of data that you can get into Splunk for visibility across a very diverse IT landscape.

SNMP agents may also send notifications, called Traps, to an SNMP trap listening daemon.

Getting Started

Browse to Splunkbase and download the SNMP Modular Input from https://splunkbase.splunk.com/app/1537/.

To install, simply untar the file to SPLUNK_HOME/etc/apps and restart Splunk.

Configuration

Login to the Splunk WebUI and go to Manager > Add Data > Monitor > SNMP > New, and set up your input data.

13. After configuration is complete it is recommend to run Mellanox-Switch again: Search > Data Summary > Sourcetypes > Mellanox-Switch.

14. Select “Mellanox-Switch” and “Add to search”.

15. You can add to search any value that is relevant for you.