The document provides a comprehensive overview of Splunk, a log collection and data analysis tool established in 2003, detailing its architecture including forwarders, indexers, and search heads. It includes instructions for downloading, installing Splunk, adding data via GUI and CLI, searching logs, generating alerts, and creating reports. Additionally, it emphasizes Splunk's real-time analysis capabilities and data storage practices.

1. By Megha Sahu

2. Contents
• Introduction
• How splunk works
• Download and installation
• Forward data to splunk using CLI
• Add data to the splunk using GUI
• Step to add input files
• Basic Search
• Creating Report
• Network monitoring

3.  Splunk inc. is a California based company that analysis machine generated massive
information and established in 2003 .
Splunk is a log collection and data analysis tool,it can also perform log forwarding to
the remote location.
Splunk does real time syslog analysis. It can also give you real time alert and
notifications. It also store data in database for some particular period of time is called
bucket
You can install Splunk on any server.
 splunk stores data in compressed form.
Various customers are Vodafone , Domino’s etc.
Introduction

4. How Splunk works
• Forwarder : these are responsible of collecting data and forwarding it to another
splunk instances.
• Indexer : where data is being stored either it is coming from real time or not.
• Search head : it will access the data and do the analysis on data. it give you alert
and notification. We interact with search.
• For large amount of data we need more then one Forwarded, Indexer and search
head and to maintain the integrity we required some components such as
Deployed , cluster master and Deployment server.

5. Download and Installation
• Go to the website https://www.splunk.com/
• Navigate to the Product and choose the splunk platform.
• Now fill the registrationn form and click on create account button.
• According to your system click on the download link.
• After clicking it will start automatically.
Install on linux
• tar xvzf splunk_package_name.tgz (OR)
• tar xvzf splunk_package_name.tgz -C /opt
• ./splunk start --accept-license
• ./splunk enable boot-start
• Then open the web interface and go to http://kali:8000

6. This is the GUI looks like of Splunk ,before this you have to put you credentials to login

7. Forward data to the splunk using CLI

8. Add data to the splunk using GUI
 After login either you can add data through home page -there is an option to add
data or go to settings and choose the option to Data .

9. Now choose the file type which you want to add

10. In this step select any local directory or anything you want then click on it and you can
see this and you can make any changes that you want

11. Step to add data logs

12. Select the index type and click on next

13. It will show you the summary if everythings looks fine then click on submit

14. And you successfully created the input file now you can start searchin

15. Now there is so many details you can see , you can search anything you want from this
log and this is totally human readable form

16. There are a lot of things there that u should know about it
There are two type of fields: Selected Field and Interested Field and these are
editable you can remove and add the field according to your requirement.

17. Basic Search
• Wildcard support : fail*
• Search items are case insensitive
• Booleans AND,OR,NOT
• Quote phrases : “login failed”
The search bar looks
like it and you can
put your qeury in it
as specified above

18. Choose the time line according to your need normally used Last 24 hour because we
have billions of data in it.

19. Alert and notification generation
• Go to save as and click on it you can see alert option now select it.

20. Fill all the details and create an alert for rare events so that you can notify when data
needs your attention and click on save .

21. Creating Reports
• Go to the save as and now select report.
• Now give it the title and save it.

22. You also add permission like who can read or write the report and you can also add it
to the Dashboard

23. Network Monitoring
• cd ~
• Mkdir pings
• Mkdir /pings/targets
• Cd targets
• Vim monitor.sh
• Chmod +x monitor.sh
• ./monitor
• Tail –f /targets/googledns.txt

24. Then

25. Browse the directory for the analysis

26. Now click on next and then select next button.

27. Select any one of the option to start the
analysis

28. References
• https://www.youtube.com/watch?v=pA5MFlY
5Klc&list=PL59B00A6F603366EA
• http://docs.splunk.com/Documentation