Presented at Splunk Discovery Warsaw 2018: What Data can Splunk Ingest? How to Ingest Data Apps and Add-ons Demo

1. Copyright © 2016 Splunk Inc.
George Merhej
Senior Solutions Engineer, Splunk
Getting Data In

2. Agenda
 What Data can Splunk Ingest?
 How to Ingest Data?
 Apps and Add-ons
 Demo

3. What Data can Splunk Ingest?

4. Machine Data

5. 5
Machine Data Characteristics
• Splunk works with any human-readable data. In particular, time-series machine
data.
• This data has following characteristics:
 Human-readable: Non-binary data
 Event-separated: There should be a clear separator between the events
 Timestamp: a clear timestamp for each event

6. How to Ingest Data?

7. Different Ways

8. More Modular Inputs

9. Collects Data From Remote Sources
• Splunk Universal Forwarders collect data from a local data source and send
it to one or more Splunk indexers
Scalable
• Thousands of universal forwarders can be installed with little impact on
network and host performance
Broad Platform Support
• Available for installation on diverse computing platforms and architectures.
Small computing/disk/memory footprint
Splunk Universal Forwarder
The Splunk Universal Forwarder is a separate download:
https://www.splunk.com/en_us/download/universal-forwarder.html

10. • DB Connect provides reliable, scalable,
real-time integration between Splunk and
traditional relational databases
– Create value with structured data
– Enrich search results with additional business context
– Easily import data for deeper analysis
– Integrate multiple DBs concurrently
– Simple set-up, non-invasive and secure
Database Inputs
DB CONNECT
JRE
JDBC
DATABASE DRIVER
DATABASE

11. Large-Scale Data Collection Directly From Applications
• Provides a simple, load-balancer-friendly, secure way (token-based JSON or
RAW API) to send data at scale from applications directly to Splunk
Agentless
• Data at scale can be sent directly to indexer tier, bypassing forwarder layer
Broad Development Platform Support
• Logging drivers available for many platforms (Docker, AWS Lambda, etc.) and
simple HTTP endpoint compatible with all development environments
Splunk HTTP Event Collector (HEC)
The newest way to collect data at scale

12. • Twitter
– Stream JSON data from a Twitter source to Splunk using
Tweepy
• Amazon S3 Online Storage
– Index data from the Amazon S3 online storage web service
• Java Messaging Service (JMS)
– Poll message queues and topics through JMS Messaging API
– Talks to multiple providers: MQSeries (Websphere MQ),
ActiveMQ, TibcoEMS, HornetQ, RabbitMQ, Native JMS,
WebLogic JMS, Sonic MQ
• Splunk Windows Inputs
– Retrieve WIN event logs, registry keys, perfmon counters
Example Modular Inputs

13. • Create your own custom inputs
– Scripted input with structure and intelligence
– First class citizen in the Splunk management interface
– Appears under Settings > Data Inputs
• Benefits over simple scripted input
– Instance control: launch a single instance or multiple instances
– Input validation
– Support multiple platforms
– Stream data as text or XML
– Secure access to mod input scripts via REST endpoints
Modular Inputs

14. Stream has two deployment architectures and two collection
methodologies
• Deployment:
– Out-of-band (stub) with tap or SPAN port
– In-line directly on monitored host
• Collection:
– Technical Add-On (TA) with Splunk Universal Forwarder (UF)
– Independent Stream Forwarder using HTTP Event Collector (HEC)
Wire Data with Stream

15. Stream Deployment: Dedicated Collector
Search Head Linux Forwarder
Splunk_TA_Stream
Splunk
Indexers
TAP or SPAN
ServersEnd Users
Internet
Firewall

16. Stream Deployment: Run on Servers
Search Head
Splunk
Indexers
End Users
Internet
Firewall
Physical Datacenter,
Public or Private Cloud
Physical or Virtual Servers
Universal Forwarder
Splunk_TA_stream

17. Splunk Connect for Kafka

18. Apps and Add-ons

19. Getting Data in With Apps & Add-Ons
 Your first choice when getting
new data in
• Clean and ready to go out-of-the-box
 App is a complete solution
• Typically uses one or more TAs
 Add-on
• Abstracts collection methodology (log file,
API, scripted input, HEC)
• Typically includes relevant field extractions
(schema-on-the-fly)
• Includes relevant config files
(props/transforms) and ancillary scripts
binaries
1600+ apps and add-ons:
https://splunkbase.splunk.com/

20. Where do you get Apps and Add-ons?

21. • Logs – access to application
logs, syslog UDP forwarding,
JournalD
• Stats – data from Docker
containers
• Search – troubleshoot Docker-
related problems
• Dashboards and alerts –
proactively monitor Docker
environments
Visibility Into Your Container Environments
Many ways to get Docker-based machine data –
choose what’s best for you

22. • Monitor changes – identify
changes in containers, updates
to container deployments
• Gain usage insight – insight
into containers, clusters and
nodes
• Analyze and correlate –
changes, usage, errors and
configuration
Visibility Into Your Container Environments
Improve Docker container compliance,
availability and performance

23. Demo

24. October 1-4, 2018
• 8,750+ Splunk Enthusiasts
• 300+ Sessions
• 100+ Customer Speakers
Plus Splunk University:
• Three Days: September 29-October 1, 2018
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
Walt Disney World Swan and Dolphin Resort in Orlando
co nf.s p l u n k .co m
SAVE THE DATE!