To get the most out of a Splunk® trial you not only want to demonstrate Splunk’s value but you also want to configure Splunk for your environment so that you can quickly convert from trial mode to production mode. Consider the following when planning for your trial:
What logs are you currently looking at?
The initial use case for Splunk is often to streamline manual or scripted log parsing. For example, tracking down customer activity at the request of customer support, or documenting application errors for developers who don’t have access to the production environment. During your trial configure Splunk to automate the log parsing that is currently done manually and leverage Splunk’s reporting, alerting and dashboarding capabilities to provide a self-service portal to your end users.
Are there additional logs that could speed up troubleshooting or improve security monitoring?
While the initial use case may be to automate existing log parsing, Splunk's ability to create a central location for all the machine data in your environment streamlines troubleshooting and provides a comprehensive overview of operations. For example, Splunk can cross-reference firewall logs and security logs in order to identify low-and-slow attacks that might otherwise go undetected.
If you’re not already doing so, configure Splunk to index the following data inputs during your trial:
- Windows Event Logs
- Firewall Logs
- Antivirus Logs
- Web Server Logs
Start by collecting data without filtering to determine data volume and to differentiate between useful information and noise.
How much data are you indexing?
In Splunk Enterprise, go to Settings → System → Licensing and click on the green Usage Report button. The License Usage page will have tabs for Today and the Previous 30 days. Click on Previous 30 days and in the Split by dropdown menu select Source type. This breakdown of how much of each type of data you’re indexing can be used to plan the scale you will need for your production deployment.
Keep in mind:
- By default, Splunk will collect all the data that exists for a data input on the first collection, so if you have several years of Apache logs, all of that data will be indexed by Splunk. After that first collection you will get a more accurate reading for average daily volume by source, and you can observe the effects of filtering on collection volume.
- It may take several minutes for Splunk to finish indexing older data, so clicking on the link to search data immediately after configuring the collection can return "No results found."
- Splunk's trial version allows you to index 500MB per day, but you can contact a Splunk sales rep in order to get a trial license with an indexing limit more appropriate to your environment. If you index more data in a day than your license allows, Splunk will display an alert. If you exceed your licensing capacity more than 5 times in a 30-day period, you will need to contact your Splunk sales rep to have your license reset. Splunk will continue to collect and index data, but you won't be able to search the data until the reset.
Should you filter your data?
Ideally you would avoid filtering, since there is always a possibility that you might later need information you've filtered out, and Splunk's big data architecture can efficiently filter the data at query time. However, licensing and disk constraints may sometimes require you to filter out data. Splunk provides the ability to create whitelists or blacklists for collections, and the ability to truncate message data in Windows Event Log events.
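As an added example (not from the original post), the following inputs.conf fragment shows what the trial's "collect everything first" inputs look like beside the same inputs with whitelist/blacklist filtering applied once license or disk limits require it. It assumes a local WinEventLog input (the trial scenario described below collects remote event logs over WMI; these filter keys apply to inputs.conf-based collection, which is also what a Universal Forwarder uses in production) and the UNC-path web server share from the page with an assumed LogFiles subfolder.

```ini
# --- Version 1: start of the trial, unfiltered, to measure volume and noise ---
# (assumed file: $SPLUNK_HOME/etc/system/local/inputs.conf)

[WinEventLog://Security]
disabled = 0
# start_from = oldest pulls the whole existing log on the first collection,
# which is why the first day's license usage reading is inflated
start_from = oldest

# Web server logs read over an administrative share (path assumed for the example)
[monitor://\\web-server\c$\inetpub\logs\LogFiles]
disabled = 0
sourcetype = iis
recursive = true

# --- Version 2: the same inputs once filtering is required ---
# (replaces Version 1; do not keep both copies of a stanza in the same file,
# Splunk would merge them and the later keys would win)

[WinEventLog://Security]
disabled = 0
start_from = oldest
# blacklistN keys are evaluated per event; an event matching any of them is dropped.
# Drop Windows Filtering Platform connection events (IDs chosen as an example of
# high-volume codes; review your own Usage Report before picking IDs to drop)
blacklist1 = EventCode="5156|5158"
# Drop successful logons (4624) whose account name ends in "$" (machine accounts);
# the key=regex form lets you filter on event fields, not just the event code
blacklist2 = EventCode="4624" Message="Account Name:\s+[^\r\n]+\$"

[monitor://\\web-server\c$\inetpub\logs\LogFiles]
disabled = 0
sourcetype = iis
recursive = true
# whitelist is a regex matched against the full file path; here only the
# daily IIS logs (u_exYYMMDD.log) are indexed and any other files are ignored
whitelist = \\u_ex\d{6}\.log$
```

After applying Version 2 and restarting Splunk, compare the Source type split on the Usage Report for the following day with the unfiltered days to confirm the filters reduced volume as expected.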
Where should I install Splunk during the trial?
A Splunk Enterprise trial can use a single instance of Splunk without Universal Forwarders (Splunk collection agents). In that scenario:
- Installing Splunk on a VM will allow you to adjust resources as needed.
- For Splunk to collect network data such as syslog or SNMP traps the servers or network devices producing the data need to be configured to send the data to Splunk. Any firewalls between Splunk and the syslog/SNMP Trap producers should be configured to allow the data to pass through to the Splunk server.
- Collecting Windows Event Log and Performance data is done via WMI and Splunk will use the permissions of its service account (Splunkd). Set up the Splunkd service account to have at least local administrator privileges on the Windows servers being monitored.
- File collections can be done using a UNC path. If the Splunkd service account has admin privileges, it can map to administrative shares – e.g. \\web-server\c$\inetpub\logs\...\*.log
Keep in mind that a Splunk installation scales using commodity-based servers, so your initial Splunk deployment can be readily scaled up to meet production requirements.
Want to learn more?
Download a FREE trial of Splunk - Download a copy today and see how Splunk makes it simple to collect, analyze, and act upon the untapped value of big data.