Getting Started With Splunk

Vince Sesto
Splunk User Developer Administrator
Jan 18, 2019

Part 1: Docker Install Of Splunk And A Walk Through Of The Interface


For 2019, we thought we would get back to basics. A lot has changed in Splunk over the past year or so, especially now that there are different ways to work with, deploy and interact with Splunk as an Administrator, User or Developer. We thought we would start off the year with a Getting Started with Splunk series. One of the best ways to get started using Splunk is by installing the application on your PC or work environment to help you get the basics down. In this post, we’ll take things one step further and install Splunk via Docker. Why? Well, Splunk on Docker has come a long way in the past year, with Splunk now officially supporting it. It is also definitely the easiest and fastest way to get it running in a test or development environment for you to trial, or start to work with.

If you’re looking for ways to install Splunk using Ansible, check out our latest book on the subject:

Why Use Splunk On Docker?

If you haven’t used Docker before, you’ll love it, trust me. Docker lets you run services and applications on your own system, just like you would on a larger system, without the larger resource overhead of a VM. Don’t get me wrong, Docker isn’t perfect, but it gives you a great way to simply run, test and try something out pretty quickly with little fuss. You’ll see once we install the Splunk Docker image that it’s as easy to use as a stand-alone installation. If you have not installed Docker on your working environment, do this first. For more details on installing Docker on your system, go to the following link: https://docs.docker.com/install/

Install And Start Splunk On Docker

Once you have Docker installed on your system, grabbing the latest version of the Splunk image and running it is easy. You can do pretty much everything you need in two steps:

1. Pull the latest image from Docker Hub

docker pull splunk/splunk:latest

2. Now run the following command to have your image running on your local system:

docker run -d -p 8000:8000 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<admin_password>' splunk/splunk:latest

If you haven’t used Docker much before, the following is a breakdown of the command you just performed. docker run with the -d option means your container is going to run in detached mode: it keeps running in the background after start-up instead of tying up your terminal. The -p option lets you specify the ports you want to map; in this instance you are connecting port 8000 on your local machine to port 8000 in the container. The -e option then lets you specify environment variables that tell Splunk how to start up; in this case, you are accepting the user license and you are setting the admin password (make sure you replace <admin_password> with a password of your own). Finally, you are telling Docker to use the latest Splunk image you have on your system.

Give the start-up about 2 minutes, but that’s about all you need to do for now. You can now go into your web browser, enter localhost:8000 and wait for the Splunk login screen to appear.

This isn’t really a document on running Docker, but in case you need to, you can list all your running Docker containers using the ps option, like this:

docker ps

If you need to restart a container for any reason, you can do so with the following command:

docker restart <container_id>
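The two-step install above passes the admin password as a literal argument, which means it also lands in your shell history and in `docker inspect` output, and it publishes port 8000 on every interface of your machine. The script below is an added example, not code from the original post or from Splunk: it wraps the same `docker run` (same image, same `SPLUNK_START_ARGS` and `SPLUNK_PASSWORD` variables) but reads the password from the environment, writes it to a mode-600 env file handed to Docker with `--env-file`, binds the web port to loopback only, and polls the login page until Splunk Web answers instead of guessing at the two minutes. The env-file name, the container name `splunk` and the 8-character minimum are choices made for this example; Splunk’s own default password policy also requires at least 8 characters, but check your version’s settings.

```shell
#!/bin/sh
# Added example (not from the original post): start the Splunk container with
# the admin password kept off the command line and the web UI bound to
# loopback only. Uses the post's image and SPLUNK_* variables; file names,
# port and wait time are constructed choices for this script.

IMAGE="splunk/splunk:latest"
ENV_FILE="${SPLUNK_ENV_FILE:-./splunk.env}"   # constructed file name
HOST_PORT="${SPLUNK_HOST_PORT:-8000}"

# Reject empty or very short passwords before anything is started.
# 8 characters mirrors Splunk's default minimum (assumption for this example).
validate_password() {
    pw="$1"
    [ -n "$pw" ] && [ "${#pw}" -ge 8 ]
}

# Write the env file that replaces the two -e flags. umask 077 in a subshell
# gives the file mode 600 so other local users cannot read the password.
write_env_file() {
    pw="$1"
    validate_password "$pw" || { echo "password must be at least 8 characters" >&2; return 1; }
    ( umask 077; printf 'SPLUNK_START_ARGS=--accept-license\nSPLUNK_PASSWORD=%s\n' "$pw" > "$ENV_FILE" )
}

# Print the docker run command. Differences from the post's one-liner:
#  * 127.0.0.1:PORT:8000 publishes Splunk Web on loopback only, so a dev box
#    on a shared network does not expose the login page to the LAN.
#  * --env-file keeps the password out of shell history and `ps` output
#    (anyone who can talk to the Docker daemon can still read it with
#    `docker inspect`, so treat daemon access as admin access).
#  * --name gives the container a stable handle for docker restart/logs.
build_run_cmd() {
    printf 'docker run -d --name splunk -p 127.0.0.1:%s:8000 --env-file %s %s\n' \
        "$HOST_PORT" "$ENV_FILE" "$IMAGE"
}

# Poll the web port until it answers (the post says to allow about two
# minutes; 60 tries x 2 s). Returns 1 if Splunk never comes up.
wait_for_splunk() {
    tries="${1:-60}"
    while [ "$tries" -gt 0 ]; do
        if curl -fsS -o /dev/null "http://127.0.0.1:${HOST_PORT}/"; then
            return 0
        fi
        sleep 2
        tries=$((tries - 1))
    done
    return 1
}

main() {
    # The password comes from the environment, e.g. exported from a secret
    # store, never typed as a literal argument.
    pw="${SPLUNK_PASSWORD:?set SPLUNK_PASSWORD in the environment}"
    write_env_file "$pw" || exit 1
    eval "$(build_run_cmd)"
    if wait_for_splunk 60; then
        echo "Splunk Web is up on http://127.0.0.1:${HOST_PORT}"
    else
        echo "Splunk did not come up in time; check: docker logs splunk" >&2
        exit 1
    fi
}

# Only launch when invoked as "sh start-splunk.sh run"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `SPLUNK_PASSWORD='...' sh start-splunk.sh run`. Because the container gets a fixed name, a second run will fail until you `docker rm splunk`, which is the intended behaviour for a single dev instance.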

Walk Through of the Interface

Now that we have Splunk running, it’s a good idea to give a run-down of what each part of the interface does and how you can start to work with the environment.

If you have the above login screen, that’s a good start. To log in, use the admin user, and the password will be the one you added in your Docker command with the -e option as 'SPLUNK_PASSWORD=<admin_password>'.

If your login was successful, you should see a page similar to the one above. This is your main home page and will be displayed whenever you access the Splunk Web interface. It may look the same or slightly different, but there are four main sections you need to get to know when working with Splunk:

  • splunk>enterprise button: Whenever you are moving around in the interface and think you may be a little lost, you will always have access to this button in the top left of the screen. This button takes you back to your login screen.
  • Apps Menu: This is located in the left side panel, under the heading “Apps”. It provides a list of all the Splunk Apps you have installed on your instance, and it also gives you the option to install, configure and create your own. For now, all you need to know is that Splunk Apps are a collection of data, dashboards, searches and other things related to a similar subject. We will make a more in-depth post on Splunk Apps soon.
  • Main Work Space: This is where you’ll be doing your main work, including searching and displaying data. It’s the big grey area in the middle of the screen.
  • Menu Bar: Depending on your access, the main menu that runs along the top of the screen will provide you with information and allow you to perform specific tasks on the system. If you’re following along with our Docker installation, you should see all of the available options.

More On The Menu Bar

The menu bar provides the functionality for all of the configuration management of your Splunk installation. As we said above, the options available to you will change depending on the access you’ve been granted. We’ll do a quick run-through now, assuming you’ve installed from Docker and are logged in as the admin user.

  • The first menu on the menu bar reflects the user account you are logged in as. As you can see in the image above, it’s the Administrator, and it allows you to change your account settings, change preferences and log out of the web interface.
  • Next along is the Messages menu. This provides you with specific warnings, alerts and messages about the Splunk environment you are running. As an administrator account, you will get notifications on services being down, upgrades and restarts needed, and other high-level messages. As you can see below, with a brand new installation we have no messages available.
  • Next up is Settings. As you can see below, there is a lot of information in there, thoughtfully separated into subsections: KNOWLEDGE to handle all of your searches and query configurations, SYSTEM to manage the overall system configuration, DATA to allow you to manage the data, DISTRIBUTED ENVIRONMENT for managing a clustered Splunk installation and finally USERS AND AUTHENTICATION to control access to the system by your users.
  • The Activity menu provides information on what searches and work are currently going on in your environment. For example, if someone is doing a particularly large search, you will be able to see it in the Activity drop-down.
  • Lastly, Splunk provides a handy Help tool to search across all the relevant Splunk help resources, like Splunk Answers, tutorials and help pages.

Adding A New User

We’ve gone through a lot of screenshots and text, and I’m sure you actually want to do something by now. To finish off the first part of this series, we’ll create a new user. So if you are not logged in as your admin user, log in again and we’ll set up a new user:

  1. Click on the Settings menu.
  2. Then select Access controls.
  3. Click on Users and then click on the Add User button.
  4. Fill out the form for the new user; we have an example below. As you can see, you can add the user to specific roles. In our example, we have used the “user” role, which limits what the user can do.
  5. Click the Save button to create the new user.

If you have not logged out of the admin account, do so now, and check that you can log back in with your new account. You’ll first notice that the new user’s name appears at the top of the screen, and if you click on the Settings menu, you will see far fewer options available.

https://leanpub.com/ansibleanswers/


About The Author

DevOps Engineer, Endurance Athlete and Author. As a DevOps Engineer I specialize in Linux and Open Source Applications. I am particularly interested in Search Marketing and Analytics, and am currently developing my skills in DevOps, continuous integration, security, Splunk (UI and Reporting) and development (Java).


Vincent Sesto is a DevOps Engineer, Endurance Athlete, Coach and Author. One of his passions in life is endurance sports, as an athlete, coach and author.