Splunk
AWS app and AWS add-on
=========
1. Indexer clustering
2. Search head clustering
3. Deployment server
4. AWS app and AWS add-on
===
Log data has valuable data in it -> e.g. hardware failure.
- not easily human readable.
- complex, raw data
Search, analyse and visualise it in a dashboard as charts/graphs.
Captures log data from servers, routers, embedded systems - multiple resources.
Splunk pulls out the relevant data.
CloudWatch vs Splunk -> CloudWatch can't analyse log data and can't have a customised view.
==
Products of Splunk:
====
Splunk Light - Free version - monitor, search and analyze. Has limited functionality.
Splunk Cloud -
Splunk Enterprise - mostly used in IT environments. Paid - free for learning.
Splunk Components:
======
Forwarder -> captures the log data and forwards it to the indexer.
Indexer -> accepts the log data as it is and stores it on disk.
Search head -> visualises, searches and analyses the log data held in the indexer.
Master Node -> manages the indexers and search heads. The search head talks to the indexers through the master node (manager).
Indexer Clustering:
===
Generally 3 indexers are configured. For high data availability (feedability): replication factor = 3; search factor = 2; security label...
All components are in one package, except the "universal forwarder" (the heavy forwarder is part of the full package).
web port - 8000 ( splunk dashboard? )
management port - 8089 (master node)
replication port - 997 default.
ssh - 22
Task:
====
AWS monthly cost file ->
configure master node ->
upload .csv file to heavy forwarder -> push that to indexer, auto replicate ->
configure search head ->
validate push -> server restarts ( master node ) -> can check the data using search head.
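The task above written out as the .conf stanzas each box would need, added here as an example and not taken from the original notes. It assumes Splunk Enterprise 8.1 or later (where the keys are spelled `manager` / `manager_uri`; older releases spell them `master` / `master_uri`); the hostnames cm01 and idx01-03, the replication port number, the index name aws_cost and the CSV path are assumptions.

```ini
# cluster manager (the notes' "master node"): etc/system/local/server.conf
[clustering]
mode = manager
# three copies of every bucket, two of them searchable (as in the notes)
replication_factor = 3
search_factor = 2
cluster_label = aws_cost_cluster
# shared secret; must be identical on every member and never left at a default
pass4SymmKey = CHANGE_ME_SHARED_SECRET

# each indexer peer: etc/system/local/server.conf
[clustering]
mode = peer
# management port 8089 on the manager, as in the notes; hostname is an assumption
manager_uri = https://cm01:8089
pass4SymmKey = CHANGE_ME_SHARED_SECRET
# port peers use to copy buckets to each other (number is an assumption)
[replication_port://9887]

# each indexer peer: receiving port for forwarders, etc/system/local/inputs.conf
[splunktcp://9997]

# index definition, distributed by the manager: etc/manager-apps/_cluster/local/indexes.conf
[aws_cost]
homePath   = $SPLUNK_DB/aws_cost/db
coldPath   = $SPLUNK_DB/aws_cost/colddb
thawedPath = $SPLUNK_DB/aws_cost/thaweddb
# without repFactor = auto the index is NOT replicated across the peers
repFactor = auto

# heavy forwarder: read the monthly cost CSV, etc/system/local/inputs.conf
# (file path is an assumption)
[monitor:///opt/aws/aws_monthly_cost.csv]
sourcetype = csv
index = aws_cost

# heavy forwarder: push to the peers, etc/system/local/outputs.conf
[tcpout]
defaultGroup = aws_indexers
[tcpout:aws_indexers]
server = idx01:9997,idx02:9997,idx03:9997
# forwarder keeps the data until an indexer acknowledges it
useACK = true

# search head: etc/system/local/server.conf
[clustering]
mode = searchhead
manager_uri = https://cm01:8089
pass4SymmKey = CHANGE_ME_SHARED_SECRET
```

After the manager restart (the "server restarts" step), `splunk show cluster-status` on the manager should list all three peers as Up with the replication and search factors met; only then is `index=aws_cost` searchable from the search head.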
=
Can have multiple search heads - can combine multiple indexer clusters ( multi-site )