By: Michael L’Abbe
Welcome to part 2 of my Splunk education. In case you didn’t read part 1, I’ll give you a quick overview of what I’m doing here. I work for a company that specializes in Splunk implementations across multiple platforms and in any conceivable configuration. I have only been with the company a short time and am trying to get up to speed as quickly as I can. To do so, I am documenting everything I learn as I go through the training and certification process. I’d just like to point out that most of what you read here can be found on splunk.com. This blog is meant to expand on the material that is already available and at the same time document my mistakes and lessons learned. By the end of this blog series I hope to be a Splunk Certified Architect.
Last week we got through the process of creating a Splunk account and getting Splunk Enterprise installed on a Windows 10 machine. This week I am continuing with the free Splunk Tutorials. The following is a list of what’s covered:
- Part 1: Getting started
- Part 2: Uploading the tutorial data
- Part 3: Using the Splunk Search app
- Part 4: Searching the tutorial data
- Part 5: Enriching events with lookups
- Part 6: Creating reports and charts
- Part 7: Creating dashboards
Each part of the tutorial builds on the previous part so it is important to have a clear understanding of the material before moving on to the next section. Let’s get started.
Part 1: Getting Started
This part is broken down into 4 sections. The following is a list of those sections:
- What you need for this tutorial
- Install Splunk Enterprise
- Launch Splunk Web
- Navigating Splunk Web
Part 1 of this blog series covers the first two sections so I’ll start with launching Splunk Web. I’m using Windows 10 and will cover the methods to launch Splunk from that platform. If you are using something different I recommend taking a look at the online tutorial for details on your specific operating system.
Start Splunk Enterprise
This is where the tutorial doesn’t do a great job of explaining things. On my Windows 10 machine Splunk Enterprise runs as the splunkd service and is set to start automatically. That doesn’t mean it will launch in the browser automatically, but the service will start. In the event the service doesn’t start and you try to launch Splunk Web, you will get an error as seen in figure 1.
Just in case you get this, I’ll go over a couple of different ways to start Splunk. The first method is from Windows Services Manager. There are a million ways to get there, but you can just use the path Control Panel > System and Security > Administrative Tools > Services. Scroll down the list until you find Splunkd Service and either right-click it and click Start, or single-click to select it and click the Start the service link in the upper left. Figure 2 is a capture of what you should see. Notice that there are 2 different Splunk services (Splunkd and splunkweb). Figure 3 is the Windows Services Manager description of splunkweb. The only one we need to worry about for this example is Splunkd Service.
Once the service is started, you can use the same method to stop or restart Splunkd. The second method is to use the Windows Command Prompt. To do this, navigate to and open a Command Prompt. In some cases you may have to right-click and choose Run as administrator, as seen in figure 4.
Once in the Command Prompt, change directory to \Program Files\Splunk\bin and then type splunk start. Figure 5 is an example of starting Splunk from the Command Prompt. You can also use the Command Prompt to stop and restart Splunk using splunk stop and splunk restart respectively.
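The two manual start methods above can be folded into one PowerShell check that also waits for Splunk Web to answer before the browser is opened, so you don’t land on the error page from figure 1. This is an added example and not part of the Splunk tutorial; it assumes the service name is Splunkd (display name "Splunkd Service"), the default install path under C:\Program Files\Splunk, and the default Splunk Web port 8000. Run it from an elevated PowerShell window, for the same reason the Command Prompt may need to run as administrator.

```powershell
# Added example (not from the tutorial): confirm the Splunkd service is running,
# start it if needed, then wait for Splunk Web on port 8000 before launching it.
# Assumptions: service name "Splunkd", default install path, default port 8000.
$ServiceName = 'Splunkd'
$SplunkBin   = 'C:\Program Files\Splunk\bin\splunk.exe'
$WebUrl      = 'http://localhost:8000'

$svc = Get-Service -Name $ServiceName -ErrorAction Stop
Write-Host "$($svc.DisplayName) is currently $($svc.Status)"

if ($svc.Status -ne 'Running') {
    # Equivalent to "Start the service" in Services Manager or "splunk start"
    # in an elevated Command Prompt. Start-Service also requires an admin shell.
    Start-Service -Name $ServiceName
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

# A "Running" service does not mean Splunk Web is ready yet; poll the port
# (up to ~60 seconds) so the browser is not opened before it is listening.
$ready = $false
for ($i = 0; $i -lt 30 -and -not $ready; $i++) {
    $ready = Test-NetConnection -ComputerName 'localhost' -Port 8000 `
                 -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $ready) { Start-Sleep -Seconds 2 }
}

if ($ready) {
    # Show splunkd's own view of its state, then open Splunk Web in the default browser
    & $SplunkBin status
    Start-Process $WebUrl
} else {
    Write-Warning "Splunk Web did not answer on $WebUrl; check the service status and splunkd.log under C:\Program Files\Splunk\var\log\splunk"
}
```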
So now we have Splunk Enterprise Services started on our system and can move on to launching Splunk Web.
Launching Splunk Web
After Splunkd is started, it’s just a matter of launching Splunk Web in a browser. At the time of this blog, Splunk Enterprise supports the following browsers:
- Firefox (latest)
- Internet Explorer 11
- Safari (latest)
- Chrome (latest)
At the end of the command line start up (shown in figure 5) you can see the URL used on your specific machine to launch Splunk Web in your browser of choice. You can either use the local workstation name or replace with localhost. The first method is to open your browser (I am using Chrome) and type or paste in the URL. I am going to enter http://localhost:8000 in the address bar and hit enter. The second method is to navigate to the Splunk Enterprise folder in the start menu and click on Splunk Enterprise. Figure 6 shows what it looks like on my Windows 10 machine. This will open your default browser and launch Splunk.
Either method will bring up the Splunk login page as seen in figure 7. From here just type in your username and password you set up on installation and select ‘Sign in’.
Navigating Splunk Web
This is the last section in part 1 of the tutorial. Splunk.com does a pretty good job of explaining this section, so I’m not going to go into too much detail here. Upon successful login you should be directed to your Splunk Home page, as seen in figure 8.
The Splunk Home page consists of the following sections as highlighted above.
- Apps panel
- Explore Splunk panel
- Splunk bar
We’ll get into more detail on each of these sections as we move forward. I do, however, want to change what displays where it says Administrator in the Splunk bar to my name. This can be done by clicking Administrator and selecting Account Settings. From there you will be directed to the account settings page seen in figure 9. Simply change the Full name line to your name and click Save. You should now see your name displayed in the Splunk bar.
That’s it for part 1 of the online tutorial. We are now ready to get started on ingesting some data and executing searches against it. Part 2 is titled Uploading the Tutorial Data and is where we’ll start for part 3 of this series. Until then please feel free to drop some words of wisdom in the comments. Thanks for reading and see you next time.
VP and COO
Keyes Information Technology