1. Getting Started

Inform Yourself About Splunk and Splunk at Illinois

Request Service

  • Send email request to splunk-support@illinois.edu.
  • To prepare yourself for the service “setup” conversation(s), please read our Naming Conventions document, especially the sections on “indexes”, “collections”, and “sourcetypes”, and explore Splunkbase (reference mention immediately above) for apps/add-ons relevant to your environment.
  • Prepare to provide netIDs of persons from your team(s) who fit the following roles (presented below in decreasing order by capabilities):
    • Data Manager: (required) Needed for each data source you have sending to Splunk. Data Managers are persons responsible for ensuring event data is flowing to Splunk. Ideally there is a primary and a backup. We will contact the members of this role/group when questions or issues arise with your data source or the Splunk service.
    • Analyst: (optional, recommended) Persons on your team not responsible for data ingest (Data Manager) but responsible for searching and developing Reports, Alerts, Dashboards. Implies access to “production” indexes and write access to team app(s).
    • Developer: (optional) Exactly the same as the more common “Analyst” role (above) but implies access only to test/dev indexes. (Note: “Developer” here refers to a developer of the solution generating the event data, not a developer of Splunk solutions.)
    • User: (optional, recommended) Members of the team not responsible for data ingest and not responsible for (and/or trained on) developing Reports, Alerts, Dashboards, but who should have read access to team (production) index(es) and app(s).
    • Viewer: (optional, if/when needed) Persons who need view access to certain reports or dashboards from your team – but no access to team indexes. (For example, organizational executives external to your “team”.)

Get Data In to Splunk

There are many ways to get data in to Splunk. Please see the Getting Data In page for more information including instructions.

Log In to Splunk at Illinois

Visit https://illinois.splunkcloud.com to log in. You should be redirected to the familiar U of I SSO login screen (Shibboleth).

You may receive from us different URLs for special use cases. Alternative URLs for logging in to Splunk in our hybrid environment include…

Access Your App(s)

Once in Splunk, you may see a University-specific Welcome app, or a generic Splunk Home App. You might also see one of the apps set up for you or your team (an app identified as your “default” app).

Use the left menu or the Apps drop-down menu to navigate to the app of your choice. This will be an app set up for your team (or unit or project), or an app set up for a specific technology.

Review the tabs available from within the app.


App Order

You can change the order of your apps from the “Launcher” app. Simply drag and drop apps in the left pane to change app order.

Important: See “Save Stuff” below. Saving stuff in the right place is all about being in (or saving to) the right app context.

Search and Explore Your Data

Within the context of your team (or technology-specific) app, perform a search. (If your technology-specific app has no Search tab or menu item, navigate to your team app instead.)

It is likely you have a query from your data ingestion work that includes things like index, source, host, sourcetype.

From your team app’s search page, run a quick search – for example…

  1. Using the time-picker on the right side of the search bar, select “Last 15 Minutes” to limit the resources consumed by your test search. (TIP: Always reduce your time-period to the smallest period possible to minimize resource consumption.)
  2. In the search bar, enter the search string you were given before, or something like “sourcetype=<sourcetype of one of your sources>” to return all matching events.
  3. Click on the magnifying glass icon (next to time-picker).
  4. Confirm that you get results. Adjust time-period as appropriate – especially if you know that your data is not coming in real-time.
  5. Explore result set (events) by browsing the left pane (with list of fields) and trying out different views of your events (Raw, Table, List).

Note that clicking on a field value (in an event or in the left-pane field list) automatically adds that term to your search and narrows the result set to matching events.

You can also click on the timescale graphic to dynamically adjust your time-period (within the original time-period of the search).
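Data Managers are responsible for confirming that events keep flowing, so a search that checks this per host is a natural next step after the quick search above. The following SPL is an added example (not from the original page); the index and sourcetype values are placeholders you must replace with the ones from your ingestion work, and the 15-minute threshold is an assumption you should tune to how “real-time” your source actually is.

```spl
| tstats count, latest(_time) AS last_seen
    WHERE index=<your_index> sourcetype=<your_sourcetype> earliest=-24h
    BY host, sourcetype
| eval minutes_since_last_event = round((now() - last_seen) / 60, 1)
| where minutes_since_last_event > 15
| sort - minutes_since_last_event
```

The search reads only indexed metadata (`tstats`), so it is cheap to run over a day even though the quick search used “Last 15 Minutes”; any host it lists has sent nothing for longer than the threshold and is a candidate for the Data Manager to investigate.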


Save Stuff (Reports, Alerts, Dashboards, etc.)

Once you’ve got results from your search, save the search as a “Report” to demonstrate an important concept about “saving” relevant not only to reports, but to all knowledge objects within Splunk.

  1. Click on Save As → Report. (Upper right.)
  2. Give it a test name like “First Report Deleteme_techsvc_jd” and leave description blank, leave everything else as is. (This is just a test/demo to get to “Permissions” screen.)
  3. Click on Save.
  4. Click on Permissions.

Note the Display For options:

  • “Owner” means “Private”. That is, it will be saved under your “user” context and be invisible to everyone else, even others sharing your app. Unfortunately, this is the default selected option. You should feel free to use this when you truly want something “hidden”, but consider yourself encouraged to use the “App” context instead. It is a common frustration (and leads to sometimes embarrassing exchanges with teammates and Splunk support) to realize that what one meant to create to share with team-members is still “Private”.
  • “App” means this app – the app context in which you performed the search before you clicked “Save As”. We recommend this choice, App, be your default. This is also why we recommend you actively choose your desired app context for your searches whenever possible.
  • “All apps” means that this object will be available in other app contexts.

Screenshot sample:

  1. Cancel out of this screen. You should now see the saved report.
  2. Select Edit → Delete to delete this demo/test report. (You can also find it under the Reports tab of your app.)
Splunk at Illinois
Email: splunk-admin@illinois.edu