All Splunk SPLK-1001 certification exam dumps, study guide, training courses are Prepared by industry experts. PrepAway's ETE files povide the SPLK-1001 Splunk Core Certified User practice test questions and answers & exam dumps, study guide and training courses help you study and pass hassle-free!

Advanced Splunk Concepts

1. Deployment Servers and Forwarder Management

Welcome back. In this segment, we are going to talk about deployment and forwarder management in a distributed environment. You set up a Splunk deployment server that manages groups of Splunk enterprise instances, forwarders, indexers, and the like from a central location. It identifies clients and subscribes them to certain server classes. If you have used other automation tools like Chef or Puppet, you're familiar with this type of model. And by the way, you can use Chef or Puppet to do the same thing. A server class defines a group of Splunk deployment apps and adds them to its member criteria. Each client of a server class reconciles its apps with the server, so if any are missing, it pulls them from the deployment server.

For example, if you created a server class called Microsoft Windows Domain Controllers and those domain controllers required a Splunk heavy forwarder, each domain controller that communicated with the Splunk deployment server would reconcile whether it had the appropriate app or not. If it doesn't, the client will retrieve it from the deployment server. Deployment apps are located in Etsy deployment apps on the Splunk deployment server. In smaller instances of Splunk, the Splunk searchhead might double as the deployment server. like this, for example. Consider the Splunk app for Windows Infrastructure, which is very popular. If the Splunk search head is on the same machine as the Splunk deployment server, you'll have a directory called Apps, where the regular Windows apps lie (Microsoft Active Directory and the DNS app). And then you'll have another folder called "Deployment Apps," where it will have Windows, Windows Domain Controllers, and Windows PowerShell. Deployment apps?

To manage deployment servers, go to Settings, Distributed Environment, and then forward our management. and let's take a look at how that works. All right, in our Splunk instance, if we go to Settings under Distributed Environment, let's go to Forwarder Management. And, first and foremost, it will display a list of forwarders who are currently calling home. And I can create server classes by clicking on the Server Classes tab. So I have a server class for AdDomain controllers, and it has three apps. Let's take a look at that. So the three apps each add-on domain controller needs that I've specified are this PowerShell app, the Indexer app, and the Tate add-on domain controller 2012. And once I add the servers that I want in this server class to the Include box, including wildcards, I simply click on Save. And then Splunk says, "Okay, all apps have been deployed successfully." We have these three Windows deployment apps, we have this action taken after installation, and then it counts the number of clients deployed. So that's how you set up a basic server class within Forwarder Management. And as always, I thank you for joining me in this segment, and I'll see you next time.

2. Users, Roles, and Authentication

Welcome back. In this segment, I'm going to talk about user roles and authentication in Splunk. To get to this area in the SplunkWeb interface, you simply go to Settings and then access controls at the bottom right. Users can be defined locally, and they can also be defined in a directory service like LDAP or Active Directory. In Splunk, just like in many other pieces of software, users are assigned to roles, and those roles take on specific capabilities.

Splunk comes with five built-in roles, and you can also make your own roles if you are an administrator. Admin, which has rights to everything by default, except the Can Delete role, which I'll talk about in a minute. We have a power user, we have a standard user, we have the ability to delete, and we have the Splunk system role. The Splunk System role is the one that Splunk uses sort of in the background to run the Splunk engine. The "can delete" role is not assigned to any user by default, and I actually recommend you leave it unassigned unless you actually want to delete an index. Then you can assign it to yourself temporarily, delete an index using the search tool, and just query that index. Index equals whichever index you want to delete, and then pipe, and then the word delete. And if you have that capability, you will be able to delete that entire index. As I said, Splunk administrators can create custom roles.

Some apps come with custom roles as well. So Win for Admin comes with the Splunk app for Windows infrastructure and VMware. Admin comes with the Splunk app for VMware. If you install these apps and you do not sign users up for either of these roles, your users will not be able to view the contents of those apps. There are several authentication options in Splunk, as I said earlier: local, which is just an authentication method on that particular Splunk environment, and you manage all user roles and permissions locally on that environment. There are two options: LDAP and Active Directory. You can use a Sam'l token, or you can do a scripted single sign-on. The first two are the ones that are important for this class, and actually, Splunk recommends the second one on that list. Splunk recommends using LDAP to manage user authentication, either LDAP or Active Directory, because then you can manage roles and users the same way that you manage roles and users within your organization. And so it ties into that central directory and management tool that you probably already have in your organization. So let's look at setting up an LDAP server.

And Spin calls it a strategy. So we go to Settings, Access Controls, and an Authentication Method, and we choose LDAP on the external part there; we choose LDAP, and then we click that blue link that says LDAP Settings. And here's the screen where Splunk displays all of our current LDAP strategies. And if there are no LDAP strategies, we simply click on "New" to create one, and it brings up a bunch of fields that we need to fill in. So the LDAP strategy name can be any name that you want. The host is your LDAP domain controller. The default ports under port are either 389 if you're not using SSL or 636 if you are using SSL. You may need to talk to your Directory Services group at your organisation in order to find out which ports they are using and tick that box there.

If SSL is enabled, the Bind DN is an administrator account or a service account in LDAP. And I personally recommend setting up a service account that's not tied to a specific user for this. Because if you set up an administrator account that's tied to a specific user, then the user leaves the organization. You'll have to come back here and change it, and in the meantime, Spunk will stop working. You'll have to fill in the password, obviously, for that account as well, and the BindDN password a little further down. We need to fill in the user settings and the user base DN.

This is where our users are located within the organisational units, the OUS. We have to type this in, in what I call "LDAP speak." Ou is the same as DC. DC is our domain controller, and organisational units are ours. So if our domain was test.dot.local, we would have DC equals test and DC equals local. And if we had, let's say, one organisational unit in that domain that was users, we would just have one. Ou stands for users. if that's what it was called. We can add a filter; it's not necessary, but if you have a large organization, it's recommended that you have a search filter.

The username attribute for LDAP recommends setting this to UID. For advertisements, we must use the sam accountname, with the real name attribute set to CN for common name, which displays the user's real name in the email attribute set to the mail group mapping attribute simply set to DN. And for group settings, we're going to set the group based on the location of your LDAP groups. So it's the same for you and DC. So we'll still have a DC test, where DC equals local, and an ou test for groups, where ou equals whatever our group's name is. So we might have a group of Splunk administrators. So we'd have our "equals" Splunk admins groupname attribute set to CN static member attributeset to member, and that's really all there is to it, if you can believe it. Thanks for joining us in this section, and I'll see you next time.

3. Configuration Files

Welcome back. In this segment, I want to talk about Splunk configuration files. Configuration files govern almost every aspect of how Splunk behaves. Any time you change something or create something in the web GUI, it writes it to a configuration file. A Splunk app is nothing more than a set of configuration files. Configuration files contain settings, knowledge objects, and other behavioural attributes of Splunk, including forwarding information, indexing information, receiving information, parsing information, and everything else that governs Splunk's behavior. So you can sort of see the importance of knowing what configuration files and Splunk are; they are Linux-like, but we can edit them and use them in Windows; they end in.com, and they are multilayered, as we will see here in what a typical Splunk installation directory structure looks like.

We have Splunk Home, which is in Windows Program Files (Splunk in Linux, it's Opt Splunk; and in that Splunk Home folder, we have the Binfolder, the Etsy folder, and the VAR folder, and our indexes are stored in Varleb Splunk. Our licence and configuration files are in the Etsy folder, and our executables are in the Bin folder. If you remember, we used the Bin folder to do things like stop and restart Splunk. So if we navigate to our Etsy folder, then system, and then local, this is where our main configuration files exist, the ones that come with Splunk. Each app has its own set of configuration files as well. So the search app has a set of configuration files. The launcher app and any other app we install are really just a collection of configuration files, and you'll notice that configuration files have the same names.

So, how does Splunk determine which configurations to use when and in which app context? First of all, let's take a look at what a very basic configuration file might look like. Configuration files are really just text files; they end in ".txt," not ".conf," and they have sections and attributes. The stanza or stanza header is in square brackets, and then underneath it are all the attributes for that stanza. So attribute equals value. Here's an example of a very simple output configuration: This is the spawn configuration file that tells an app where to send its data. And of course, we usually, at least in this class, configure this within the Splunk GUI. But it actually writes this to the outputs.com file. The stanza is TCP out splunk underscore indexer, and the attribute is server equals, and then the IP address colon, and then the port. So that is a legitimate outputs.com file, although that's a very simple example. There are default configuration files that don't have specific settings.

They're meant for you to copy over into the local directory if you want to modify them. Do not modify the configuration files found in Default. These are the ones that come with Splunk and; they're similar to the example configuration files, which you can modify. You should copy the files from the default directory into the local directory before you modify them. And here's an important point to make: When Splunk starts, configuration files are merged into a single runtime model. Remember all those files that have the same file name? Well, Splunk is not really looking at the file name. It's looking at the stanzas inside the configuration files. And, if there are no duplicate stanzas, the resulting runtime model is the union of all files. That is, if the same stanza appears in multiple files, the setting with the highest precedence is used. And here's how Spot determines precedents: The number one precedent is the system local directory.

The second is the app's local directories. Third are the app default directories, and fourth are the system default directories. So if you installed Splunk and didn't do any configurations or anything, it would fall all the way down to number four because there would be no other configurations or apps, and it would just run Splunk in the default mode right after installation. There are four main configuration files, and some apps have additional ones. But Inputs.com defines data as "inputs." Outputs.com defines forwarding behavior. Props.com defines indexing property configurations, customsource type rules, and much more. Props.com is a very important configuration file. And Limits.com defines various limits for search commands. That was a brief overview of configuration files, and going into a deep dive of configuration files is kind of beyond the scope of this class. But there are so many resources out there for understanding configuration files. I would recommend going to Docs.Splunk.com first of all. And I thank you for joining me in this segment, and I'll see you next time.

4. Knowledge Objects

Welcome to Splunk knowledge objects. This is going to be a brief video about what Splunk knowledge objects are and what they can do. In the next video, called Lookups, we'll do a demo of one of the most important types of knowledge objects, called a Lookup. Knowledge objects add knowledge to and enrich your data. They are created by you, the user, or an app that you have downloaded and installed.

They can include saved searches, field extraction tags, event types, lookup reports, alerts, data models, and more. What's a saved search? Well, as we know, once you search for something, you can click on Save As and save it as a report alert, a dashboard panel, or an event type. You've just created a knowledge object, which will be defined in Savedsearches.com. Field extractions are something we've discussed previously in the course.

So if you need a refresher, go ahead and go back to that video. But basically, fields can be extracted using the Field Extraction Editor, and most often we do regular expressions. But Splunk also gives us the option of doing it by delimiter. Props.com also defines field extractions. I love tags. Tags are so cool. They allow you to take a specific field combination and assign a friendly name to it. So, for example, you might have inherited a server that has this weirdly long name that nobody can remember. But you know, for example, that this is the mail server for the Eastern UK region, and it resides in building 1433, and that's why it has that weird name with 1433 in it.

But other people who are using Splunk probably don't know that and don't want to type that in every time. So create a tag that has the field value pair "host equals," then the full server name, and the tag name can be really whatever you want. In this case, I sent mail to East UK. To use this server, simply type tag equals mail East UK in the search box. I also love different event types. kind of like a named save search and kind of like a tag on steroids. In other words, you can tag an entire searchstring before the first pipe with an event type.

So, let's say you have this search, and if your company uses it frequently, you might want to give it a friendly name, such as and Event Type. So we've created an event type for east US errors, and event types can even include tax. So event types are very powerful. Lookups add custom fields to events from external sources like CSV files. So suppose your data has region codes, and you want Splunk to replace region codes with corresponding region names. So you make a region code CSV. In one column, you put the not-user-friendly region codes, and in another column, you put the region name that you want Splunk to replace them with. And then you do a lookup in your Splunk search, and stay with us because in the next video, we're going to actually do a demo of lookups. Thanks for joining me in this segment, and I'll see you in the next one.

5. Lookups

Welcome. In this short video, I'd like to discuss splunk lookups, specifically lookup tables. Lookup tables add custom fields to events from external sources like CSV files. A lookup table, in its most basic form, is a CSV file with two columns, as shown here. Now say you have a region code in your Splunk data, and it's not really that user-friendly because it's just a number. And suppose you want to tell Splunk that every time you see a particular region code, replace it with a particular region name. So as you can see there, on the left we have example region codes, and on the right we have example region names. So every time Splunk sees that the region code equals 2443, it will add another column next to that, which is the region name and says East US. We could also have it replace the existing value. It's pretty easy to add a lookup table to Splunk.

We go to Settings, then Lookups, and then, where it says Lookup table files, choose Add New. And on step number three, we can browse and actually upload the CSV file. And here's how a lookup command in Splunk looks; notice that it's after the pipe because it is a command. So we do look up the lookup table name, look up field one, and then output and look up field two. And again, lookups have a lot of different options and are very powerful. But for this demo, we're just going to do a very, very simple lookup with two columns. And for our lookup, we'll do a region codes CSV lookup. Table name. And in this case, if that's the name of the CSV with those two columns, region code, output, and region name, we might want to do a lookup region codes CSV. It's really quite simple. Let's look at how to actually implement this.

So in our Splunk environment, what I'm going to do is create a simple CSV, a comma-separated document just in Justin Notepad, and I'm going to call it "Test." And I'm simply going to make two column names: call name one, comma call name two. And I'm going to put some placeholders in here because we haven't actually looked at our data yet to see what values we want to replace. So vowel one and val two will be added later. But just to make sure that this thing is working, let's output a message that says that whatever the value is, it has been converted. And likewise for the second value, let's look at what data we actually want to replace here.

And since we have no data coming into Splunk yet, we can just use the index equals underscore internal to look at the Splunk logs, and we'll choose an event that has a few factors like log level, perhaps. Now, this is already very user friendly at the log level, but let's say that information warning and error aren't what we want to see or that we want to convert them in some way. So we'll start by calling name one. We'll do log, value one information, and value two war. just like this data is showing here.

And for column two, we'll put "Info has been converted" and "Warn has been converted," and let's save that as a test dot CSV. Now back in Splunk, we simply go to settings lookups, where it says "look up table files, add new," and we'll browse and upload that test CSV that we just created with the destination file name. I'd like to leave it the same, and let's change the permissions so that everyone can do everything on this st CSV thatSo now we have our test CSV, the owner's admin, and we have our permissions set. Let's take a look at our Splunk search and report app. And we'll search again for "index equals underscore internal." And this time we'll specify the log level and put a wildcard there.

So we want to bring in all log levels so that this will match any events that actually have that log level field. So now let's do a Linux pipe, and we'll start our lookup string. So look up, and then the table name is "test dot CSV." And then the lookup field one will be "log underscore level" for the word output. The output will be called "name two." Great, now let's make a simple table with the table command, and we'll do log level, which will show us the original values, and call name two, which should show us the new values. So we have data that has been converted; specify that we also want Warren Warren converted. So that's how you add and implement a very simple lookup table on Splunk. Thank you for joining me in this demo.

Splunk SPLK-1001 practice test questions and answers, training course, study guide are uploaded in ETE Files format by real users. Study and Pass SPLK-1001 Splunk Core Certified User certification exam dumps & practice test questions and answers are to help students.