Splunk Overview
Splunk is a pretty killer tool that lets you search through whatever logs you point it at. It essentially builds an indexed database of log entries which you can then search against and analyze. Additional tools include a timeline view of log activity you can zoom in and out of, and several other nifty components.
Installation
The install documentation on the official site is so good there is really little to add. Find the full instructions at http://www.splunk.com in the Documentation section.
You may however want to review the "Before you install" section and understand the option of installing as the root user or as a dedicated non-root user. For a service that will be listening on a network port, running it as a non-root user is the safer choice, since a compromise of the web interface then does not hand over the whole box.
There are .rpm and .deb packages to install from (these install and run as root) and they make the install a very easy process.
Once installed you may start Splunk with:
/opt/splunk/bin/splunk start
Once started, point your browser to:
http://mysplunkhost:8000
And splunk the depths of your server logs where no man may have gone before.
Things to Know . . .
The free version does not include authentication, so once the service is started anyone who can reach port 8000 will also be able to see your logs. You might prevent this with some creative solutions, or just turn Splunk off when you are done splunking about. Or you can turn off the web interface, enable SSL, etc.; see the admin section when you log in. At a minimum, use a host firewall to restrict port 8000 to the addresses you actually search from, and remember that logs often contain usernames, IPs and the occasional password typed into the wrong prompt, so treat the Splunk box as sensitively as the systems feeding it.
IMPORTANT NOTE:
You want to install it some place where you are going to have a few gigabytes of space, because the index grows with the logs you feed it. So if you install it in the default /opt (which is probably on your root filesystem) and you have a small root partition, you may run out of room. Easy enough: just make /opt/splunk a symlink to a directory on a partition with plenty of space (maybe something under /home?). Set this up before you install so that your symlink is already in place when the package creates its files:
[root@tardis opt]# pwd
/opt
[root@tardis opt]# ls -lha
total 12K
lrwxrwxrwx 1 root root 24 Dec 19 06:54 splunk -> /MyBigPartition/splunk
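The pre-install steps above (check for space, put the symlink in place, only then run the installer) as a small script. This is an added example, not something from the page or from Splunk; the /opt/splunk and /MyBigPartition/splunk paths come from the listing above, and the 2 GB minimum is an assumed threshold you should adjust to your own log volume. Paths are arguments so you can dry-run it against a scratch directory before touching /opt.

```bash
#!/bin/sh
# Added example (not from the original page): prepare the Splunk install
# location before running the .rpm/.deb install, so /opt/splunk lands on a
# partition with room for the index. The default 2048 MB minimum is an
# assumption; size it to your own log volume.
set -eu

# prepare_splunk_home <big_partition_dir> <link_path> [min_free_mb]
#   Creates <big_partition_dir> and points <link_path> at it.
#   Refuses to replace an existing real directory at <link_path>.
#   Returns 1 if the target partition has less than min_free_mb free.
prepare_splunk_home() {
    target=$1
    link=$2
    min_free_mb=${3:-2048}

    mkdir -p "$target"
    chmod 0755 "$target"

    # Free space check: with -P, df prints 1024-byte blocks and column 4
    # is "Available" on a single line even for long filesystem names.
    free_kb=$(df -Pk "$target" | awk 'NR==2 {print $4}')
    free_mb=$((free_kb / 1024))
    if [ "$free_mb" -lt "$min_free_mb" ]; then
        echo "only $free_mb MB free under $target, want $min_free_mb MB" >&2
        return 1
    fi

    # Never silently swallow a real directory: if the installer already
    # created /opt/splunk you would lose its contents by linking over it.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link exists and is not a symlink; refusing to replace it" >&2
        return 1
    fi

    # Replace any stale link so re-running is idempotent. Removing first is
    # more portable than relying on ln -n.
    mkdir -p "$(dirname "$link")"
    [ -L "$link" ] && rm -f "$link"
    ln -s "$target" "$link"
}

# splunk_home_target <link_path>
#   Prints where the link resolves, so you can confirm the layout before
#   handing the path to the installer (compare with the ls -lha output).
splunk_home_target() {
    readlink "$1"
}

# Usage on the real system, as root, before installing the package:
#   prepare_splunk_home /MyBigPartition/splunk /opt/splunk
#   splunk_home_target /opt/splunk     # -> /MyBigPartition/splunk
```

Run it as root before the package install so the installer's files go through the link. The refusal to overwrite a real directory is deliberate: if you forgot and installed first, move the existing /opt/splunk aside with Splunk stopped, then create the link.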
Added Coolness
So how do you make it even more cool? By adding the Splunk toolbar plug-in for Firefox, of course!
http://www.splunk.com/doc/3.1.4/installation/InstallFirefoxToolbar
Then you can just configure your hosts in the Firefox toolbar and search the logs on any of your servers lickety-split (though make sure you have lickety-split 1.2.x installed first <joke>).
Configuration
So you like to play around with config files for stuff like this, eh? Yeah, us too. However, read up on this first, as Splunk's layout is a bit different from most daemons. Firstly, you will find the configs someplace like:
/opt/splunk/etc/bundles
You might want to check out the README directory there and read up in the admin guide at splunk.com for more information on this.
NOTE: Splunk 3.0+ also lets you search these config files using Splunk itself. Yeah, cool.