Getting Started with Splunk
Overview
This wiki article discusses how to get started with Splunk, accessing the OpenMethods Splunk instance, how Splunk is being used at OpenMethods, resources for Developer/Test Splunk license, and an overall walkthrough of using the Splunk Search app and the Splunk search language (SPL).
1. How Splunk Cloud is used in OpenMethods Cloud
The diagram “Figure 1.” below provides a high level architecture diagram and the connection points between Splunk Cloud and OpenMethods Cloud. To date, there are 2 touch points into Splunk Cloud,
The OpenMethods MediaBar, a browser extension loaded into Oracle Service Cloud BUI onto a contact center agent’s workstation, sends data directly to Splunk Cloud using their Http endpoint (referred to as Http Event Collector, HEC).
OpenMethods personnel login to the Splunk Cloud portal via https://openmethods.splunkcloud.com/ to administer and run searches.
|
Figure 1. Splunk and OpenMethods Cloud Architecture Overview |
1.1 A Splunk Architecture Brief
The flow of data collection, processing, and making it available in Splunk Cloud is supported by 3 major components:
Splunk “Forwarders” collect data, perform some filtering, parsing, and extracting and then sends data to the “Indexers”.
Splunk “Indexers” process and reduce data to make it available for fast searching (via an index).
Splunk “Search Heads” expose the data to the presentation layer for search (e.g., Splunk Search App) and display/visualization
2. Resources for Accessing Splunk
2.1. OpenMethods Instance of Splunk Cloud
OpenMethods employees need to open an IT Help Desk support request to get access to Splunk Cloud. The Splunk Cloud instance authentication is connected to the OpenMethods corporate Active Directory so a user account just needs to be added to the proper Active Directory group.
2.2. Developer/Test Free License
All OpenMethods employees have rights to a free Developer/Test license which provides the right to install your own version of Splunk software either download and install or through AWS Marketplace*. More guidance will be provided here as soon as we have more experience in the process.
Splunk Dev/Test License: https://www.splunk.com/en_us/resources/personalized-dev-test-licenses.html
Free license (must be renewed every 6 months via same link)
Please see the Dev/Test FAQ for additional information
Everyone at Open Methods is entitled to their own 50gb license
3. About Splunk Cloud Portal
This section is a brief overview of login and navigating the Splunk portal and documentation resources.
Splunk Cloud Login
Login with your Openmethods corporate account (email/user without the “@openmethods.com”).
 Figure 2. Splunk Cloud Login Portal |
Splunk Cloud Portal Landing Page
After first login accepting terms of service, the Splunk Home page is shown in Figure 3.
Figure 3. Splunk Cloud Home Page |
The Splunk Landing Page is customizable, so yours is likely to look different.
Element | Description |
|---|---|
Apps Panel | The Apps panel lists the apps that are installed on your Splunk instance that you have permission to view. The Search app is the App “Search & Reporting”. |
Splunk Bar | Access to system settings, notices, and user preferences (the down arrow next to your login on far right). Note: timezone preferences are relevant when using the Search app, make a note of it as you will come back to it. |
Explore Splunk Panel | Content here is customizable with some pre-populated. Note, when you login this Panel is typically collapsed (note the “Close” button on the bottom right of the Panel. |
Recommendations on Resources (Documentation) for Exploring Splunk
There is a sea of information on Splunk, here are some tips for making use of the best.
The “Search Manual” link on the current version’s home page, references a link of the form /SplunkCloud/7.2.9/Search/. Note the version in the link, instead bookmarks/links should only be used with the moniker /latest/ in the URL.
The Splunk Cloud Documentation Home, Figure 4., is a big picture view of the available content. Most people, depending on role, will spend 95+% on the Search app, and additionally some on Getting Data In or Adding Data, and some on Reporting/Dashboards.
With that focus of Search app, the only source of Splunk documentation ever needed is the Search Reference page, Figure 5.
The navigation on this page is slick and avoids page turns or opening new Tabs/Windows. The left hand side navigation has access to anything that would be needed, the center panel is the main content, and the right panel shows a dynamic table of contents in a consistent manner by command, usage syntax, examples.
A specific case of that is shown in snippet of Figure 6. When first landing on Search Reference, the Introduction Section is expanded, click on the 2nd nav-panel below it, Evaluation Functions which displays that section. As the nav-panel is further expanded it will list every search command/function in the Splunk language.
Figure 4. Splunk Cloud Docs Home |
Figure 5. Splunk Search Reference |
|
4. Search App
With a few background items out of the way, go back to the Splunk Portal Home Page and click Search & Reporting to get over to the Search App.
The next wiki page in this series will focus only on the technical elements of searching,
5. Next Article: Splunk Search App Primer
This document may contain confidential and/or privileged information belonging to OpenMethods. If you are not the intended recipient (or have received this document in error) please notify the sender immediately and destroy this document. Any unauthorized copying, disclosure, or distribution of the material in this document is strictly forbidden.