- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Things to do when you first install Splunk?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Things to do when you first install Splunk?
What are the things that you normally do as part of a Splunk server installation?
David Carasso published a nice list at http://www.innovato.com/splunk/GettingStarted.htm (and wrote a book too!)
But that list is about a lot of things besides a Splunk server set up.
I am not asking about forwarder setup here, although forwarders will probably be similar. I am looking for the things that you do to make sure that your Splunk server is "good" in the initial setup.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Review the Things I wish I knew wiki page and visit #splunk!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @dshpritz! I asked this question partly because I couldn't find this page!
I knew there were things out there, but my Google searches didn't turn up what I expected!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please share your checklist!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Lisa,
Can a CSV file already uploaded be changed or edited? I would like to know the best approach to treat currency ($ and negative in parenthesis) that gets moved as a string into Splunk, besides these two options:
1. Convert currency to numeric before loaded into Splunk
2. Do the conversion in the search
Here is some sample data:
Contract_Date Amount Vendor_Id Contract_Services
"Sep 25, 2012","$9,843.00","CN99999","FS SERVICES"
"Sep 25, 2012","$4,631.16","CN99999","FS SERVICES"
"Sep 25, 2012","($52,479.99)","CN99999","FS SERVICES"
Thanks! Juan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is my personal list.
- Create a user account to run Splunk.
- Install Splunk and start it. Accept the license terms.
- Install a license.
- Stop Splunk.
Edit the following configuration files in $SPLUNK_HOME/etc/system/local
inputs.conf server.conf web.conf ui-prefs.confDownload and install the following apps:
Sideview Utils SOS SOS add-on Timewrap Splunk Common Information Model Splunk Deployment Monitor Splunk DB Connect Anything else that seems useful at the timeFor a development server, also install
Splunk 6.x Dashboard Examples Splunk Web Framework Toolkit Splunk Dashboard Examples for 5+ (older)Check indexes and inputs on all apps
Start Splunk
Set Splunk for bootstart (Linux)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, here is the ui-prefs.conf that I like
[search]
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
[default]
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
I got it from this very useful question-and-answer
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
