Splunk

The Splunk tab contains various areas of management related to your Splunk installation. It allows you to perform common tasks, edit configuration files, and manage Splunk applications.

Daemon

Allows you to review and modify settings related to Splunk Enterprise’s splunkd process without using the command-line. Here you may stop or restart Splunk; upgrade Splunk; reset the Splunk Admin password; enable or disable boot-start; and review and modify advanced configurations.

Web Interface

Allows you to review and modify settings related to Splunk Enterprise’s web interface, Splunk Web. Here you may

  • Disable or enable Splunk Web.
  • Launch Splunk Web in your browser.
  • Review and modify advanced configurations such as enabling encryption and configuring the default port.

Hunk

Splunk Analytics for Hadoop, formerly known as Hunk, provides seamless search and reporting on data stored in HDFS. At a minimum, Hunk requires HDFS with one NameNode and at least one DataNode, plus MapReduce or YARN (recommended).

The Hunk section in Manage allows you to configure the so-called Hadoop Providers required to connect to HDFS and, optionally, verify the required permissions. Specify a Provider Name to identify the configuration later in Splunk. The HDFS NameNode FQN requires a URL in the format hdfs://:/.

The port is optional and defaults to 50070. To operate, Hunk stores a handful of files on HDFS in an intermediate directory. First, manually create this path on HDFS for each Search Head that will connect to HDFS, and grant read/write permissions to the splunk user (Splunk Enterprise runs as the non-privileged user splunk, as do all HDFS operations performed by Hunk). The Hunk section in Manage will also automatically add the additional parameters the Virtual Index Provider needs in order to run Hunk. Review the resulting configuration manually in /opt/splunk/etc/system/local/indexes.conf.

After successfully adding the provider, go to Splunk Enterprise administration, make sure that the Splunk Analytics for Hadoop license is installed and choose Settings > Virtual Indexes to add a new Virtual Index using the provider created in the wizard above.
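Because Manage writes the provider stanza for you and asks you to review it afterwards, a pre-flight check of indexes.conf is a practical habit. The script below is an added example and not part of the Gemini Manage product or of Splunk; it reads the [provider:*] stanzas of an indexes.conf, applies the NameNode URL rule described above (hdfs:// scheme, port optional, 50070 when omitted) and confirms that the intermediate HDFS directory is an absolute path. The stanza keys vix.family, vix.fs.default.name, vix.splunk.home.hdfs and vix.mapreduce.framework.name are Splunk's documented provider settings; the hostnames and paths in the sample are constructed for illustration.

```python
"""Sanity-check Hunk provider stanzas in a Splunk indexes.conf.

Added example, not Gemini Manage or Splunk code. The provider keys used here
are Splunk's standard vix.* settings; the sample stanzas are constructed.
"""
import configparser
import sys
from urllib.parse import urlsplit

DEFAULT_NAMENODE_PORT = 50070  # default stated in the Manage documentation

# Constructed sample: one well-formed provider and one with typical mistakes.
SAMPLE_INDEXES_CONF = """
[provider:hadoop_prod]
vix.family = hadoop
vix.fs.default.name = hdfs://namenode.example.internal:8020/
vix.splunk.home.hdfs = /user/splunk/hunk/sh01
vix.mapreduce.framework.name = yarn

[provider:hadoop_broken]
vix.family = hadoop
vix.fs.default.name = http://namenode.example.internal/
vix.splunk.home.hdfs = relative/path
"""


def parse_namenode(url):
    """Return (host, port) for an hdfs:// NameNode URL, applying the default port."""
    parts = urlsplit(url.strip())
    if parts.scheme != "hdfs":
        raise ValueError(f"scheme must be hdfs://, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("NameNode host is missing")
    if parts.path not in ("", "/"):
        raise ValueError(f"URL path must be empty or '/', got {parts.path!r}")
    port = parts.port if parts.port is not None else DEFAULT_NAMENODE_PORT
    return parts.hostname, port


def check_providers(conf_text):
    """Return {provider_name: [problems]} for every [provider:*] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("provider:"):
            continue
        name = section[len("provider:"):]
        stanza = cp[section]
        problems = []
        if stanza.get("vix.family") != "hadoop":
            problems.append("vix.family should be 'hadoop'")
        url = stanza.get("vix.fs.default.name")
        if url is None:
            problems.append("vix.fs.default.name (NameNode URL) is missing")
        else:
            try:
                parse_namenode(url)
            except ValueError as exc:
                problems.append(f"vix.fs.default.name: {exc}")
        home = stanza.get("vix.splunk.home.hdfs")
        if not home:
            problems.append("vix.splunk.home.hdfs (intermediate directory) is missing")
        elif not home.startswith("/"):
            problems.append("vix.splunk.home.hdfs must be an absolute HDFS path")
        report[name] = problems
    return report


if __name__ == "__main__":
    # Pass a path such as /opt/splunk/etc/system/local/indexes.conf, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INDEXES_CONF
    for provider, problems in check_providers(text).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{provider}: {status}")
```

Run it against /opt/splunk/etc/system/local/indexes.conf after the wizard has written the provider; an empty problem list for the new provider is the signal to proceed to the Virtual Index step.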

Apps

Apps provides a list of all Splunk Apps currently installed on your Gemini appliance. Each app may be downloaded to your desktop as a tarball file. Drilling down on the app directs you to the app’s directory listing in the Splunk Config Editor.

Splunk Diag

Splunk Diag allows you to quickly create a Splunk Diag file [./splunk diag] on demand. Multiple Splunk Diag files may be stored for later retrieval and download.

Optimizer

Allows you to select a predefined Splunk role for your Gemini appliance, automatically updating all the .conf files for you. Options include:

  • Splunk Default
  • Indexer
  • Heavy Forwarder
  • Search Head
  • All In One

Config Editor

The Config Editor allows you to edit, create, or upload Splunk configuration files within the $SPLUNK_HOME/etc/ file path from the Manage web interface. The editor provides file path navigation links and complete versioning of all file revisions.

Splunk Versioning

Enabling the Splunk Configuration Repository allows you to manage changes, and retain multiple versions of configuration files. This provides roll-back capability after making changes.

Command

Splunk Command allows you to issue Splunk commands directly from your browser. Additionally, the Splunk Command Helper provides for easy, interactive building of complex Splunk commands which may then be issued within the browser.

Splunk Environments

Using Splunk Environments you can manage a multi-site, fully clustered Splunk environment with ease. You can build an environment with Splunk Indexer Clusters and Splunk Search Head Clusters created in one or more locations. When new Splunk versions are released, you can upgrade the whole environment easily.

Prerequisites:

  • Splunk must not already be installed on any of the nodes waiting for assignment by Splunk Environments.
  • If you want to create a Splunk Indexer Cluster, the following conditions must be met:
    • At least three nodes are needed for an indexer cluster: one for the cluster master and the others for peer nodes.
    • If multi-site clustering is enabled, there must be at least two indexers in each site.

If you want to create a Search Head Cluster, the following conditions must be met:

  • A Splunk Indexer Cluster must already exist; it is used when creating a Search Head Cluster.
  • At least four nodes are needed for a Search Head Cluster: one for the deployer and the others for peer nodes.
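The prerequisites above are easy to get wrong when an environment spans several sites, and the wizard only warns once you reach the Organize Nodes step. The following script is an added example, not part of Gemini Manage; it checks a planned layout against those rules before you start the wizard: no node may already run Splunk, an indexer cluster needs at least three nodes (one of them the master), a multi-site indexer cluster needs at least two peer indexers per site, a search head cluster needs at least four nodes (one of them the deployer) and must reference an indexer cluster in the same plan. The plan and inventory dictionaries are a format assumed for this example, not the Manage UI's own, and all node names and sites are constructed.

```python
"""Validate a planned Splunk Environment against the Manage prerequisites.

Added example; not Gemini Manage code. The plan/inventory shapes below are
assumptions for this example and every node name and site is constructed.
"""
MIN_INDEXER_CLUSTER_NODES = 3   # one cluster master plus peer nodes
MIN_PEERS_PER_SITE = 2          # applies only when multi-site clustering is enabled
MIN_SHC_NODES = 4               # one deployer plus peer nodes

# Constructed inventory: node name -> (site, whether Splunk is already installed)
SAMPLE_NODES = {
    "cm1":    ("site1", False),
    "idx-a1": ("site1", False), "idx-a2": ("site1", False),
    "idx-b1": ("site2", False), "idx-b2": ("site2", False),
    "dep1":   ("site1", False),
    "sh1":    ("site1", False), "sh2": ("site1", False), "sh3": ("site2", False),
    "old1":   ("site2", True),   # already runs Splunk, so it must not be assigned
}

# Constructed plan: a two-site indexer cluster and one search head cluster.
SAMPLE_PLAN = {
    "indexer_clusters": [
        {"name": "idx-prod", "multisite": True, "master": "cm1",
         "nodes": ["cm1", "idx-a1", "idx-a2", "idx-b1", "idx-b2"]},
    ],
    "search_head_clusters": [
        {"name": "shc-prod", "indexer_cluster": "idx-prod", "deployer": "dep1",
         "nodes": ["dep1", "sh1", "sh2", "sh3"]},
    ],
}


def validate_plan(nodes, plan):
    """Return a list of prerequisite violations; an empty list means the plan is acceptable."""
    problems = []
    assigned = {}

    def claim(node, cluster):
        # Every node must exist, be free of Splunk, and belong to at most one cluster.
        if node not in nodes:
            problems.append(f"{cluster}: node {node!r} is not in the inventory")
            return
        if nodes[node][1]:
            problems.append(f"{cluster}: node {node!r} already has Splunk installed")
        if node in assigned and assigned[node] != cluster:
            problems.append(f"{cluster}: node {node!r} is also assigned to {assigned[node]!r}")
        assigned.setdefault(node, cluster)

    indexer_cluster_names = set()
    for c in plan.get("indexer_clusters", []):
        name = c["name"]
        indexer_cluster_names.add(name)
        for n in c["nodes"]:
            claim(n, name)
        if len(c["nodes"]) < MIN_INDEXER_CLUSTER_NODES:
            problems.append(f"{name}: needs at least {MIN_INDEXER_CLUSTER_NODES} nodes, has {len(c['nodes'])}")
        if c.get("master") not in c["nodes"]:
            problems.append(f"{name}: the master node must be one of the cluster's nodes")
        if c.get("multisite"):
            # Count peer indexers (everything but the master) per site.
            per_site = {}
            for n in c["nodes"]:
                if n != c.get("master") and n in nodes:
                    site = nodes[n][0]
                    per_site[site] = per_site.get(site, 0) + 1
            for site, count in sorted(per_site.items()):
                if count < MIN_PEERS_PER_SITE:
                    problems.append(f"{name}: site {site!r} has {count} indexer(s), needs {MIN_PEERS_PER_SITE}")

    for c in plan.get("search_head_clusters", []):
        name = c["name"]
        for n in c["nodes"]:
            claim(n, name)
        if len(c["nodes"]) < MIN_SHC_NODES:
            problems.append(f"{name}: needs at least {MIN_SHC_NODES} nodes, has {len(c['nodes'])}")
        if c.get("deployer") not in c["nodes"]:
            problems.append(f"{name}: the deployer must be one of the cluster's nodes")
        if c.get("indexer_cluster") not in indexer_cluster_names:
            problems.append(f"{name}: indexer cluster {c.get('indexer_cluster')!r} is not defined in this plan")
    return problems


if __name__ == "__main__":
    for line in validate_plan(SAMPLE_NODES, SAMPLE_PLAN) or ["plan satisfies all prerequisites"]:
        print(line)
```

The site-level check deliberately excludes the master from the per-site count, because the prerequisite speaks of two indexers per site and the master does not index data.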

Add Nodes and make sure all the nodes are waiting for assignment.

The configuration procedure is as follows:

  1. Specify the environment name and sites, and upload the Splunk binary.
  2. Create one or more Splunk clusters for this environment.
  3. Organize the nodes to the relevant clusters.
  4. Specify the sites for each cluster.

Add Node

Nodes can be added in two ways:

  • Bulk Provisioning. All the bulk provisioned nodes will be added automatically.
  • Manually add. You may add other Manage nodes manually. Note that the Manage version on those nodes must be the same as on the host running cluster management.

Build Environment

This is a four-step wizard to build a Splunk environment and complete all necessary settings.

Create Environment

In this step several attributes need to be determined:

  • Deployment Type. Select Deploy Multi-Use Environment to continue.
  • Environment Name.
  • Available Sites. Refer to Splunk documentation for more information.
  • Splunk Software. The running Splunk version in this environment. Only one Splunk version is used in an environment.

Create Cluster

Two types of Splunk clusters can be created:

  • Splunk Indexer Cluster
  • Splunk Search Head Cluster

Refer to the Splunk Architecture Best Practices documentation for more information about how clustering works in Splunk.

Organize Nodes

In this step you need to search for and select unassigned nodes and add them to the created clusters. Please note that each cluster has its minimum requirements; if they cannot be met, a warning appears in the status field. In Your Clusters, you can specify the desired Master Node for an indexer cluster and the Deployer for a search head cluster.

Locate Nodes

Specify where the nodes are located, especially if there are multiple sites available in this environment.

Choose Deploy to begin the deployment. The time to completion depends on the number of nodes and the size of each cluster in this environment.

Deploy Independent Stream Forwarder

You can also deploy the Splunk Independent Stream Forwarder onto multiple Manage nodes located in multiple sites by leveraging Splunk Environments. A wizard guides you through deploying independent stream forwarders and completing the necessary settings.

Create Environment

Similar to Splunk cluster deployment, but select Deploy Independent Stream Forwarder Only when determining the deployment type.

Organize Nodes

Select the nodes in Available Nodes and assign the Independent Stream Forwarder role to them by selecting Assign Standalone Role.

Configure the settings to specify how to acquire the binary and where the program reports to when it is running. You can obtain the required information from Distributed Forwarder Management in the Stream Forwarder App.

Locate Nodes

Specify where the nodes are located, especially if there are multiple sites available in this environment.

Environment Administrations

Once the environment has been built and deployed, the following administrative actions are available for it:

  • Redeploy - If any errors occurred during deployment, use this option to fix the issue and complete the deployment.
  • Upgrade - Upgrade the Splunk version on all the nodes in this environment.
  • Delete - Delete the whole environment.
    • Note: All the installed Splunk instances in this environment will be removed.
  • Remove cluster - Remove a cluster from the environment.
    • Note: All the installed Splunk instances in this cluster will be removed.
  • Add nodes into a cluster.
  • Remove nodes from an existing cluster.
    • Note: All the installed Splunk instances on these nodes will be removed.

Upgrade Splunk

This will upgrade all the Splunk instances running in this environment. Take note of the following:

  • All Splunk versions running in an environment are managed together and should be kept consistent. Splunk running on these nodes should not be upgraded individually.
  • To keep zero downtime, the upgrade process performs a rolling upgrade following the Splunk recommended upgrade procedure. Only one node goes down for upgrade at a time. This may take a while if the environment is large.
  • Only upgrades to a newer minor version are accepted. Upgrading Splunk to the next major version is forbidden. For example, upgrading Splunk from version 6.4.1 to 6.5.3 is accepted, whereas an upgrade from version 6.5.3 to 7.0.0 is forbidden. NOTE: The restriction "Upgrading Splunk to its next major version is forbidden" applies only when the upgrade is performed through the GEM web GUI. Please contact support@geminidata.com for any questions.
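The version rule and the consistency rule above can be expressed as a small pre-check so that an operator knows before clicking Upgrade whether the web GUI will accept the target version. The script below is an added example and not Gemini Manage's own logic: it parses MAJOR.MINOR.PATCH versions, refuses any target that crosses a major version boundary, and refuses an environment whose nodes are not all on the same version. Treating a target that is the same as or older than the current version as not an upgrade, and accepting any newer version within the same major (including patch-only steps), are this example's reading of "newer minor version"; the node names in the sample are constructed.

```python
"""Pre-check for the Manage upgrade rules: one consistent version per
environment, and only same-major upgrades through the web GUI.

Added example, not Gemini Manage code. Node names below are constructed.
"""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn '6.5.3' into the comparable tuple (6, 5, 3)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    return tuple(int(part) for part in m.groups())


def upgrade_decision(current, target):
    """Return (allowed, reason) for a proposed current -> target upgrade."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt <= cur:
        # Assumption of this example: "upgrade" means strictly newer.
        return False, f"{target} is not newer than {current}"
    if tgt[0] != cur[0]:
        return False, f"{current} -> {target} crosses a major version; refused by the web GUI"
    return True, f"{current} -> {target} is a rolling upgrade within major version {cur[0]}"


def plan_environment_upgrade(node_versions, target):
    """Check the whole environment and return the rolling order (one node at a time).

    node_versions maps node name -> currently running Splunk version.
    Raises ValueError when versions are inconsistent or the upgrade is refused.
    """
    versions = set(node_versions.values())
    if len(versions) != 1:
        raise ValueError(f"environment versions are inconsistent: {sorted(versions)}")
    (current,) = versions
    allowed, reason = upgrade_decision(current, target)
    if not allowed:
        raise ValueError(reason)
    # One node goes down at a time; the order is simply the inventory order here.
    return list(node_versions)


if __name__ == "__main__":
    # Constructed environment: three nodes on the same version.
    env = {"cm1": "6.4.1", "idx-a1": "6.4.1", "idx-a2": "6.4.1"}
    for target in ("6.5.3", "7.0.0"):
        try:
            order = plan_environment_upgrade(env, target)
            print(f"{target}: accepted, rolling order {order}")
        except ValueError as exc:
            print(f"{target}: refused ({exc})")
```

Running the stand-alone block accepts 6.5.3 and refuses 7.0.0 for the constructed environment, matching the two examples in the documentation.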