Splunk SEs: Your "HowTo" Team
Recently, I received an email from a client who was struggling with a Splunk configuration issue. He was a sysadmin trying to figure out how to set up Splunk-2-Splunk within his private testing environment. The specific issue he was encountering was not so much that the Splunk software was not working or was throwing an exception; rather, it was about him trying to understand the "how to" part of Splunk-2-Splunk.
I think any time you have a technical IT tool like Splunk, combined with the ability for a technical person to download, install, and evaluate it for FREE, you will also have plenty of "how to" questions that naturally accompany those evaluation efforts.
With this said, I want to remind all you technical folks, especially those of you who may still be struggling with the HowTos of Splunk, that as Sales Engineers it is our job to provide you with the HowTo support you need during your evaluation of Splunk. In a way, you can think of us as Splunk's HowTo Team, always willing and able to discuss and recommend the best ways to configure and test out Splunk. It is our job to make sure you understand all of the technical features and how best to leverage them for your specific needs. It is also our job to help you develop a strong business case for purchasing a Splunk license based on the technical benefits, so that your manager or director can more easily justify the purchase of that license for you. And, if you are like me, more often than not you need all the justification you can get.
On a side note, I am curious about your initial experience with evaluating Splunk.
Therefore, please leave your comments and let me know the following:
1) When you FIRST downloaded Splunk and began your evaluation, what features or concepts did you find yourself struggling with the most?
2) What concept or feature were you NOT aware of at first, but later “discovered”? How did you discover it?
3) If you could go back in time and start your evaluation of Splunk over again, what would you do differently?
Thanks for participating. Your feedback is greatly appreciated!

May 1st, 2007 at 5:32 am
Great questions!
I’ve been evaluating Splunk for a day and a half, and so far have been pretty pleased with the outcome - however, of course, there have been a couple of head-scratching moments!
After unsuccessfully trying a preconfigured VM appliance (my preferred way to evaluate), I started from scratch with a clean install of Ubuntu server. Upfront - the documentation talks about a .deb installation package - but clearly this has been dropped for the latest version?
I think a little more hand holding here, or an officially supported virtual appliance would be great.
A little bit in the dark (with no Debian / Ubuntu instructions) I was pleasantly surprised how quick and easy it was to get Splunk up and working from the .tgz distro (no additional packages required).
After messing around with some archived log files (from a custom application we have) I felt confident enough to tail a folder on a remote Windows share, mounted using CIFS. Once again - surprised how easy this was.
Difficulties were encountered however in the fine tuning. Later I ended up discovering the bundles folder, and making a custom collector with a _whitelist parameter (very underdocumented by the way, only useful hints were in the forums).
I’m going to Splunk a bit more time tomorrow. So far I couldn’t get the LDAP authentication working against Active Directory (SOAP parser exception - strange as the config isn’t XML?), I don’t like depending on samba mounts for my alerting - so I’m going to try some sort of remoting - maybe splunk2splunk?
I still want to see if I can tell Splunk about our custom logfiles (I saw something on the bundles page about = alluding to arbitrary log configuration, but again - the documentation was scant).
Oh - and I’ll have to work out another way of emailing alerts. Unfortunately I work in a banking environment, and for security reasons I can’t just add a random MTA into the mix. It really would be better if Splunk could use an addressable SMTP server (one that isn’t on the same host).
I’m pretty sold already though, I’m just working out strengths and weaknesses so that I can find a real sweet spot to get this thing bedded in.
One final thing - the Wiki hasn’t been very helpful to me so far - I’d consider porting your manuals to the wiki, and adding the wealth of info that Google digs up from your forums into one big KB.
I expect the SEs would have been a great help - although we’re located in Australia, and so the timezone is a bit of an issue.
Oh! That’s another thing! Windows logs are often local time, Unix logs are often UTC - I haven’t found a way to configure this yet?
All the best - keep up the momentum!
Richard