So, my boss says:
“Write an article called ‘Getting Started with Splunk.’”
“What, you think I know all this stuff? This really would be a getting started article.”
But here it is and WOW is Splunk cool!
My only experience with Splunk up to a couple days ago was seeing a T-shirt with “Log is my copilot”. I knew it had something to do with gathering log files and making them easier to read and search. In about an hour I had gone to Splunk’s website to research the product, downloaded and installed it, and started viewing logs from my own system. The Splunk folks have made getting their product into their customer’s hands easy and getting started even easier.
What is Splunk?
Simply put, Splunk can gather just about any kind of data that goes into a log (system logs, website metrics, etc.) into one place and make viewing that data easy. It’s accessed via web browser so it’s accessible on any computer or mobile device such as an iPad.
What do I need to run Splunk?
Practically any common operating system today can run Splunk: Mac OS X, Linux, Windows, FreeBSD and more.
How much does Splunk cost?
Don’t worry about that right now. Download and install the free version. It takes minutes to install and is a no-brainer. Let’s get started.
IT managers and directors may be interested in watching the introductory and business case videos with the corporate speak (“operational intelligence” anyone?) and company endorsements. Techs will be interested in getting started. Right on their home page is a big green Free Download button. Go there, click it and locate the downloader for your OS of choice. I downloaded the Mac OS X 10.7 installer to test (and installed it on OS X 10.8 without any issues).
This does require a sign-up to create an account. It takes less than a minute to complete. After submitting the information the 100 MB download begins right away.
While waiting for the download…
When the download is on its way the Splunk folks kindly redirect to a page with some short videos to watch while waiting. Watch this first one called Getting data into Splunk. It’s only a few minutes and this is the first thing to do after getting into Splunk.
Installing and starting Splunk
The download arrives as a double-clickable Apple Installer package. Double-click and install it. Toward the end it opens a simple TextEdit window with instructions for how to start, stop and access the newly installed Splunk site.
Files are installed in
/Applications/splunk and resemble a UNIX file system.
Open the Terminal application found in
/Applications/Utilities and run the command
/Applications/splunk/bin/splunk start. If this is the first time running Splunk it prompts to accept its license agreement. Tap the spacebar to scroll through and read the agreement or type “q” to quit and agree to the license.
Accepting the agreement continues to start Splunk where it displays some brief setup messages.
The setup then provides the local HTTP address for the newly installed Splunk site. Open this in a web browser to get to the login screen. The first login requires that the administrator account password be reset.
Following along with the Getting data into Splunk video, Splunk will need some information. Mac OS X stores its own log files. Let’s point to those.
Click the Add Data link to begin.
Since Mac OS X’s log files are local to the machine, click A file or directory of files.
Click Next to specify local files.
This opens a window that exposes not only Mac OS X’s visible folders but its invisible folders as well. Browse to
/var/log/system.log and click the Select button.
For now, opt to skip previewing the log file and click Continue.
Now, let’s opt to monitor not only the
system.log file but the entire
/var/log folder containing dozens of other log files as well. Note that Splunk can watch rotated and zipped log files too. Click Save to finish adding logs.
Let’s start searching!
The Search window initially displays a list of all logs Splunk is monitoring. To narrow the search change the time filter drop down menu to Last 60 minutes. This will make the results a little easier to see on a system that’s only been running a short while.
Now, search for install*. Splunk will only search for the word “install” without providing the asterisk as a wildcard character. Splunk supports not only wildcard searches but booleans, parentheses, quotes, etc. It will return every instance recorded in the logs that matches the search criteria. It also creates an interactive bar chart along the top of the page to indicate the number of occurrences found for the search at particular times.
To further refine the search, Option+click most any word in the log entries below and Splunk will automatically add the necessary syntax to remove an item. In this case the install* search returned install, installer and installd. Option+clicking installd changed the search criteria to install* NOT installd.
Continue exploring the videos to understand Splunk’s possibilities and take advantage of its Splunk Tutorial, which is available online as well as in PDF format for offline viewing. They do a great job leading users through setup and creating reports.
Still asking about price? Good.
The free version remains free but doesn’t include many features that really make it sing such as monitoring and alerts, multiple user accounts and support beyond the Splunk website. Cost depends primarily on the amount of data you want to suck into Splunk and have it watch. It’s not cheap but for an enterprise needing to meet certain service level requirements it beats browsing through multiple servers trying to find the right log with the right information.
FYI, putting together this 1,000-word article probably took me 10 times longer than performing the Splunk install itself and beginning to learn it. It’s really well-done and easy to use. Splunk makes getting started simple.