

Day 3
- Vikram Yadav (VY)

Your attendance and progress in the course will be calculated based on the completion of the assignments and quiz.
Agenda – Day 3
• Getting data in
• Understanding Data
• Upload, Monitor and forward
• Configuration File
• Lab
Getting Data in
• JSON File
• XML File
• Log File
• Log File with Timestamp
• TXT File
• Proprietary format
• CSV File
• ZIP/GZ compressed files
Getting Data in
• Host: This is used to identify the host from where the data is coming

• Index: This is used to set the path where you want the data to be stored

• Source: This is used to identify the path from where you are collecting data

• Sourcetype: This is used to determine the format of incoming data

Getting Data in

• Upload
• Monitor
• Forward

Local/Remote Event Logs
Performance Monitoring
Registry Monitoring
AD Monitoring
Scripts/PowerShell input
Configuration Files
• Where will you find these files?
• $SPLUNK_HOME/etc/system/default
• $SPLUNK_HOME/etc/system/local
• $SPLUNK_HOME/etc/apps/default
• $SPLUNK_HOME/etc/apps/local

• Precedence
• System local directory — highest priority
• App local directories
• App default directories
• System default directory — lowest priority
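
The precedence order above, worked through as an added example (not part of the original slides): a small Python script that layers constructed inputs.conf contents from the four directories and reports which directory supplies each effective attribute. The layer labels, the stanza and all values are assumptions made for illustration.

```python
# Added example: layer Splunk .conf stanzas in the precedence order listed above.
# All file contents below are constructed sample data, not from a real deployment.

# Lowest priority first, so later layers override earlier ones.
PRECEDENCE = ["system/default", "app/default", "app/local", "system/local"]

SAMPLE_LAYERS = {  # constructed inputs.conf contents, one entry per directory
    "system/default": "[monitor:///var/log/auth.log]\ndisabled = true\nindex = default\n",
    "app/default": "[monitor:///var/log/auth.log]\ndisabled = false\n"
                   "sourcetype = linux_secure\nindex = main\n",
    "app/local": "[monitor:///var/log/auth.log]\nindex = os_security\n",
    "system/local": "[monitor:///var/log/auth.log]\nhost = web01\n",
}


def parse_conf(text):
    """Parse 'key = value' lines grouped under [stanza] headers."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def effective_config(layers):
    """Merge attribute by attribute; return {stanza: {key: (value, origin)}}."""
    merged = {}
    for origin in PRECEDENCE:
        for stanza, attrs in parse_conf(layers.get(origin, "")).items():
            for key, value in attrs.items():
                merged.setdefault(stanza, {})[key] = (value, origin)
    return merged


if __name__ == "__main__":
    for stanza, attrs in effective_config(SAMPLE_LAYERS).items():
        print(f"[{stanza}]")
        for key, (value, origin) in sorted(attrs.items()):
            print(f"{key} = {value}    # from {origin}")
```

On a real instance, `splunk btool inputs list --debug` reports the same merged view along with the file each line came from.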
Configuration Files
• What is stored in these config files? (example: \etc\system\README)
• System Settings
• Authentication
• Authorization
• Indexes
• Deployment Configurations
• Cluster Configurations
• Saved Searches
Configuration Files
• Commonly used configuration files
• inputs.conf
• outputs.conf
• props.conf
• savedsearches.conf
• indexes.conf
• authentication.conf
• authorize.conf

• Upload any Log File/Windows Source on Splunk

• Monitor files / Directory
• Local Performance Monitoring

Please submit an email with a screenshot of the assignment before the commencement of the next class. To move forward with the course, it is important to complete this assignment. If you are unable to complete the assignment or need any assistance with it, please email me at
Question & Answer.....
