Implementing Splunk: Big Data Reporting and Development for Operational Intelligence

  1. Implementing Splunk: Big Data Reporting and Development for Operational Intelligence
    1. Table of Contents
    2. Implementing Splunk: Big Data Reporting and Development for Operational Intelligence
    3. Credits
    4. About the Author
    5. About the Reviewers
      1. Support files, eBooks, discount offers and more
    7. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
    8. 1. The Splunk Interface
      1. Logging in to Splunk
      2. The Home app
      3. The top bar
      4. Search app
      5. Using the time picker
      6. Using the field picker
      7. Using Manager
      8. Summary
    9. 2. Understanding Search
      1. Using search terms effectively
      2. Boolean and grouping operators
      3. Clicking to modify your search
      4. Using fields to search
      5. Using wildcards efficiently
      6. All about time
      7. Making searches faster
      8. Sharing results with others
      9. Saving searches for reuse
      10. Creating alerts from searches
      11. Summary
    10. 3. Tables, Charts, and Fields
      1. About the pipe symbol
      2. Using top to show common field values
      3. Using stats to aggregate values
      4. Using chart to turn data
      5. Using timechart to show values over time
      6. Working with fields
      7. Summary
    11. 4. Simple XML Dashboards
      1. The purpose of dashboards
      2. Using wizards to build dashboards
      3. Scheduling the generation of dashboards
      4. Editing the XML directly
      5. UI Examples app
      6. Building forms
      7. Summary
    12. 5. Advanced Search Examples
      1. Using subsearches to find loosely related events
      2. Using transaction
      3. Determining concurrency
      4. Calculating events per slice of time
      5. Rebuilding top
      6. Summary
    13. 6. Extending Search
      1. Using tags to simplify search
      2. Using event types to categorize results
      3. Using lookups to enrich data
      4. Using macros to reuse logic
      5. Creating workflow actions
      6. Using external commands
      7. Summary
    14. 7. Working with Apps
      1. Defining an app
      2. Included apps
      3. Installing apps
      4. Building your first app
      5. Editing navigation
      6. Customizing the appearance of your app
      7. Object permissions
      8. App directory structure
      9. Adding your app to Splunkbase
      10. Summary
    15. 8. Building Advanced Dashboards
      1. Reasons for working with advanced XML
      2. Reasons for not working with advanced XML
      3. Development process
      4. Advanced XML structure
      5. Converting simple XML to advanced XML
      6. Module logic flow
      7. Understanding layoutPanel
      8. Reusing a query
      9. Using intentions
      10. Creating a custom drilldown
      11. Third-party add-ons
      12. Summary
    16. 9. Summary Indexes and CSV Files
      1. Understanding summary indexes
      2. When to use a summary index
      3. When to not use a summary index
      4. Populating summary indexes with saved searches
      5. Using summary index events in a query
      6. Using sistats, sitop, and sitimechart
      7. How latency affects summary queries
      8. How and when to backfill summary data
      9. Reducing summary index size
      10. Calculating top for a large time frame
      11. Storing raw events in a summary index
      12. Using CSV files to store transient data
      13. Summary
    17. 10. Configuring Splunk
      1. Locating Splunk configuration files
      2. The structure of a Splunk configuration file
      3. Configuration merging logic
      4. An overview of Splunk .conf files
      5. User interface resources
      6. Summary
    18. 11. Advanced Deployments
      1. Planning your installation
      2. Splunk instance types
      3. Common data sources
      4. Sizing indexers
      5. Planning redundancy
      6. Working with multiple indexes
      7. Deploying the Splunk binary
      8. Using apps to organize configuration
      9. Configuration distribution
      10. Using LDAP for authentication
      11. Using Single Sign On
      12. Load balancers and Splunk
      13. Multiple search heads
      14. Summary
    19. 12. Extending Splunk
      1. Writing a scripted input to gather data
      2. Using Splunk from the command line
      3. Querying Splunk via REST
      4. Writing commands
      5. Writing a scripted lookup to enrich data
      6. Writing an event renderer
      7. Writing a scripted alert action to process results
      8. Summary
    20. Index

An overview of Splunk .conf files

If you have spent any time in the filesystem investigating Splunk, you have seen many different files ending in .conf. In this section, we will give a quick overview of the most common .conf files. The official documentation is the best place to look for a complete reference of files and attributes.


The quickest way to find the official documentation is with your favorite search engine by searching for splunk filename.conf. For example, a search for splunk props.conf pulls up the Splunk documentation for props.conf first in every search engine I tested.


The stanzas in props.conf define which events to match based on host, source, and sourcetype. These stanzas are merged into the master configuration ...
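As an added illustration of the three stanza types just described (this is example configuration written for this page, not taken from the book), the props.conf fragment below shows one stanza keyed on sourcetype, one on source path, and one on host. The sourcetype name linux_secure, the path /var/log/secure*, the host pattern bastion-* and the extraction regex are all constructed for the example; the attribute names are standard props.conf settings.

```ini
# props.conf (added example, not from the book). Stanza names and values are
# constructed for illustration; attribute names are real props.conf settings.

# Keyed on sourcetype: applies to every event indexed with this sourcetype.
[linux_secure]
SHOULD_LINEMERGE = false
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 15
# Search-time field extraction; named capture groups become fields such as
# auth_result, user and src_ip for sshd "Accepted"/"Failed" lines.
EXTRACT-ssh_auth = sshd\[\d+\]: (?<auth_result>Accepted|Failed) (?<auth_method>\S+) for (?<user>\S+) from (?<src_ip>\S+)

# Keyed on source: matches events by the file they were read from, and here
# assigns them the sourcetype above so its settings apply.
[source::/var/log/secure*]
sourcetype = linux_secure

# Keyed on host: matches events by originating host name; wildcards are allowed.
[host::bastion-*]
TZ = UTC
```

Because stanzas from every props.conf on the instance are merged as the chapter goes on to explain, the file you edit is not necessarily the whole story; running splunk btool props list --debug prints the merged result together with the file each attribute came from, which is the quickest way to confirm that an extraction or timestamp setting is actually in effect. Note also that the example regex captures the word "invalid" as the user for sshd's "Failed password for invalid user ..." lines, so a production extraction would need a second pattern for that form.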