New to Splunk Enterprise?
This topic introduces the most important Splunk Enterprise concepts to understand for installing and using Splunk apps.
Splunk Enterprise and Splunk apps work together
The key points to understand are:
- All Splunk apps run on the Splunk Enterprise platform.
- Understanding how Splunk Enterprise works helps you understand how Splunk apps work.
- Depending on your requirements, you might need to prepare your Splunk Enterprise deployment before you install the app.
- Careful planning can help you achieve a successful app deployment.
Splunk Enterprise basics
Splunk Enterprise is a software program that accepts data from many different sources, such as files or network streams. Splunk Enterprise stores a unique copy of this data in a Splunk Enterprise index. Once your data is there, you can connect to Splunk Enterprise with your web browser and run searches across that data. You can even make reports or graphs of the data, right inside your browser.
Splunk apps can help you extend the capabilities of Splunk Enterprise. Splunk apps include searches, reports, and graphs for products that are common to most IT departments. The capabilities that Splunk apps provide can significantly reduce the time required to get value from your Splunk Enterprise deployment.
Before you can really understand how Splunk apps work, you should understand how Splunk Enterprise works.
If you're new to Splunk Enterprise, then the best place to learn more about it is in the Search Tutorial. It helps you learn what Splunk Enterprise is and what it does, as well as what you need to run it and get step-by-step walk-throughs on how to set it up, get data into it, search with it, and create reports and dashboards on it.
The next thing you want to learn about is the licensing model of Splunk Enterprise. Splunk charges you based on the amount of data you index. The licensing introduction from the Admin Manual is a great place to start learning about how licenses work. You can also find out the types of licenses that are available, how to install, remove, and manage them, and what happens when you go over your license quota.
In the context of Splunk apps, the amount of licensing capacity you need depends on how each app defines the individual data inputs that it uses. Splunk apps use inputs to tell Splunk what data it needs to collect for the app's purpose. Some apps, such as the Splunk App for Enterprise Security, collect a lot of data, which your license must cover in order for you to be able to search that data without interruption. When planning for your app, make sure you include enough licensing capacity.
Much of the extensibility of Splunk Enterprise is in how configurable it is. You must configure Splunk Enterprise before it can collect data and extract knowledge. All Splunk apps use configuration files to determine how to collect, transform, display, and provide alerts for data. The Admin Manual shows you how to configure those files and includes a reference topic for each configuration file that Splunk uses. In some cases, you can also use Splunk Web or the CLI to make changes to a Splunk app's configuration.
Splunk Enterprise also uses configuration files to configure itself. When Splunk Enterprise initializes, it finds all of the configuration files located in the Splunk Enterprise directory and merges them to build a final "master" configuration, which it then runs on. When you install a Splunk app on a Splunk Enterprise instance, Splunk Enterprise must determine which configuration files to use if it encounters a conflict. This is where configuration file precedence comes in.
It's important to understand how precedence works. In many cases, if there is a configuration file conflict, Splunk Enterprise gives priority to an app's configuration file. In some situations, installing an app might inadvertently override a setting in a configuration file in the core platform, which might lead to undesired results in data collection. Be sure to read the previously mentioned topic thoroughly for details.
Splunk Enterprise search
Splunk Enterprise provides the ability to look through all the data it indexes and create dashboards, reports, and even alerts. All Splunk apps rely on Splunk Enterprise search, so it's a good idea to read the overview on search in the Search Manual to learn how powerful the search engine is (the Tutorial is also a good place to learn about Splunk Enterprise search.)
You should also have an understanding of the search language of Splunk Enterprise. Splunk apps use the search language extensively to put together search results and knowledge objects which drive their dashboards, reports, charts, and tables.
Finally, it's a good idea to familiarize yourself with the search commands in the Search Reference. That manual describes the commands that both Splunk Enterprise and your Splunk app can use.
Sources and source types
When Splunk Enterprise indexes data, it does so from a source, which is an entity that provides data for Splunk Enterprise to extract, for example, Windows event logs, or *nix syslogs. Splunk Enterprise tags incoming data with a "source" field as it gets indexed. The source type is an indicator for the type of data, so that Splunk Enterprise knows how to properly format and extract the data as it comes in. Source types are also a way to categorize data, because you can use Splunk search to display all data of a certain source type.
Splunk apps use sources and source types to extract knowledge from the data they index. Many views in an application depend on searches with specific sources and source types defined in them. Splunk apps sometimes use the source types that come with Splunk Enterprise, and sometimes they define their own.
Capacity planning and distributed Splunk Enterprise
Another important factor to consider when using a Splunk app: Do you have enough hardware to realistically support a deployment for the Splunk app you're using? Read our capacity planning documentation for a head-start on ensuring you have the machinery in place to run your Splunk app deployment at peak performance.
Learning about capacity planning is a perfect time to introduce another concept with which you should be familiar: distributed search. Nearly every Splunk app available can use distributed search, and many were developed with distributed search in mind. What this means is that you must working with multiple Splunk Enterprise instances at once - with each instance playing a specific role - to use the app to its full potential. Initially, you add indexers to increase indexing performance, then you add search heads to increase search performance. The Distributed Deployment Manual provides details on how to add more Splunk Enterprise instances to keep up with your app's performance demands.
From this point, you are ready to plan your app deployment. Continue reading for information about how to install and use the Splunk MINT App.
About the Splunk MINT App
Learn more and get help
This documentation applies to the following versions of Splunk MINT™ App: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.2.1, 3.0.0, 3.0.1