Splunk® Enterprise

Splunk Tutorial


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk Enterprise.

Welcome to the Splunk Tutorial!

Splunk is IT search software that indexes the data your infrastructure produces (logs, configuration files, metrics and other machine data) and makes it searchable from a web browser. You do not need to set up databases, connectors, custom parsers or schemas in advance: point Splunk at the data and it handles the indexing, parsing and search.

Use Splunk to:

  • Continually index all of your IT data in real time.
  • Automatically discover useful fields and patterns embedded in your data, so you don't have to identify them yourself.
  • Search your physical and virtual IT infrastructure for anything of interest and get results in seconds.
  • Save searches and tag useful information to make your system smarter.
  • Set up alerts to automate the monitoring of your system for specific recurring events.
  • Generate analytical reports with interactive charts, graphs, and tables, and share them with others.
  • Share saved searches and reports with fellow Splunk users, and distribute their results to team members and project stakeholders via email.
  • Proactively review your IT systems to head off server downtime and security incidents before they arise.
  • Design specialized, information-rich views and dashboards that fit the wide-ranging needs of your enterprise.

What's in this tutorial?

If you're new to Splunk, this tutorial will teach you what you need to know to start using Splunk, from a first-time download to creating rich, interactive dashboards. This tutorial includes a sample data set composed of web server and MySQL logs for a fictional online store. Follow the detailed instructions to add this data to your Splunk instance. Learn the different ways you can search the data, save reports, and create dashboards targeted to meet different business needs.

Using a PDF of the tutorial

Do not copy and paste searches or regular expressions directly from the PDF into Splunk Web. PDF formatting can introduce hidden characters (for example non-breaking spaces, zero-width characters, soft hyphens from line wrapping, or typographic quotes and dashes) into the pasted text, and a search containing them fails or returns the wrong results. Retype the search, or paste it into a plain-text editor and check it, before running it.
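The following is an added example, not part of the original tutorial, showing one way to check text copied from a PDF before pasting it into Splunk Web. It scans a string for anything that is not printable ASCII (the search language only needs ASCII) and replaces the artifacts PDF copy/paste commonly produces with their plain equivalents. The replacement table and the sample search are constructed for this example; Splunk itself provides no such check.

```python
"""Check text copied from a PDF for hidden characters before pasting it into Splunk Web.

Added example for this tutorial; the replacement table below is an assumption
about common PDF copy/paste artifacts, not a list published by Splunk.
"""
import unicodedata

# Characters that PDF copy/paste commonly injects, mapped to the plain-ASCII
# form the search language expects. An empty string means "drop the character".
REPLACEMENTS = {
    "\u00a0": " ",   # no-break space
    "\u2009": " ",   # thin space
    "\u200b": "",    # zero-width space
    "\u200c": "",    # zero-width non-joiner
    "\u200d": "",    # zero-width joiner
    "\u2060": "",    # word joiner
    "\ufeff": "",    # byte order mark
    "\u00ad": "",    # soft hyphen left over from PDF line wrapping
    "\u2018": "'",   # left single quotation mark
    "\u2019": "'",   # right single quotation mark
    "\u201c": '"',   # left double quotation mark
    "\u201d": '"',   # right double quotation mark
    "\u2013": "-",   # en dash
    "\u2014": "-",   # em dash
    "\u2212": "-",   # minus sign
}


def find_hidden_characters(text):
    """Return (offset, codepoint, Unicode name) for every character that is not
    printable ASCII. Tab and newline are allowed because multi-line searches are fine."""
    findings = []
    for offset, ch in enumerate(text):
        if ch in ("\t", "\n") or 0x20 <= ord(ch) <= 0x7E:
            continue
        name = unicodedata.name(ch, "<unnamed control character>")
        findings.append((offset, "U+%04X" % ord(ch), name))
    return findings


def clean_search(text):
    """Replace the known artifacts. Anything not in the table is left in place so
    that a second call to find_hidden_characters() still reports it."""
    return "".join(REPLACEMENTS.get(ch, ch) for ch in text)


# Constructed sample: a search as it might arrive after copying from a PDF, with a
# no-break space before the pipe, curly quotes around the rex pattern and a
# trailing zero-width space.
PASTED_SEARCH = (
    "sourcetype=access_combined\u00a0| rex \u201cstatus=(?<status>\\d+)\u201d\u200b"
)

if __name__ == "__main__":
    for offset, codepoint, name in find_hidden_characters(PASTED_SEARCH):
        print("offset %d: %s %s" % (offset, codepoint, name))
    cleaned = clean_search(PASTED_SEARCH)
    print(cleaned)
    # Anything still reported here has to be fixed by hand.
    print("remaining:", find_hidden_characters(cleaned))
```

Run it on the text you copied; if the cleaned search still shows findings, the character is something the table does not know about and must be retyped by hand.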


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Hi, Afroben, there's a brief installation topic in this tutorial that includes Linux instructions (http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/InstallSplunk). For more detail and other forms of Unix, take a look at the Installation Manual; for example http://docs.splunk.com/Documentation/Splunk/latest/Installation/InstallonSolaris.

Cgales splunk, Splunker
August 5, 2013

Hello Splunkers, can someone give me a step-by-step (commands) guide on how to install Splunk on a Unix system for the first time? I am a Windows guy and need to do some quick installations on some Unix systems. Thanks

July 31, 2013

Akshathapandu: This topic merely explains what you will find in this tutorial. Please continue reading for more detailed examples and procedures to start using Splunk.

Jem Jensen: Thanks for leaving a comment. Your instructions seem more relevant for Splunk administrators who need to set up distributed search. Forwarding and receiving are discussed in another manual, the Distributed Deployment Manual.

Additionally, you might be interested in the Search Language Quick Reference Card, http://docs.splunk.com/images/1/17/4.2.x_search_language_refcard.pdf

Sophy, Splunker
June 3, 2013

Please explain it with screenshots and examples.

May 27, 2013

===== RHEL Client ==========

    # Install the universal forwarder RPM (--nogpgcheck skips RPM signature verification)
    yum -y --nogpgcheck install splunkforwarder-5.0.2-149561.i386.rpm
    # sysstat provides the sar/iostat/vmstat commands the *nix app collects from
    yum -y install sysstat
    export PATH=$PATH:/opt/splunkforwarder/bin
    splunk start --accept-license --answer-yes --auto-ports --no-prompt
    # Send data to the indexer's receiving port
    splunk add forward-server example.com:9997
    # Poll the deployment server on its management port (default admin credentials)
    splunk set deploy-poll example.com:8089 -auth admin:changeme
    splunk enable boot-start
    # Change the default admin password
    splunk edit user admin -password tmp123 -auth admin:changeme
    splunk restart
    splunk display deploy-client
    # Wait up to 5 minutes for the app to download and the data to push back to the server

April 5, 2013

====== RHEL Server ==========

    # Edit the hosts files on both server and client, or ensure the FQDN resolves
    yum -y --nogpgcheck install splunk-5.0.2-149561.i386.rpm
    yum -y install sysstat   # for the *nix app
    export PATH=$PATH:/opt/splunk/bin
    splunk start --accept-license --answer-yes --auto-ports --no-prompt
    splunk enable boot-start

In Splunk Web (http://example.com:8000/):

    # Install the *nix app (unix.tar.gz)
    # Manager -> Forwarding and receiving -> Receive data -> Configure receiving -> New
    #   * Listen on this port: 9997

Edit /opt/splunk/etc/system/local/serverclass.conf:

    [global]
    stateOnClient = enabled
    blacklist.0 = *
    continueMatching = true

    [serverClass:forwarders]
    machineTypes = linux-i686,linux-x86_64

    [serverClass:forwarders:app:unix]
    restartSplunkd = true

Then publish the app through the deployment server:

    ln -s /opt/splunk/etc/apps/unix /opt/splunk/etc/deployment-apps/unix
    splunk restart
    splunk display deploy-server

April 5, 2013

As a newbie I left the tutorial as virginal as I was when I arrived. It would be helpful to see how it is used with specific cases laid out for us to step through. Then I could know what the product is for. As it is, I know it can index anything for any purpose. That is like telling me Superman has amazing powers. I still wouldn't know if I should reach out to him if I got stuck on a math problem in school. He could deflect bullets, but does he know algebra? A tutorial can also step us through a real-life problem that Splunk was used to solve, and we could then watch how it was done.

March 14, 2013
