New to Splunk
If this is the first time you have used Splunk Enterprise, read on. This topic introduces the most important concepts you need to understand when installing and using Splunk apps.
Splunk Enterprise and Splunk apps work together
The key points to come away with are:
- All Splunk apps run on the Splunk Enterprise platform.
- Understanding how Splunk Enterprise works will greatly help you understand how Splunk apps work.
- Installing and configuring the app is only part of the experience. You might need to prepare Splunk Enterprise before you install your app.
- Careful planning helps achieve a successful app deployment.
Splunk Enterprise basics
Splunk Enterprise is a software platform that accepts data from many different sources, such as files or network streams, and stores its own copy of that data in an index. Once the data is indexed, you can connect to Splunk Enterprise with your web browser, run searches across it, and build reports or graphs from the results without leaving the browser.
You can extend Splunk Enterprise capability by installing apps. Splunk apps come with searches, reports, and graphs about specific products that are common to most IT departments. These searches, reports, and graphs reduce the amount of time it takes to glean real value from installing and running the Splunk Enterprise platform.
Before you can understand how Splunk apps work, you should understand how Splunk Enterprise works.
If you are new to Splunk Enterprise, the best place to learn more about it is the Search Tutorial. It explains what Splunk Enterprise is and does, what you need to run it, and walks you step by step through setting it up, getting data into it, searching with it, and saving and sharing reports and dashboards.
Licensing
The next thing you want to learn about is the Splunk Enterprise licensing model. Splunk Enterprise charges you based on the amount of data you index. The licensing introduction from the Admin Manual is a great place to start learning about how licenses work. You can also find out the types of licenses that are available, how to install, remove, and manage them, and what happens when you go over your license quota.
In the context of Splunk apps, the amount of licensing capacity you need depends on how each app defines the individual data inputs that it uses. Splunk apps use inputs to tell Splunk Enterprise what data it needs to collect for the app. Some apps, such as the Splunk App for Enterprise Security, collect a lot of data, which your license must cover for you to search that data without interruption. Because the license meters indexed volume, you can measure what an app's inputs actually consume by searching the license usage log in the _internal index, which records volume per index and source type, before you size the license. When you plan for your app, make sure you include enough licensing capacity.
Configuration
Much of what makes Splunk Enterprise extensible is its configurability. You must configure Splunk Enterprise before it can collect data and extract knowledge. All Splunk apps use configuration files to determine how to collect, transform, display, and alert on data. The Admin Manual shows you how to configure those files and includes a reference topic for each configuration file that Splunk Enterprise uses. In some cases, you can also use Splunk Web or the CLI to change a Splunk app's configuration.
Splunk Enterprise also uses configuration files to configure itself. When Splunk Enterprise starts, it reads the configuration files under its etc directory ($SPLUNK_HOME/etc) and merges them, stanza by stanza and setting by setting, into a single effective configuration that it then runs with. When you install a Splunk app, the same file can exist in several places at once (the platform's system directories and the app's own default and local directories), so Splunk Enterprise must decide which copy of each setting wins. This is where configuration file precedence comes in.
It is important to understand how precedence works. In the global context, which covers inputs, indexes and other settings read at startup, a setting in etc/system/local outranks the same setting in an app's local directory, which outranks the app's default directory, which outranks etc/system/default. An app's shipped defaults therefore take priority over the platform's own defaults, so installing an app can silently change a setting you did not intend to change, such as the index or source type assigned to an input, which can lead to undesired results in data collection. The btool CLI command lists every effective setting together with the file it came from, which is the quickest way to confirm what an app has changed. Be sure to read the previously mentioned topic thoroughly for details.
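The following added example models the precedence rules described above for the global context; it is not Splunk code and does not read a real installation. The four file layers, the app name my_vendor_app and the inputs.conf contents are constructed for illustration. It merges attribute by attribute, records which file supplied each winning value, and reports every setting that an app layer changed away from the platform default (ordering between several installed apps is not modelled):

```python
"""Model of how Splunk Enterprise layers .conf files in the global context.

Added example, not Splunk's own code. Precedence from lowest to highest:
system/default < apps/<app>/default < apps/<app>/local < system/local.
Merging happens per attribute within a stanza, so one app-supplied value
can override a single setting while the rest of the stanza survives.
"""

# Constructed sample files, keyed by their path under $SPLUNK_HOME/etc.
CONF_FILES = {
    "system/default/inputs.conf": """
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os
""",
    # Shipped inside the (hypothetical) app: outranks system/default.
    "apps/my_vendor_app/default/inputs.conf": """
[monitor:///var/log/secure]
sourcetype = vendor:auth
index = vendor

[monitor:///var/log/vendor/agent.log]
sourcetype = vendor:agent
index = vendor
""",
    # Admin edits made inside the app's local directory.
    "apps/my_vendor_app/local/inputs.conf": """
[monitor:///var/log/vendor/agent.log]
index = vendor_prod
""",
    # Admin edits in system/local: highest precedence in the global context.
    "system/local/inputs.conf": """
[monitor:///var/log/secure]
index = os
""",
}


def parse_conf(text):
    """Parse Splunk's [stanza] / key = value format into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def layer_order(app, conf_name):
    """File paths for one conf file, lowest precedence first (global context)."""
    return [
        f"system/default/{conf_name}",
        f"apps/{app}/default/{conf_name}",
        f"apps/{app}/local/{conf_name}",
        f"system/local/{conf_name}",
    ]


def merge_conf(files, app, conf_name):
    """Merge the layers; each later layer overrides per attribute.

    Returns (merged config, origin map of (stanza, key) -> winning file).
    """
    merged, origin = {}, {}
    for path in layer_order(app, conf_name):
        if path not in files:
            continue
        for stanza, attrs in parse_conf(files[path]).items():
            target = merged.setdefault(stanza, {})
            for key, value in attrs.items():
                target[key] = value
                origin[(stanza, key)] = path
    return merged, origin


def overridden_settings(files, app, conf_name):
    """List platform-default settings whose effective value now comes from the app."""
    system_default = parse_conf(files.get(f"system/default/{conf_name}", ""))
    _, origin = merge_conf(files, app, conf_name)
    return sorted(
        (stanza, key, path)
        for (stanza, key), path in origin.items()
        if stanza in system_default
        and key in system_default[stanza]
        and path.startswith("apps/")
    )


if __name__ == "__main__":
    merged, origin = merge_conf(CONF_FILES, "my_vendor_app", "inputs.conf")
    for stanza, attrs in merged.items():
        print(f"[{stanza}]")
        for key, value in attrs.items():
            print(f"  {key} = {value}    # from {origin[(stanza, key)]}")
    for stanza, key, path in overridden_settings(CONF_FILES, "my_vendor_app", "inputs.conf"):
        print(f"WARNING: {stanza} / {key} is now set by {path}")
```

In the sample, the admin's system/local restores the index for /var/log/secure, but the app's shipped default has quietly changed that input's source type to vendor:auth, and nothing in the admin's own files touches it. On a real instance the equivalent check is `splunk btool inputs list --debug`, which prints each effective setting prefixed with the path of the file that supplied it; run it after installing any app and diff the result against the pre-install output.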
Splunk Enterprise Search
Splunk Enterprise lets you look through all the data it indexes and create dashboards, reports, and even alerts. All Splunk apps rely on Splunk Enterprise search. See the overview on search in the Search Manual to learn how powerful the search engine is. The Tutorial is also a good place to learn about Splunk Enterprise search.
You should also have an understanding of the Splunk search language. Splunk apps use the search language extensively to put together search results and knowledge objects which drive their dashboards, reports, charts, and tables.
Finally, familiarize yourself with the search commands in the Search Reference. That manual describes the commands that both Splunk Enterprise and your Splunk app can use.
Sources and source types
Splunk Enterprise indexes data from a source, the entity that provides the data, for example a Windows event log or a *nix syslog file. It tags each event with a source field (typically the file path or network port the data arrived on) as it indexes it. The source type identifies the kind of data, so that Splunk Enterprise knows how to break it into events, extract timestamps, and parse fields as it comes in. It is also a way to categorize data, because you can search for all data of a given source type.
Splunk apps use sources and source types to extract knowledge from the data they index. Many views in an application depend on searches with specific sources and source types defined in them. Splunk apps sometimes use the source types that come with Splunk, and sometimes they define their own.
Capacity planning and distributed Splunk
Another important factor to consider when using a Splunk app: Do you have enough hardware to realistically support a deployment for the Splunk app you're using? Read our capacity planning documentation for a head-start on ensuring you have the machinery in place to run your Splunk app deployment at peak performance.
Learning about capacity planning is a good time to introduce another concept you should be familiar with: distributed search. Nearly every Splunk app can use distributed search, and many were developed with distributed search in mind. This means that you work with multiple Splunk instances at once, each playing a specific role, to use the app to its full potential. Initially, you add indexers to increase indexing performance, then you add search heads to increase search performance. The Distributed Deployment Manual provides details on how to add more Splunk instances to keep up with your app's performance demands.
What's next?
From this point, you are ready to plan your app deployment. Continue reading for information about how this app fits into the Splunk picture, platform and hardware requirements, and other deployment considerations.
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0, 1.0.1, 1.0.2, 1.0.3, 2.0, 3.0, 3.0.1, 3.0.2, 3.1