Managing your Splunk Enterprise deployment
The information in this article will help you discover methods for deploying and administering Splunk Enterprise. The best practices indexed here are gathered from Splunk customers, partners and employees.
Monitoring system health
To help you monitor Splunk Enterprise deployment health, use this quick reference list that highlights how Splunk administrators can use the Monitoring Console to gain insight into system health, including indexing and search performance, OS resource usage, and license usage.
- Set up the Monitoring Console in multi-instance mode for a distributed Splunk Enterprise deployment, or in single-instance mode for a standalone instance. Review your data retention capacity and configure the Splunk platform to generate an alert when usage exceeds your license.
- Locate the Monitoring Console and get familiar with the dashboards and the information they show. From the Overview dashboard, check the CPU usage of your indexer(s). Is it in the green (0-59%), orange (60-79%), or red (80% or more) status range? Are there any triggered alerts? From the Topology view under Indexers, toggle to show the indexing rate per second.
- As a best practice, incorporate the monitoring console dashboards into a regular schedule of health maintenance checks. For example, you can monitor search efficiency on a weekly interval, and monitor overall deployment health every month. You can also configure the priority of the scheduled reports.
- Ensure you have healthy searches for optimal performance of your entire Splunk Cloud Platform environment. Check for skipped searches, review searches by user, and review long-running searches. Check for and resolve data quality issues, such as line or event breaking issues.
- Search Splunk Answers for answers, or ask a question of your own. If you're still not sure, contact Splunk support by submitting a case on the Splunk Support and Services portal! Don't forget to generate a diagnostic file to give Support insight into your configuration and performance history.
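As an added example, not code from this page or from Splunk, here is the kind of check the license alert in the first item above could be built on. It parses constructed lines in the shape of Splunk's license_usage.log `type=Usage` events, sums licensed bytes per pool against the pool quota (`poolsz`), and reports pools at or above a warning or critical percentage. The sample lines, byte counts, pool names and the 80% / 100% thresholds are assumptions of the example.

```python
"""Added example (not Splunk's own code): evaluate license_usage.log-style
events against each pool's quota and decide whether an alert should fire.
Constructed input; field names mirror Splunk's type=Usage events."""
import re
from collections import defaultdict

# Constructed sample in the shape of $SPLUNK_HOME/var/log/splunk/license_usage.log.
# Byte counts and pool names are invented for the example.
SAMPLE_LOG = """\
06-30-2024 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/app.log" st="app" h="web01" o="" idx="web" i="AAA111" pool="auto_generated_pool_enterprise" b=314572800 poolsz=1073741824
06-30-2024 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="udp:514" st="syslog" h="fw01" o="" idx="firewall" i="AAA111" pool="auto_generated_pool_enterprise" b=419430400 poolsz=1073741824
06-30-2024 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/app.log" st="app" h="web02" o="" idx="web" i="AAA111" pool="auto_generated_pool_enterprise" b=262144000 poolsz=1073741824
06-30-2024 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/dev.log" st="app" h="dev01" o="" idx="dev" i="AAA111" pool="dev_pool" b=52428800 poolsz=524288000
06-30-2024 00:00:02.000 +0000 INFO  LicenseUsage - type="RolloverSummary" i="AAA111" pool="dev_pool" b=0 poolsz=524288000
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_usage_events(log_text):
    """Return one dict per type=Usage event; other LicenseUsage event types are skipped."""
    events = []
    for line in log_text.splitlines():
        if "LicenseUsage" not in line:
            continue
        kv = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
        if kv.get("type") != "Usage":
            continue
        events.append({
            "pool": kv["pool"], "idx": kv["idx"], "st": kv["st"], "h": kv["h"],
            "b": int(kv["b"]), "poolsz": int(kv["poolsz"]),
        })
    return events


def pool_usage(events):
    """Sum licensed bytes per pool -> {pool: (used_bytes, quota_bytes)}."""
    used, quota = defaultdict(int), {}
    for e in events:
        used[e["pool"]] += e["b"]
        quota[e["pool"]] = e["poolsz"]
    return {pool: (used[pool], quota[pool]) for pool in used}


def top_contributors(events, pool, n=3):
    """Largest (index, sourcetype) pairs in a pool, to show what drives usage."""
    by_pair = defaultdict(int)
    for e in events:
        if e["pool"] == pool:
            by_pair[(e["idx"], e["st"])] += e["b"]
    return sorted(by_pair.items(), key=lambda item: item[1], reverse=True)[:n]


def license_alerts(events, warn_pct=80.0, critical_pct=100.0):
    """Return [(pool, pct_used, level)] for every pool at or above warn_pct."""
    alerts = []
    for pool, (used, quota) in sorted(pool_usage(events).items()):
        pct = 100.0 * used / quota
        if pct >= critical_pct:
            alerts.append((pool, round(pct, 1), "critical"))
        elif pct >= warn_pct:
            alerts.append((pool, round(pct, 1), "warning"))
    return alerts


if __name__ == "__main__":
    evts = parse_usage_events(SAMPLE_LOG)
    for pool, pct, level in license_alerts(evts):
        print(f"{level.upper()}: pool {pool} at {pct}% of quota")
        for (idx, st), nbytes in top_contributors(evts, pool):
            print(f"  {idx}/{st}: {nbytes / 2**20:.0f} MiB")
```

In a live deployment the same aggregation is normally a scheduled search over `index=_internal source=*license_usage.log type=Usage` with an alert condition on the percentage; the script only makes the arithmetic and the per-index breakdown explicit so the threshold you pick is a deliberate choice rather than a dashboard colour.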
Configure your Splunk Enterprise deployment to use Splunk Assist
Splunk Assist will reach end of sale on September 10, 2024. No new activations will be available after that date. Splunk Assist will reach end of life on January 30, 2025. At that time, the app will be shut down and the cloud connection disabled.
Splunk Assist comes as a part of the Monitoring Console and provides you with a single place to monitor your deployment and see recommendations to improve your security posture. It keeps track of all security vulnerabilities, helping identify unpatched applications, expiring TLS certificates, and insecure configuration settings. Splunk Assist comes with three helper packages:
- App Assist: Monitors the apps in your deployment to ensure they are up-to-date and secure.
- Certificate Assist: Identifies certificate expiry issues and provides suggested actions to mitigate certificate expiries according to Splunk security best practice.
- Config Assist: Monitors the configurations in your deployment and provides insights about those configurations according to Splunk best practices.
Managing configurations
This reference list highlights how customers can best manage configurations in Splunk Enterprise. Splunk Enterprise has about 50 configuration files that define and manage everything from alerts to workflow actions, including tags, custom time ranges, REST endpoints, indexing properties, and data inputs.
- Get familiar with the configuration files, and learn when you must restart the Splunk platform for a direct .conf edit to take effect.
- Find an especially important source type and resolve data quality issues to make sure it's set up for success.
- Use btool to troubleshoot configurations. btool is a command line tool that helps you troubleshoot configuration file issues and shows which values your Splunk Enterprise installation is actually using.
- Review the timestamps in your data. Configure timestamp recognition so that Splunk Enterprise doesn't waste time trying to figure out the right date-time stamp to use.
- Define and tune event breaks. You almost certainly have some multi-line events. Figuring out what's multi-line can be taxing on the indexers. Set the segmentation for event data to optimize your source types with what you've learned about .conf files.
- Create a source type using .conf files.
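The timestamp, event-breaking and source-type items above all come together in one props.conf stanza. The following is an added example, not code from this page or from Splunk: a constructed props.conf fragment with one tuned source type (`app_json`) next to one left at defaults (`legacy_app`), a checker that flags stanzas missing the settings that keep the indexer from guessing, and a small emulation of what `LINE_BREAKER`, `TIME_PREFIX`, `TIME_FORMAT` and `MAX_TIMESTAMP_LOOKAHEAD` do to a constructed two-event chunk. The stanza names, the sample events and the mapping of Splunk's `%3N` to Python's `%f` are assumptions of the example; the emulation approximates indexer behaviour and is no substitute for `splunk btool props list <sourcetype> --debug` against a real installation.

```python
"""Added example (not Splunk's own code): a tuned props.conf source type
next to an untuned one, a checker for the settings that stop the indexer
guessing, and a small emulation of LINE_BREAKER / TIME_PREFIX behaviour."""
import configparser
import re
from datetime import datetime

# Constructed props.conf fragment. Setting names are real props.conf
# attributes; [app_json] is explicit, [legacy_app] leaves everything to
# auto-detection.
PROPS_CONF = r"""
[app_json]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\{)
TIME_PREFIX = "ts":"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 10000

[legacy_app]
KV_MODE = auto
"""

# Constructed raw chunk: two JSON events, the second containing an
# embedded newline that must NOT start a new event.
SAMPLE_RAW = (
    '{"ts":"2024-06-30T00:00:01.000+0000","msg":"login ok"}\n'
    '{"ts":"2024-06-30T00:00:02.000+0000","msg":"stack trace\n  at main"}\n'
)

# Settings that should be explicit so the indexer never has to guess.
REQUIRED = {
    "SHOULD_LINEMERGE": "line merging left to heuristics",
    "LINE_BREAKER": "event boundary not defined",
    "TIME_PREFIX": "timestamp location not defined",
    "TIME_FORMAT": "timestamp format not defined",
    "MAX_TIMESTAMP_LOOKAHEAD": "timestamp scan window not bounded",
}


def load_conf(text):
    """Parse a Splunk .conf fragment; keys are case-sensitive and '%' is literal."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_sourcetype(cp, stanza):
    """Return [(setting, reason)] findings for one source type stanza."""
    s = cp[stanza]
    findings = [(key, why) for key, why in REQUIRED.items() if key not in s]
    if "SHOULD_LINEMERGE" in s and s["SHOULD_LINEMERGE"].strip().lower() != "false":
        findings.append(("SHOULD_LINEMERGE", "true: indexer merges lines heuristically"))
    if "LINE_BREAKER" in s:
        try:
            if re.compile(s["LINE_BREAKER"]).groups < 1:
                findings.append(("LINE_BREAKER", "needs a capturing group for the separator"))
        except re.error as exc:
            findings.append(("LINE_BREAKER", f"invalid regex: {exc}"))
    return findings


def break_events(line_breaker, raw):
    """Emulate LINE_BREAKER: split on the regex and drop the first capture group."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.strip() for e in events if e.strip()]


def extract_timestamp(settings, event):
    """Emulate TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD for one event.
    Splunk's %3N (milliseconds) is mapped to Python's %f for this example."""
    m = re.search(settings["TIME_PREFIX"], event)
    if not m:
        return None
    window = event[m.end(): m.end() + int(settings["MAX_TIMESTAMP_LOOKAHEAD"])]
    fmt = settings["TIME_FORMAT"].replace("%3N", "%f")
    # strptime needs an exact match, so try the longest candidate first
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    conf = load_conf(PROPS_CONF)
    for st in conf.sections():
        print(st, check_sourcetype(conf, st) or "ok")
    for ev in break_events(conf["app_json"]["LINE_BREAKER"], SAMPLE_RAW):
        print(extract_timestamp(conf["app_json"], ev), ev[:40])
```

Point `load_conf` at the merged output of btool rather than a single file when auditing a real deployment, because the effective stanza is the layered result of every app's props.conf, and a setting missing in one file may be supplied by another.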
Onboarding new users
This reference list highlights how customers can best start onboarding new users in Splunk Enterprise.
- Head on over to Splunk Education to find all the training you need.
- Make your role-based access control more granular by organizing user access requirements into functional categories, such as data access or search restrictions.
- Build user group workspaces for a specific role or user group to enable users to search, explore, and create without distractions from other teams and users.
- Set up knowledge management practices now to avoid costly misinterpretation of your data later. Get started with “What is Splunk knowledge?”
- Define a knowledge manager role. This person can create guidelines to manage knowledge objects, normalize event data, and create data models for Pivot users.
- Review your company's requirements. Identify who needs access to which data sets, if there are any that should be private, such as data with PII, and so on. You can add and edit roles with Splunk Enterprise based upon requirements.
- Map LDAP groups to Splunk roles. Splunk Enterprise users can work with the repository administrator to set up user authentication with LDAP and configure Single Sign-On with reverse proxy.
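Added example, not code from this page or from Splunk, covering the two items above on private data sets and LDAP group mapping: constructed authorize.conf and authentication.conf fragments, and a small audit that resolves each role's effective search indexes through `importRoles`, applies the authorize.conf wildcard rule, and lists the LDAP groups whose members end up able to search a sensitive index (`pii` here). Role names, the `corpLDAP` strategy name and the group DNs are invented; the `[corpLDAP]` connection stanza is omitted because the audit only needs the `roleMap_<strategy>` stanza.

```python
"""Added example (not Splunk's own code): find which LDAP groups end up
able to search a sensitive index, by resolving authorize.conf role
inheritance and the authentication.conf roleMap_<strategy> stanza."""
import configparser

# Constructed fragments. Stanza and setting names follow the real
# authorize.conf and authentication.conf layout; role names and group
# DNs are invented. The [corpLDAP] server/bind stanza is left out.
AUTHORIZE_CONF = """\
[role_analyst]
srchIndexesAllowed = main;web
srchIndexesDefault = main

[role_privacy_officer]
importRoles = analyst
srchIndexesAllowed = pii

[role_power_user]
importRoles = analyst
srchIndexesAllowed = *
"""

AUTHENTICATION_CONF = """\
[authentication]
authType = LDAP
authSettings = corpLDAP

[roleMap_corpLDAP]
analyst = CN=SOC Analysts,OU=Groups,DC=example,DC=com
privacy_officer = CN=Privacy,OU=Groups,DC=example,DC=com
power_user = CN=Platform Team,OU=Groups,DC=example,DC=com;CN=SRE,OU=Groups,DC=example,DC=com
"""


def load_conf(text):
    """Parse a Splunk .conf fragment with case-sensitive keys and no interpolation."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def split_list(value):
    """Splunk separates list values with ';'."""
    return [v.strip() for v in value.split(";") if v.strip()]


def effective_indexes(authz, role, seen=None):
    """Union of srchIndexesAllowed over a role and everything it imports (cycle-safe)."""
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    name = f"role_{role}"
    stanza = authz[name] if authz.has_section(name) else {}
    allowed = set(split_list(stanza.get("srchIndexesAllowed", "")))
    for parent in split_list(stanza.get("importRoles", "")):
        allowed |= effective_indexes(authz, parent, seen)
    return allowed


def index_matches(pattern, index):
    """authorize.conf wildcard rule: '*' covers non-internal indexes only;
    internal ones (leading underscore) need '_*' or an explicit name."""
    if pattern == index:
        return True
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        if prefix == "" and index.startswith("_"):
            return False
        return index.startswith(prefix)
    return False


def groups_with_access(authz, authn, strategy, index):
    """Return {role: [group DNs]} for each mapped role that can search `index`."""
    result = {}
    for role, dns in authn[f"roleMap_{strategy}"].items():
        if any(index_matches(p, index) for p in effective_indexes(authz, role)):
            result[role] = split_list(dns)
    return result


if __name__ == "__main__":
    authz = load_conf(AUTHORIZE_CONF)
    authn = load_conf(AUTHENTICATION_CONF)
    for role, groups in groups_with_access(authz, authn, "corpLDAP", "pii").items():
        print(f"{role} can search pii via: {', '.join(groups)}")
```

The point the audit makes is that `power_user` never names `pii` yet reaches it through `srchIndexesAllowed = *`, so a review of who can see private data has to look at wildcards and inherited roles, not only at the stanzas that mention the index.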
Using add-ons and apps
This reference list highlights how customers can best start using apps and add-ons in Splunk Enterprise. Apps are collections of knowledge objects that address specific use cases. You access them from the Home page or the Apps menu. A Splunk app can include elements such as a custom UI with dashboards, reports, and custom search commands. Add-ons are a type of app that provides specific capabilities to other apps, such as getting data in, mapping data, or providing saved searches and macros for use by one or more apps. Add-ons do not contain a full UI, and often provide some custom configurations or data inputs.
- Listen to Splunk experts give a Tech Talk that explains how to navigate Splunkbase to find valuable apps.
- Deploy an add-on and an app from Splunkbase. Instructions for how to deploy and install the app come with it at download time, or you can refer to the general instructions on how to install Splunk add-ons.
- Contact Splunk Support if the app you want is not listed or if self-service app installation is not supported.
- Discover the knowledge objects in the apps you downloaded. Go to the dashboards tab to view the dashboard knowledge objects.
- Check out the Apps & Add-ons section in our community.