Low Orbit Flux Logo 2 F

Splunk

Even if you don’t use it you have probably at least seen adds for Splunk. I remember back when it was relatively new. I know of its existence mainly because the adds were everywhere. You couldn’t visit a technical site without seeing an add for Splunk. This wasn’t too long before I was responsible for running a POC on our servers.

These days everybody knows about Splunk although not everybody has a full understanding of what it does.

What is Splunk

In short, Splunk is a log collection system. It does a whole lot more than that though. The main goal was to solve the problem of having logs spread across multiple different systems with no good way to correlate events from different systems. Basically, Splunk collects logs from any number of different sources and ingests them into a centralized system. The logs can then be searched allowing for the correlation of events across different systems. It also features a powerful but easy to use search language for creating custom queries. This allows you to search for anything you want and manipulate the results in all sorts of ways.

Typically data would be gathered from an agent running on a server. This would be configured to forward logs to a centralized server. Data can be taken from a large number of different source types.

Learn Splunk

Install Splunk Enterprise

Find our guide covering how to setup Splunk Enterprise here:

Splunk Universal Forwarder Install and Setup

We also cover setting up the Universal Forwarder here:

Splunk Create Index

Splunk Minimum Free Disk Space

If you see a message like this:

The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch.

You have a few options:

You can decrease the threshold like this:

sudo vi $SPLUNK_HOME/etc/system/local/server.conf


[diskUsage]
minFreeSpace = 50
pollingFrequency = 100000
pollingTimerFrequency = 10