Things I Wished I Knew Before Installing Splunk (Part 2)

Like most things we do for the first time in life, we are bound to make some mistakes. This blog series is here to help you learn from our past mistakes so that your Splunk installation goes as smoothly as possible. Below are a few tips to help you with your first Splunk deployment.

5 More Tips for Installing Splunk Right the First Time:

  • If receiving syslog data, use an intermediary instance of syslog-ng to prevent data loss during Splunk instance restarts. It is inevitable you will need to restart your Splunk nodes from time to time. If those nodes receive syslog directly on a network input, every event sent during a restart is lost. Utilizing an intermediary that spools to disk greatly reduces the impact.
  • Make changes to your .conf files via a full editor and copy them to the instance via WinSCP or another transfer tool. While vi and nano are great tools, it can be somewhat cumbersome to edit a multi-line .conf file within a command-line editor. Utilizing a tool such as Notepad++ makes the process much easier and will allow you to save a copy locally for easy editing later.
  • Write your regular expressions manually rather than utilizing the built-in expression generator for more reliable extractions. While the built-in tool is valuable, it isn’t as reliable as a manually written regular expression. Further regular expression training can be found for free here: http://www.regular-expressions.info/tutorial.html
  • Don’t write lazy searches. It’s easy to think of Splunk as Google for logs, and in a lot of ways that is true. However, you never simply want to type in “failure” and hit search. Always specify as much information as possible when crafting your search. These should include index, sourcetype, host, IP, etc. The time it takes to craft a fine tuned search far outweighs the time you’d spend on the backend of a poorly crafted one.
  • Utilize a dedicated Deployment Server and license master for multi-node instances. This ensures you get the same configuration each and every time without the need to install from scratch.
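The configuration below ties the first, third and fifth tips together as one added example; it is not configuration from the original post. It shows a syslog-ng collector spooling events to disk, the forwarder inputs.conf that monitors that spool, a hand-written search-time extraction in props.conf, and the deployment server stanzas that push the inputs app to every collector. The app name `syslog_inputs`, the `network` index, the host names ending in `.example.invalid`, the `syslog-*` client naming and the sample sshd event are all assumptions made for the example.

```conf
# --- syslog-ng.conf on the intermediary collector (constructed example) ---
# Accept syslog on UDP and TCP 514 and spool it to disk, one directory per
# sending host. The files survive a Splunk restart, so no events are lost.
source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

destination d_spool {
    file("/var/log/remote/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create-dirs(yes)
         template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"));
};

log { source(s_net); destination(d_spool); };

# --- inputs.conf in the syslog_inputs app on the collector's universal forwarder ---
# host_segment = 4 takes the host from /var/log/remote/<host>/..., so events
# keep the original sender's name rather than the collector's.
[monitor:///var/log/remote/*/*.log]
sourcetype = syslog
host_segment = 4
index = network
disabled = false

# --- props.conf on the search head: a hand-written search-time extraction ---
# Sample event this targets (constructed):
#   2024-03-12T08:15:02+00:00 bastion01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51522 ssh2
# The "invalid user " prefix is optional and the username is \S+, so the same
# pattern also matches "Accepted publickey for alice from 198.51.100.7 port 50122 ssh2";
# a pattern generated from a single sample tends to hard-code such tokens.
[syslog]
EXTRACT-sshd_auth = sshd\[(?<pid>\d+)\]: (?<action>Accepted|Failed) (?<method>\S+) for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)

# --- serverclass.conf on the deployment server ---
# Every forwarder whose name matches syslog-* receives the syslog_inputs app
# and restarts when it changes, so all collectors are configured identically.
[serverClass:syslog_collectors]
whitelist.0 = syslog-*

[serverClass:syslog_collectors:app:syslog_inputs]
restartSplunkd = true
stateOnClient = enabled

# --- deploymentclient.conf on each collector's forwarder (placeholder host) ---
[target-broker:deploymentServer]
targetUri = deploy.example.invalid:8089

# --- server.conf on each indexer and search head (placeholder host) ---
[license]
master_uri = https://license.example.invalid:8089
```

With the extraction in place, the scoped search from the fourth tip becomes `index=network sourcetype=syslog action=Failed | stats count by src_ip, user` rather than a bare keyword such as "failure", which would scan every index for a string that appears in countless unrelated events.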

Be sure to check back often for additional insights and tips to make the most out of your Splunk instance. In case you missed it, read the first installment with 5 additional tips: Part 1: Things I Wish I Knew Before Installing Splunk

Are you about to install Splunk for the first time? We are offering a free consultation with one of our Certified Splunk Engineers to help you set up your Splunk architecture right the first time.
