Installing Splunk and uberAgent Components

Today I want to share the steps that are necessary to install the prerequisites for Helge Klein´s uberAgent, the Windows monitoring agent that sends its data to Splunk. We will start with the installation of Splunk. After that first step is done we will go on and install the server components of uberAgent.

What is Splunk?
That was exactly my problem some months ago. I had heard about it a few times but didn´t really know what to do with all of the information. After watching Helge´s presentation at E2EVC I decided to have a deeper look into this topic.

What Splunk does…
Basically, it collects machine data from the hosts you point it at, indexes it, and makes it searchable with Splunk´s Search Processing Language (SPL). You can ingest nearly any data in whatever form it has (log files, event logs, performance counters and so on) and build reports and interactive dashboards on top of it.
The capabilities reach from monitoring and searching to correlating data with customizable dashboards and views. From my point of view this system is so powerful and customizable that a first look at it makes me think of so many use cases I never could have imagined. You get almost unlimited possibilities with the data that was lying dead on your servers before.

How do I get it?
Splunk is available in three editions: Free, Enterprise and Cloud. The main difference is the amount of data you are allowed to index per day; the Free edition has a limit of 500 MB per day. Further differences lie in clustering and distributed search, and, importantly for anything beyond a lab, Splunk Free has no authentication and no user management: anyone who can reach Splunk Web has full administrative access. The installation files are easily obtainable at http://www.splunk.com, and a “Free vs. Enterprise” comparison is available on Splunk´s website. Note that a fresh download installs an Enterprise trial license, which is why the login screen below appears; you can switch to the Free license later under Settings > Licensing.

Why should I use it?
My main focus is Proof of Concepts and Troubleshooting scenarios along with performance comparisons. The Free edition should help you in many cases when searching for errors and optimization points. In huge enterprise environments it can help you get insights you have not seen before in such an easy way.

Installing a basic Splunk Server
I have a Windows Server 2012 R2 server without any other software components in place. To start, double-click the “splunk-6.2.1-245427-x64-release” installer that was downloaded before.

Tick the checkbox to accept the License Agreement and click CUSTOMIZE OPTIONS. I am doing this only to document the different steps you can configure; otherwise just click INSTALL.

[Screenshot: 1_Splunk]

Choose the path where you want the files to be located. I´m leaving it as it is. NEXT.

[Screenshot: 2_Splunk]

In this case we will use Local System because it is sufficient for a first test environment on a laptop. Local System authenticates to other machines only as the computer account, which normally has no rights there, so you need to choose “Domain Account” if you want to do any of the following with Splunk Enterprise:

  • Read Event Logs remotely
  • Collect performance counters remotely
  • Read network shares for log files

Use a dedicated, least-privilege service account for this, not a Domain Admin account: the Splunk service runs with whatever rights that account holds, and its password is stored on the server where any local administrator can recover it. Further information can be found in Splunk´s documentation. NEXT.

[Screenshot: 3_Splunk]

Yes, create a Start Menu Shortcut. INSTALL.

[Screenshot: 4_Splunk]

Click FINISH; a browser opens with Splunk Web, the local web interface, which listens on port 8000 by default.

[Screenshot: 5_Splunk]

Now we need to sign in. Type the default credentials in the fields:
Username: admin
Password: changeme
These are identical on every fresh Splunk install, so anyone who can reach port 8000 knows them; do not leave them in place. SIGN IN.

[Screenshot: 6_Splunk]

We are prompted to change the password right after the first login; pick a strong one. SAVE PASSWORD.

[Screenshot: 7_Splunk]

We are in. The Splunk server is running and ready for further configuration.
Note that Splunk Web is served over plain HTTP on port 8000 by default, so the password you just set, and every session after it, travels unencrypted. Switch it to HTTPS under Settings > Server settings > General settings (Enable SSL) and restart Splunk. The management port 8089 already uses HTTPS, with a self-signed certificate out of the box.
You see how easy it was to install the basic Splunk server. It won´t get any harder with the other components.
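For repeatable builds, here is the same installation as an unattended PowerShell script, including the two hardening steps walked through above (replacing the default admin password and enabling HTTPS on Splunk Web). This is an added example written for this post, not Splunk´s own script and not the author´s; the download folder, the install log path and the service account name CORP\svc-splunk are placeholders to adjust, and the MSI properties used are the public ones documented for the Splunk Windows installer.

```powershell
# Unattended equivalent of the wizard steps above (Splunk 6.2 on Windows,
# Windows PowerShell, run from an elevated console).
# Added example for this post, not Splunk's own script; the paths and the
# service account below are assumptions.
$Msi        = 'C:\Install\splunk-6.2.1-245427-x64-release.msi'   # assumed download location
$InstallDir = 'C:\Program Files\Splunk'                           # wizard default
$LogFile    = 'C:\Install\splunk-install.log'                     # assumed
$SplunkBin  = Join-Path $InstallDir 'bin\splunk.exe'
$SvcUser    = 'CORP\svc-splunk'   # assumed dedicated, least-privilege domain account (never a Domain Admin)

function ConvertTo-PlainText([Security.SecureString]$Secure) {
    # Needed because msiexec and the splunk CLI only accept plain-text passwords.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Prompt instead of hard-coding secrets in the script.
$SvcPass      = ConvertTo-PlainText (Read-Host -AsSecureString -Prompt "Password for $SvcUser")
$NewAdminPass = ConvertTo-PlainText (Read-Host -AsSecureString -Prompt 'New Splunk admin password')

# Public MSI properties of the Splunk Windows installer. LOGON_USERNAME/LOGON_PASSWORD
# is what the wizard's "Domain Account" choice sets; Local System cannot read remote
# event logs, performance counters or UNC shares. The logon password is visible on
# the msiexec command line while the install runs, so rotate it afterwards on a shared host.
$msiArgs = @(
    '/i', "`"$Msi`"",
    'AGREETOLICENSE=Yes',
    "INSTALLDIR=`"$InstallDir`"",
    "LOGON_USERNAME=`"$SvcUser`"",
    "LOGON_PASSWORD=`"$SvcPass`"",
    'LAUNCHSPLUNK=1',                      # start splunkd as soon as the install finishes
    '/quiet', '/norestart',
    '/L*v', "`"$LogFile`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec exited with $($proc.ExitCode); see $LogFile" }

# Wait until the splunkd service is running before using the CLI.
$deadline = (Get-Date).AddMinutes(3)
while ((Get-Service -Name 'splunkd' -ErrorAction SilentlyContinue).Status -ne 'Running') {
    if ((Get-Date) -gt $deadline) { throw 'splunkd did not start within 3 minutes' }
    Start-Sleep -Seconds 5
}

# Replace the well-known default credential (admin/changeme) immediately;
# every fresh install ships with it.
& $SplunkBin edit user admin -password $NewAdminPass -auth 'admin:changeme'
if ($LASTEXITCODE -ne 0) { throw 'changing the default admin password failed' }

# Switch Splunk Web (port 8000) from plain HTTP to HTTPS, the CLI counterpart of
# Settings > Server settings > General settings > Enable SSL, then restart to apply.
& $SplunkBin enable web-ssl -auth "admin:$NewAdminPass"
if ($LASTEXITCODE -ne 0) { throw 'enabling HTTPS on Splunk Web failed' }
& $SplunkBin restart
if ($LASTEXITCODE -ne 0) { throw 'splunk restart failed' }

Write-Host 'Splunk is installed. Log in at https://localhost:8000 with the new admin password.'
```

The script stops at the first failing step rather than continuing with a half-configured server, and it never writes a password into the script file itself; the one unavoidable exposure is the msiexec command line, which is why the service account password should be rotated afterwards on any host where other users can list processes.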

Install uberAgent components
Now let´s install “uberAgent_indexer.tgz” and “uberAgent_searchhead.tgz”. To do this, click on the small gear icon next to Apps, shown below.

[Screenshot: 8_Splunk]

What is a search head?
A Splunk Enterprise instance that handles search management functions: it parses searches, distributes them to the indexers and merges the results.

What is the Indexer?
A Splunk Enterprise instance that indexes data: it transforms raw data into events and places the results into an index. It also searches the indexed data in response to search requests. On the single all-in-one server built here, the same instance plays both roles, which is why both packages are installed on it.

Click on INSTALL APP FROM FILE.

[Screenshot: 9_Splunk]

Now browse to the folder you downloaded the uberAgent files to and choose “uberAgent_indexer.tgz”. Leave the upgrade checkbox below unticked unless an uberAgent package is already installed on this Splunk server and you want to overwrite it.

[Screenshot: 10_Splunk]

Repeat this step to upload “uberAgent_searchhead.tgz”, then restart your Splunk server.

[Screenshot: 11_Splunk]
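The same two uploads and the restart can be done from the Splunk CLI, which is handy when building several servers, and the result can be verified through the management API instead of by eyeballing the Apps page. This is an added example for this post, not code from uberAgent or Splunk; it assumes the default install path, that the admin password has already been changed, that the packages sit in C:\Install, and that the app IDs inside the packages match the package names uberAgent_indexer and uberAgent_searchhead (Windows PowerShell 5.1, as the certificate-callback line does not work in PowerShell 7).

```powershell
# Install the two uberAgent Splunk apps from the CLI and confirm they are registered.
# Added example for this post, not uberAgent's or Splunk's own code.
$SplunkBin = 'C:\Program Files\Splunk\bin\splunk.exe'                         # default install path
$Packages  = @('C:\Install\uberAgent_indexer.tgz', 'C:\Install\uberAgent_searchhead.tgz')  # assumed location
$AppIds    = @('uberAgent_indexer', 'uberAgent_searchhead')                    # assumed app IDs inside the packages
$Cred      = Get-Credential -UserName 'admin' -Message 'Splunk admin credentials'
$AdminPass = $Cred.GetNetworkCredential().Password

foreach ($pkg in $Packages) {
    if (-not (Test-Path -LiteralPath $pkg)) { throw "Package not found: $pkg" }
    # "-update 1" is the CLI counterpart of the upgrade checkbox in the upload dialog:
    # it overwrites an app of the same name if one is already present.
    & $SplunkBin install app $pkg -update 1 -auth "admin:$AdminPass"
    if ($LASTEXITCODE -ne 0) { throw "splunk install app failed for $pkg" }
}

# A restart is required for the new apps, exactly as in the web UI.
& $SplunkBin restart
if ($LASTEXITCODE -ne 0) { throw 'splunk restart failed' }

# Verify through the management API on 8089. splunkd serves it over HTTPS with a
# self-signed certificate by default, so certificate validation is relaxed here.
# That is acceptable for localhost on a lab box only; for remote management,
# install a trusted certificate instead of disabling the check.
[Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
$basic   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("admin:$AdminPass"))
$headers = @{ Authorization = "Basic $basic" }
$uri     = 'https://localhost:8089/services/apps/local?count=0'

# splunkd needs a moment after the restart before the API answers.
$deadline = (Get-Date).AddMinutes(2)
do {
    try { $feed = Invoke-RestMethod -Uri $uri -Headers $headers; break }
    catch {
        if ((Get-Date) -gt $deadline) { throw }
        Start-Sleep -Seconds 5
    }
} while ($true)

# Each Atom entry's title is the app ID.
$installed = @($feed.feed.entry | ForEach-Object { $_.title })
foreach ($app in $AppIds) {
    if ($installed -contains $app) { Write-Host "OK: $app is installed" }
    else { Write-Warning "Not found after restart: $app" }
}
```

If the verification reports an app as missing, check the splunkd log under the Splunk install directory for the package name; the upload dialog in the web UI surfaces the same errors, but only on screen.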

It is running, what´s next?
The next blog post will deal with the uberAgent installation and configuration. Until then you can have a look at the other available Splunk apps here: https://apps.splunk.com

Cheers,
Sinisa
