Splunk Useful Learning Contents

Maciej
5 min readJul 12, 2021

Introduction

Some time ago I started studying Splunk, so I'd like to look back and summarize the study methods and sites about Splunk that I found useful when I was starting out.

First few things to do

If you want to study Splunk from now on, first prepare an environment where you can study.

  • Install Splunk and import sample data: Splunk is free to use as long as you index no more than 500MB of data per day, which is plenty if you are only studying. It runs on Windows / Linux / Mac, about 1 core / 1GB of resources is enough, and when you are not using it you can stop the service so it consumes nothing extra.
  • Preparing the environment: Splunk Cloud can be used immediately with a trial for up to 2 weeks, but since it is better to keep the environment at hand for a long time, I recommend the Splunk Enterprise version. You need to download and install the binary. Alternatively, you can deploy it from the Marketplace on AWS / Azure, and if you are a container enthusiast, a Splunk container image is also available. Splunk Enterprise version download (user registration required; please use a browser other than Internet Explorer). The Enterprise version comes with a 60-day trial license, after which you can switch to the free license.
  • Importing sample data: Once the environment is ready, the next step is to load sample log data to study with. Splunk provides a tutorial and tutorial data, so import that data.
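The steps above (a single-node Splunk Enterprise study box plus the tutorial data) can be stood up with the official container image. The following Docker Compose file is an added example and is not part of the original post or of Splunk's own documentation; it assumes Docker Compose v2, the `splunk/splunk` image on Docker Hub, a `./tutorialdata` folder next to the compose file holding the downloaded tutorial zip, and a placeholder admin password that you replace:

```yaml
# Added example (not from the original post): one-node Splunk Enterprise
# study environment built on the official splunk/splunk image.
# Assumptions: Docker Compose v2; image tag "latest"; the password below
# is a placeholder to be replaced before first start.
services:
  splunk:
    image: splunk/splunk:latest
    container_name: splunk-study
    environment:
      SPLUNK_START_ARGS: "--accept-license"   # required by the image's first-run setup
      SPLUNK_PASSWORD: "CHANGE-ME-placeholder" # admin password (placeholder; 8+ chars)
    ports:
      - "127.0.0.1:8000:8000"   # Splunk Web on loopback only; management port 8089 stays unpublished
    volumes:
      - splunk-etc:/opt/splunk/etc            # keeps apps and config across container restarts
      - splunk-var:/opt/splunk/var            # keeps indexed data across container restarts
      - ./tutorialdata:/tmp/tutorialdata:ro   # constructed path for the tutorial zip you downloaded

volumes:
  splunk-etc:
  splunk-var:
```

Run `docker compose up -d`, wait for the container to report healthy, then log in at http://127.0.0.1:8000 as `admin` with the password you set and load the tutorial zip through Settings > Add Data > Upload, which is the same route the Splunk Search Tutorial uses. The loopback-only port binding is deliberate: after the 60-day trial, switching to the Free license disables user authentication entirely, so a study instance bound to all interfaces would be an unauthenticated search head on your network.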

Introducing free training to learn Splunk

Splunk Foundation 1 Training (Free)

Splunk's official eLearning training courses are available free of charge. Since they are on-demand, you can study in your spare time and replay the parts you do not understand. There is no reason not to use this free resource!

Site content useful for Splunk SPL learning

Splunk Community

This is the site that comes up when you google how to write a search. If you ask a question in Q&A format on this site, volunteers will answer it. You can also browse the history of past questions, so you can find a solution for most problems. It is one of the sites I find most useful.

Go Splunk

You can also find sample searches here, but while Splunk Answers handles questions in a Q&A format, Go Splunk posts interesting queries and searches, ranked by votes like a "like" button. Since you can search by sourcetype or by purpose, you may find a good idea to apply to your own data, but I personally feel that Answers has more useful information.

Splunk Power of SPL

One of the Splunk Apps for learning SPL. It’s basically the same as the tutorial, but how about using it for review? You need to add an app to Splunk to use it.

Splunk Blog

This is the official Splunk Blog. It carries a lot of technical articles, and if you browse them you can find interesting ones.

Splunk .conf online materials

You can search and download the materials from Splunk's annual .conf event for the past three years. There are many user case studies and product presentations, but there are also plenty of deep technical topics and best-practice talks, such as how to speed up searches without using join.

Conclusion

So far I have introduced reference sites and similar resources, but once you have learned the basic operations, please load various kinds of data and analyze them. I think the best way to improve your skills is hands-on trial and error. Also, since Splunk is just a tool, knowing only Splunk is not very useful on its own, so I think it is important to combine it with your own domain expertise and data.

