Starting up Splunk
Before getting into the practical details of Splunk, it is important to know what is really going on behind the scenes. When you start up Splunk, you are really starting up two different processes: splunkd and splunkweb. Here is the difference between the two:
• In the name splunkd, the d stands for daemon, meaning a process that is started up and then runs in the background, without interaction with the user. Splunkd is a server written in C/C++ that can process and index data as it streams in, even when that data is arriving quickly, and it can of course also process and index static data files. Splunkd is responsible for searching and indexing, which it does through the Splunk API (Application Programming Interface). Everything you do in Splunk goes through the API, and it is also through the API that the two services communicate with each other.
• Splunkweb is the service we will interact with directly most often. It is a Python-based web interface that gives us a way to issue commands to Splunk to get the data analysis we need. It also lets us start up and stop Splunk.
The functions of Splunk
Now it's time to look at the four main functions that Splunk carries out: collecting data, indexing data, searching for data, and analyzing data.
Data collection: Splunk makes it easy to collect data from many different kinds of computerized systems, which are increasingly the producers of most data today. Such data is frequently referred to as machine data. Since much of it is streaming data, Splunk is especially useful here, as it can handle streaming data quickly and efficiently. Additionally, Splunk can collect data from many other sources; the use of specialized apps and add-ons to do this will be discussed in Chapter 4, Reports in Splunk.
Data indexing: Before data can be searched, it needs to be indexed. Creating an index actually requires two steps: parsing and indexing. Parsing, which is essentially separating the raw data into individual events, itself involves several steps.
Note
Some of this discussion is beyond the scope of this text, but more details can be found at http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Howindexingworks.
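To make the parsing step concrete, here is an added example (not code from the book or from Splunk itself) of the two parsing sub-steps an indexer performs first: line breaking, which decides where one event ends and the next begins, and timestamp extraction. The sample log is constructed for this illustration; it contains an authentication failure followed by a multi-line stack trace, which is exactly the case where naive "one line equals one event" logic fails and the trace lines would be indexed as separate, timestamp-less events.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample input: three log records, the second followed by a
# stack trace whose lines carry no timestamp of their own.
SAMPLE_LOG = """\
2024-03-01 10:15:02,113 INFO  auth  login ok user=alice src=10.0.0.5
2024-03-01 10:15:07,420 ERROR auth  login failed user=bob src=10.0.0.9
Traceback (most recent call last):
  File "auth.py", line 42, in check_password
    raise InvalidCredentials(user)
InvalidCredentials: bob
2024-03-01 10:15:09,001 WARN  auth  lockout user=bob after=5 failures
"""

# Line-breaking rule: a new event begins at any line that starts with a
# timestamp of the form "YYYY-MM-DD HH:MM:SS,mmm". Lines that do not match
# are continuations of the event that precedes them.
EVENT_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3})\b")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Event:
    """One parsed event: its extracted timestamp (None if the raw text had
    no recognisable one) and the complete raw text, possibly multi-line."""
    timestamp: Optional[datetime]
    raw: str
    line_count: int = 1


def extract_timestamp(match: "re.Match") -> datetime:
    """Timestamp extraction: parse the matched prefix, keeping the
    millisecond part so event ordering within a second is preserved."""
    base = datetime.strptime(match.group(1), TIME_FORMAT)
    return base.replace(microsecond=int(match.group(2)) * 1000)


def split_events(text: str) -> List[Event]:
    """Break raw text into events and stamp each one with its own time.

    Continuation lines (stack traces, wrapped messages) are merged into the
    preceding event instead of becoming events of their own. Lines that
    arrive before any timestamped line are kept as an event with no
    timestamp rather than silently dropped, so nothing is lost on ingest.
    """
    events: List[Event] = []
    for line in text.splitlines():
        m = EVENT_START.match(line)
        if m:
            events.append(Event(extract_timestamp(m), line))
        elif events:
            events[-1].raw += "\n" + line
            events[-1].line_count += 1
        else:
            events.append(Event(None, line))
    return events


if __name__ == "__main__":
    for ev in split_events(SAMPLE_LOG):
        print(f"{ev.timestamp}  lines={ev.line_count}")
        print(ev.raw)
        print("-" * 40)
```

Running the block shows three events, with the five lines of the failed login and its stack trace kept together as one event stamped 10:15:07,420. Splunk's own indexer performs the same two steps with configurable rules (line-breaking and timestamp settings in its props configuration), which is why getting those rules right for a new data source matters: an event split in the wrong place is an event your searches will not find.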