1
00:00:01,050 --> 00:00:17,600
[Music]
2
00:00:15,039 --> 00:00:19,919
hello friends welcome back to my channel
3
00:00:17,600 --> 00:00:22,320
and uh today we are back with another
4
00:00:19,920 --> 00:00:24,640
exciting tutorial so this will be a
5
00:00:22,320 --> 00:00:26,560
splunk tutorial for beginners and there
6
00:00:24,640 --> 00:00:28,399
has been a lot of queries a lot of
7
00:00:26,559 --> 00:00:32,159
requests on how to
8
00:00:28,399 --> 00:00:34,159
troubleshoot splunk issues so like if we
9
00:00:32,159 --> 00:00:36,558
had done a lot of tutorials like how to
10
00:00:34,159 --> 00:00:38,799
set up splunk and writing queries and
11
00:00:36,558 --> 00:00:41,039
all those things but there was a request
12
00:00:38,799 --> 00:00:43,199
like if in a real productive scenarios
13
00:00:41,039 --> 00:00:45,039
they may face some issues with
14
00:00:43,200 --> 00:00:47,760
splunk environment how it can be
15
00:00:45,039 --> 00:00:49,679
troubleshoot so in that cases you know i
16
00:00:47,759 --> 00:00:51,599
just wanted to show you some of the tips
17
00:00:49,679 --> 00:00:53,840
or you know what are the log files what
18
00:00:51,600 --> 00:00:55,840
kind of indexes you know what kind of
19
00:00:53,840 --> 00:00:58,800
queries you know you can use what kind
20
00:00:55,840 --> 00:01:00,719
of uh extra tools like btool uh which you
21
00:00:58,799 --> 00:01:03,280
can use it for uh you know
22
00:01:00,719 --> 00:01:05,680
finding out some of uh splunk issues how
23
00:01:03,280 --> 00:01:08,719
you can analyze that okay so some of the
24
00:01:05,680 --> 00:01:10,880
common splunk issues which you uh come
25
00:01:08,719 --> 00:01:13,280
across or face would be like some data
26
00:01:10,879 --> 00:01:15,920
quality issues or it can be a search
27
00:01:13,280 --> 00:01:18,159
performance or capacity issues or some
28
00:01:15,920 --> 00:01:20,560
license issues with the splunk or you
29
00:01:18,159 --> 00:01:22,960
know it can be a server usage issues so
30
00:01:20,560 --> 00:01:24,960
these are some common issues or splunk
31
00:01:22,959 --> 00:01:26,640
crash issues there are a lot of more but
32
00:01:24,959 --> 00:01:29,039
these are some common issues which you
33
00:01:26,640 --> 00:01:30,960
may come across and the way you know how
34
00:01:29,040 --> 00:01:32,880
you can analyze i will just show you
35
00:01:30,959 --> 00:01:35,359
some tips like you know what kind of log
36
00:01:32,879 --> 00:01:37,118
files you can go and check and in which
37
00:01:35,359 --> 00:01:39,680
your log file you can easily find out
38
00:01:37,118 --> 00:01:41,519
what so let's uh check out on those
39
00:01:39,680 --> 00:01:43,280
things so before i get into that i would
40
00:01:41,519 --> 00:01:45,438
request you like if you are new to my
41
00:01:43,280 --> 00:01:47,680
channel or if you have not subscribed to
42
00:01:45,438 --> 00:01:51,438
my channel click on the subscribe button
43
00:01:47,680 --> 00:01:53,439
also like my videos share and comment
44
00:01:51,438 --> 00:01:56,798
so let's get started with some of the
45
00:01:53,438 --> 00:01:59,359
common splunk logs okay so that would be
46
00:01:56,799 --> 00:02:01,118
the best place to start so you splunk
47
00:01:59,359 --> 00:02:03,118
always write you know most of its
48
00:02:01,118 --> 00:02:05,359
contents into some of the logs or some
49
00:02:03,118 --> 00:02:07,840
of the internal indexes which we will
50
00:02:05,359 --> 00:02:10,399
see so some of the common logs which you
51
00:02:07,840 --> 00:02:12,800
can go and identify these issues are
52
00:02:10,399 --> 00:02:14,878
like one is log file is called splunk
53
00:02:12,800 --> 00:02:17,840
dot log and another one is called
54
00:02:14,878 --> 00:02:21,199
metrics dot log and audit.log and
55
00:02:17,840 --> 00:02:22,719
license usage.log and splunk access dot
56
00:02:21,199 --> 00:02:25,359
log there are other logs as well but
57
00:02:22,719 --> 00:02:27,759
these are some uh major logs which you
58
00:02:25,360 --> 00:02:30,239
can be helpful and out of this splunk
59
00:02:27,759 --> 00:02:32,560
dot log is the main one where it will
60
00:02:30,239 --> 00:02:35,759
write all the contents what splunk d is
61
00:02:32,560 --> 00:02:38,080
doing and let's go and check out this
62
00:02:35,759 --> 00:02:40,479
where it will be saved
63
00:02:38,080 --> 00:02:42,480
since i'm using windows machine and i
64
00:02:40,479 --> 00:02:45,598
have installed splunk on this machine
65
00:02:42,479 --> 00:02:47,439
this uh log files are located under your
66
00:02:45,598 --> 00:02:50,159
splunk installation folder so if it's
67
00:02:47,439 --> 00:02:51,840
under c program files splunk uh so that
68
00:02:50,159 --> 00:02:54,000
would be your splunk home and that
69
00:02:51,840 --> 00:02:55,680
should be under var log and splunk so
70
00:02:54,000 --> 00:02:58,318
that will be the place where the logs
71
00:02:55,680 --> 00:03:00,159
will be installed available where in the
72
00:02:58,318 --> 00:03:01,919
case of linux installation it would be
73
00:03:00,158 --> 00:03:05,039
like your splunk home for example if
74
00:03:01,919 --> 00:03:07,679
your splunk home is slash opt
75
00:03:05,039 --> 00:03:09,598
slash splunk then you know the log file
76
00:03:07,680 --> 00:03:10,400
will be under you know
77
00:03:09,598 --> 00:03:12,799
log
78
00:03:10,400 --> 00:03:15,519
splunk so it'll be slash opt slash
79
00:03:12,800 --> 00:03:17,519
splunk slash var slash log slash
80
00:03:15,519 --> 00:03:20,400
splunk so that would be the place where
81
00:03:17,519 --> 00:03:22,158
all these logs file will be there so
82
00:03:20,400 --> 00:03:24,239
as you as you can see there are so much
83
00:03:22,158 --> 00:03:26,239
of log file here right so mainly you
84
00:03:24,239 --> 00:03:28,560
know what we want to do is we
85
00:03:26,239 --> 00:03:30,719
we want to start with the splunk d dot
86
00:03:28,560 --> 00:03:33,360
log that would be the main log where the
87
00:03:30,719 --> 00:03:35,519
splunk will write all its uh you know
88
00:03:33,360 --> 00:03:37,360
information and you have other logs
89
00:03:35,519 --> 00:03:39,120
like splunk d access dot log you know
90
00:03:37,360 --> 00:03:42,959
which i mentioned you have something
91
00:03:39,120 --> 00:03:45,680
called audit.log you have metrics.log
92
00:03:42,959 --> 00:03:47,199
license usage.log so all these logs
93
00:03:45,680 --> 00:03:49,200
there are other logs as well but these
94
00:03:47,199 --> 00:03:52,719
are some major logs now if you go to
95
00:03:49,199 --> 00:03:54,959
this splunk dot log as i mentioned it
96
00:03:52,719 --> 00:03:57,120
will start writing all these uh
97
00:03:54,959 --> 00:03:59,519
activities what it doing like splunk d
98
00:03:57,120 --> 00:04:02,239
starting what the system info what is
99
00:03:59,519 --> 00:04:03,519
the you know uh system information you
100
00:04:02,239 --> 00:04:05,680
know
101
00:04:03,519 --> 00:04:08,719
all those details it's trying to put it
102
00:04:05,680 --> 00:04:10,239
here you can see that right uh you can
103
00:04:08,719 --> 00:04:12,239
read through it you know when you want
104
00:04:10,239 --> 00:04:14,000
to find and you know it will also tell
105
00:04:12,239 --> 00:04:16,879
you you know what it's trying to do with
106
00:04:14,000 --> 00:04:18,560
each you know uh splunk uh
107
00:04:16,879 --> 00:04:20,399
about you it's uh
108
00:04:18,560 --> 00:04:22,560
indexing and all those things you can
109
00:04:20,399 --> 00:04:25,279
see it's the stanza which is looking for
110
00:04:22,560 --> 00:04:28,000
event log right and also it will be
111
00:04:25,279 --> 00:04:31,359
talking about the uh i know what file
112
00:04:28,000 --> 00:04:33,680
it's watching so if i search for
113
00:04:31,360 --> 00:04:33,680
watch
114
00:04:36,240 --> 00:04:40,478
so you can see if i search for watch it
115
00:04:38,319 --> 00:04:43,360
will tell you like you know different
116
00:04:40,478 --> 00:04:46,079
files which is watching so when splunk
117
00:04:43,360 --> 00:04:47,759
is looking uh those files mean it will
118
00:04:46,079 --> 00:04:50,639
watch those files and if there is any
119
00:04:47,759 --> 00:04:53,360
changes it will uh get that into the
120
00:04:50,639 --> 00:04:55,680
index as per our configurations right so
121
00:04:53,360 --> 00:04:57,919
that's how it's be done for example i
122
00:04:55,680 --> 00:04:59,759
have windows
123
00:04:57,918 --> 00:05:02,319
update dot log
124
00:04:59,759 --> 00:05:04,240
which i am uh having it so you can see
125
00:05:02,319 --> 00:05:07,038
you know uh there is a log which is uh
126
00:05:04,240 --> 00:05:08,319
you know added into this so it will be
127
00:05:07,038 --> 00:05:10,639
watching that
128
00:05:08,319 --> 00:05:12,399
file and it's also writing you know it's
129
00:05:10,639 --> 00:05:15,280
different kind of buckets
130
00:05:12,399 --> 00:05:16,799
all those things it's also look for crc
131
00:05:15,279 --> 00:05:19,038
right so all those details will be
132
00:05:16,800 --> 00:05:20,800
available in this log so it's not
133
00:05:19,038 --> 00:05:23,038
mandatory that you need to open this
134
00:05:20,800 --> 00:05:25,918
file and uh read through it there you
135
00:05:23,038 --> 00:05:28,399
can also directly access this from your
136
00:05:25,918 --> 00:05:30,159
splunk instance you can write a query
137
00:05:28,399 --> 00:05:31,279
and you can find out those information
138
00:05:30,160 --> 00:05:34,000
here
139
00:05:31,279 --> 00:05:35,758
so when we talk about splunk dot log
140
00:05:34,000 --> 00:05:38,160
which i mentioned splunk dot log
141
00:05:35,759 --> 00:05:40,879
provides an overview of what splunk is
142
00:05:38,160 --> 00:05:43,199
doing so all the events are logged uh
143
00:05:40,879 --> 00:05:45,519
for all the splunk components in this uh
144
00:05:43,199 --> 00:05:47,680
splunk dot log and as i mentioned it's
145
00:05:45,519 --> 00:05:49,680
available in this folder like splunk
146
00:05:47,680 --> 00:05:51,759
home which is you know in windows should
147
00:05:49,680 --> 00:05:53,280
be under program file splunk whereas
148
00:05:51,759 --> 00:05:56,560
linux it should be the place where you
149
00:05:53,279 --> 00:05:58,478
install var log splunk right and this is
150
00:05:56,560 --> 00:06:00,879
a query which you can run
151
00:05:58,478 --> 00:06:03,038
okay and i'll show you what we get and
152
00:06:00,879 --> 00:06:05,120
uh if you see yeah this is a sample
153
00:06:03,038 --> 00:06:07,199
which i show like in the splunk d dot log
154
00:06:05,120 --> 00:06:10,160
it's watches the file which is we want
155
00:06:07,199 --> 00:06:12,240
to index so if you have a scenario like
156
00:06:10,160 --> 00:06:14,720
you know your file is not getting
157
00:06:12,240 --> 00:06:16,639
indexed uh the best thing is you go and
158
00:06:14,720 --> 00:06:18,720
check in the log where you have the file
159
00:06:16,639 --> 00:06:20,960
is getting watched and also if you have
160
00:06:18,720 --> 00:06:23,199
a forwarder which is sending the file
161
00:06:20,959 --> 00:06:24,318
you can also check the splunk d log in
162
00:06:23,199 --> 00:06:25,840
the
163
00:06:24,319 --> 00:06:27,759
forwarder client so that you know you
164
00:06:25,839 --> 00:06:29,519
can see what is happening from there as
165
00:06:27,759 --> 00:06:32,240
well
166
00:06:29,519 --> 00:06:34,318
so if i run this uh query over here on
167
00:06:32,240 --> 00:06:36,079
the splunk instance you can see i'm
168
00:06:34,319 --> 00:06:39,120
running on the source
169
00:06:36,079 --> 00:06:39,120
and if i run it
170
00:06:39,439 --> 00:06:43,759
you can see it will give you the whole
171
00:06:41,038 --> 00:06:47,199
components what we are having in inside
172
00:06:43,759 --> 00:06:49,680
the splunk dot log so it's give you a
173
00:06:47,199 --> 00:06:53,120
bunch of you know details what is done
174
00:06:49,680 --> 00:06:55,038
so if you see the bucket roll over if i
175
00:06:53,120 --> 00:06:58,079
check it it will tell you all the
176
00:06:55,038 --> 00:07:00,959
components or the logs based on that so
177
00:06:58,079 --> 00:07:03,038
you can see a roll to the hot db bucket
178
00:07:00,959 --> 00:07:05,758
for you know uh
179
00:07:03,038 --> 00:07:08,399
from this one right and you can see here
180
00:07:05,759 --> 00:07:10,720
finished moving hot to one so all those
181
00:07:08,399 --> 00:07:12,560
informations are written in this uh
182
00:07:10,720 --> 00:07:14,960
log file like how the buckets are moved
183
00:07:12,560 --> 00:07:17,199
from hot to warm and all those things so
184
00:07:14,959 --> 00:07:19,918
you can see all the details over here
185
00:07:17,199 --> 00:07:21,840
when i just search for that component
186
00:07:19,918 --> 00:07:24,399
right so similar way you can check what
187
00:07:21,839 --> 00:07:26,159
the components so it's just a simple way
188
00:07:24,399 --> 00:07:28,478
like you just put a stats on the count
189
00:07:26,160 --> 00:07:30,639
by component and you will be getting you
190
00:07:28,478 --> 00:07:32,478
know the details so it's not mandatory
191
00:07:30,639 --> 00:07:34,879
that you need to go to the splunk dot
192
00:07:32,478 --> 00:07:37,199
log and then you search it there
193
00:07:34,879 --> 00:07:39,279
so before we go into the other log files
194
00:07:37,199 --> 00:07:42,000
i also want to show you like some of the
195
00:07:39,279 --> 00:07:43,918
indexes which will be you know very
196
00:07:42,000 --> 00:07:46,000
useful for analyzing so some of the
197
00:07:43,918 --> 00:07:48,318
index like underscore internal and
198
00:07:46,000 --> 00:07:51,279
underscore audit so these are two main
199
00:07:48,319 --> 00:07:52,879
uh indexes other than the other indexes
200
00:07:51,279 --> 00:07:55,279
which you will create these are system
201
00:07:52,879 --> 00:07:57,520
indexes which will be very useful for
202
00:07:55,279 --> 00:07:59,918
your analysis or troubleshooting a lot
203
00:07:57,519 --> 00:08:01,758
of splunk issues so one of a simple
204
00:07:59,918 --> 00:08:03,918
query like if you put the
205
00:08:01,759 --> 00:08:06,720
underscore internal and if you skip the
206
00:08:03,918 --> 00:08:08,399
stats by source type and source we can
207
00:08:06,720 --> 00:08:09,360
get some information from the let's see
208
00:08:08,399 --> 00:08:11,679
that
209
00:08:09,360 --> 00:08:13,840
so if i go and put
210
00:08:11,680 --> 00:08:16,478
the source and source type so it will
211
00:08:13,839 --> 00:08:18,318
give us the details on what are the
212
00:08:16,478 --> 00:08:20,318
contents we have it in the underscore
213
00:08:18,319 --> 00:08:22,400
internal so you can see you know there
214
00:08:20,319 --> 00:08:25,199
are different kind of source type and
215
00:08:22,399 --> 00:08:27,359
where the source the file is coming for
216
00:08:25,199 --> 00:08:29,280
example splunk d is the source type
217
00:08:27,360 --> 00:08:31,360
where it's how multiple log files
218
00:08:29,279 --> 00:08:34,478
getting returned so splunk d dot log is
219
00:08:31,360 --> 00:08:36,320
one utility metrics license usage health
220
00:08:34,479 --> 00:08:39,680
dot log so all these things are written
221
00:08:36,320 --> 00:08:41,680
by splunk d right and we have ui
222
00:08:39,679 --> 00:08:44,879
access which is the splunk ui access dot
223
00:08:41,679 --> 00:08:47,120
log and we have config we have mongodb
224
00:08:44,879 --> 00:08:48,958
scheduler right so there are web access
225
00:08:47,120 --> 00:08:50,720
which will be web access dot log so the
226
00:08:48,958 --> 00:08:52,719
different kind of log where it is
227
00:08:50,720 --> 00:08:55,600
written by which component it give you
228
00:08:52,720 --> 00:08:57,360
the detail using this query
229
00:08:55,600 --> 00:09:00,080
if i want to simplify it a little bit
230
00:08:57,360 --> 00:09:02,000
more for a splunk d uh case alone so if
231
00:09:00,080 --> 00:09:04,800
i go i like index
232
00:09:02,000 --> 00:09:07,519
internals source type is splunk d and
233
00:09:04,799 --> 00:09:09,278
source with the splunk dot log
234
00:09:07,519 --> 00:09:12,399
because there are different logs let's
235
00:09:09,278 --> 00:09:14,159
see what we get from output from there
236
00:09:12,399 --> 00:09:16,159
so this should be similar like what you
237
00:09:14,159 --> 00:09:18,319
go and search in the splunk dot log
238
00:09:16,159 --> 00:09:19,600
because we are finding uh all the
239
00:09:18,320 --> 00:09:22,160
details for
240
00:09:19,600 --> 00:09:24,560
splunk d dot log right so now uh
241
00:09:22,159 --> 00:09:26,319
whatever we see in that log file we are
242
00:09:24,559 --> 00:09:28,799
going to get it here for example you
243
00:09:26,320 --> 00:09:30,879
know reading the file you know
244
00:09:28,799 --> 00:09:33,919
all those in details we will have it
245
00:09:30,879 --> 00:09:36,799
here right and you'll have different
246
00:09:33,919 --> 00:09:38,799
filters over here like
247
00:09:36,799 --> 00:09:40,958
let's see we have source type right we
248
00:09:38,799 --> 00:09:43,439
have a file so you can see different
249
00:09:40,958 --> 00:09:44,399
kind of files you can filter with that
250
00:09:43,440 --> 00:09:46,560
right
251
00:09:44,399 --> 00:09:49,039
so if i go and select
252
00:09:46,559 --> 00:09:51,759
one of the file here
253
00:09:49,039 --> 00:09:54,159
you can see uh it is it will show you
254
00:09:51,759 --> 00:09:55,919
that file alone so for example if i go
255
00:09:54,159 --> 00:09:57,120
and change this to
256
00:09:55,919 --> 00:09:58,399
windows
257
00:09:57,120 --> 00:10:01,720
update
258
00:09:58,399 --> 00:10:01,720
dot log
259
00:10:04,720 --> 00:10:09,519
so you can see if i run with this
260
00:10:07,078 --> 00:10:11,919
windowsupdate.log we get some logs
261
00:10:09,519 --> 00:10:15,440
based on that right so if you see the
262
00:10:11,919 --> 00:10:16,879
file is watched uh you know at this time
263
00:10:15,440 --> 00:10:19,279
right and
264
00:10:16,879 --> 00:10:21,200
also parsing the content because it's
265
00:10:19,278 --> 00:10:24,320
coming from this uh
266
00:10:21,200 --> 00:10:26,800
you know uh stanza of our you know
267
00:10:24,320 --> 00:10:28,160
uh configuration right so that's what
268
00:10:26,799 --> 00:10:30,719
it's trying to do
269
00:10:28,159 --> 00:10:32,799
uh so you can change the value of from
270
00:10:30,720 --> 00:10:35,120
24 hours to which or so then you'll get
271
00:10:32,799 --> 00:10:36,879
more uh details as well so there are
272
00:10:35,120 --> 00:10:39,360
different ways you can simply you know
273
00:10:36,879 --> 00:10:41,600
find out which log is uh you know
274
00:10:39,360 --> 00:10:43,759
in splunk d so it's not that you have to
275
00:10:41,600 --> 00:10:45,680
open the splunk dot log
276
00:10:43,759 --> 00:10:47,439
from the location and you read through
277
00:10:45,679 --> 00:10:49,599
it so you can easily
278
00:10:47,440 --> 00:10:50,800
filter it using your splunk search as
279
00:10:49,600 --> 00:10:52,639
well
280
00:10:50,799 --> 00:10:55,439
and the same way like you can do it for
281
00:10:52,639 --> 00:10:57,278
a metrics logs as well so let's find what
282
00:10:55,440 --> 00:11:01,839
we get there
283
00:10:57,278 --> 00:11:01,838
so if i go and search for metrics
284
00:11:04,958 --> 00:11:09,599
so you can see like we get a lot of
285
00:11:07,440 --> 00:11:11,040
output here as well so metrics you can
286
00:11:09,600 --> 00:11:13,920
see there are more metrics like
287
00:11:11,039 --> 00:11:15,919
throughput you know instantaneous kb
288
00:11:13,919 --> 00:11:17,759
right so different other parameters you
289
00:11:15,919 --> 00:11:19,838
get it from metrics
290
00:11:17,759 --> 00:11:22,639
so if you talk about metrics this
291
00:11:19,839 --> 00:11:24,160
metrics log is where the splunk stores
292
00:11:22,639 --> 00:11:26,399
all the information
293
00:11:24,159 --> 00:11:28,958
of various group of splunk activities
294
00:11:26,399 --> 00:11:31,679
such as like throughput queue sizes
295
00:11:28,958 --> 00:11:33,599
response time job counts so this the
296
00:11:31,679 --> 00:11:35,759
kind of whole information is getting
297
00:11:33,600 --> 00:11:37,360
stored on the metrics dot log so if you
298
00:11:35,759 --> 00:11:40,000
want to analyze some of those you need
299
00:11:37,360 --> 00:11:41,600
to check these logs metrics dot log so
300
00:11:40,000 --> 00:11:43,440
that's why i just want to show you now
301
00:11:41,600 --> 00:11:44,879
there is also other way like all these
302
00:11:43,440 --> 00:11:46,880
informations if you see it's getting
303
00:11:44,879 --> 00:11:48,639
stored to the index underscore internal
304
00:11:46,879 --> 00:11:50,320
right so if you don't want to search
305
00:11:48,639 --> 00:11:52,879
whole information if you want to get
306
00:11:50,320 --> 00:11:54,879
some like errors or warnings you can
307
00:11:52,879 --> 00:11:57,919
even query with you know
308
00:11:54,879 --> 00:12:00,000
that kind of query in the splunk uh
309
00:11:57,919 --> 00:12:01,919
search you can also advance that you
310
00:12:00,000 --> 00:12:04,480
know if you want to specifically do for
311
00:12:01,919 --> 00:12:06,879
splunk d dot log so you can do that
312
00:12:04,480 --> 00:12:08,240
and you can table it with some log
313
00:12:06,879 --> 00:12:09,519
message and all those things so this is
314
00:12:08,240 --> 00:12:11,600
a sample
315
00:12:09,519 --> 00:12:13,919
query which you can run so i will just
316
00:12:11,600 --> 00:12:17,440
run it and show you what we get
317
00:12:13,919 --> 00:12:20,479
so if i run this query for
318
00:12:17,440 --> 00:12:20,480
error or warning
319
00:12:22,320 --> 00:12:26,240
so you can see we get uh some output so
320
00:12:24,799 --> 00:12:29,199
where you know the
321
00:12:26,240 --> 00:12:30,799
message will be based on that so
322
00:12:29,200 --> 00:12:33,120
you can see the search has been
323
00:12:30,799 --> 00:12:35,199
cancelled right so that's uh one of
324
00:12:33,120 --> 00:12:36,000
error message you can see we have error
325
00:12:35,200 --> 00:12:37,920
right
326
00:12:36,000 --> 00:12:40,078
so it's giving a here if you see it's a
327
00:12:37,919 --> 00:12:42,719
warning message right the message search
328
00:12:40,078 --> 00:12:44,958
has been cancelled so based on that
329
00:12:42,720 --> 00:12:46,160
those uh content also we can do some
330
00:12:44,958 --> 00:12:48,239
search
331
00:12:46,159 --> 00:12:50,078
so these are some samples i just want to
332
00:12:48,240 --> 00:12:52,720
show you like you know what you can make
333
00:12:50,078 --> 00:12:53,679
use of this uh kind of queries to find
334
00:12:52,720 --> 00:12:55,519
some
335
00:12:53,679 --> 00:12:58,638
output so you can see you know host
336
00:12:55,519 --> 00:13:00,720
component the level warning level info
337
00:12:58,639 --> 00:13:03,120
error you know this which server it's
338
00:13:00,720 --> 00:13:05,440
happening so this kind of queries you
339
00:13:03,120 --> 00:13:07,519
can write when you have some issues so
340
00:13:05,440 --> 00:13:09,760
based on what is if you are want to find
341
00:13:07,519 --> 00:13:12,000
some error messages or warning message
342
00:13:09,759 --> 00:13:14,399
you can try to run this kind of queries
343
00:13:12,000 --> 00:13:16,799
and you will get some kind of uh input
344
00:13:14,399 --> 00:13:19,919
from this which you can analyze it
345
00:13:16,799 --> 00:13:21,519
so similar like metrics logs or splunk
346
00:13:19,919 --> 00:13:24,159
dot log we have something called
347
00:13:21,519 --> 00:13:26,480
audit.log so if you want to find some
348
00:13:24,159 --> 00:13:29,360
information about any user activity such
349
00:13:26,480 --> 00:13:31,920
as logins or search
350
00:13:29,360 --> 00:13:35,278
run and all those things the audit.log
351
00:13:31,919 --> 00:13:38,240
is the best place so this audit.log is
352
00:13:35,278 --> 00:13:40,480
not for uh web-based ui login uh
353
00:13:38,240 --> 00:13:43,360
activities this audit is for other user
354
00:13:40,480 --> 00:13:46,399
activities okay so we'll also talk about
355
00:13:43,360 --> 00:13:49,120
there's another called audit access.log
356
00:13:46,399 --> 00:13:51,679
which will be mainly used for ui login
357
00:13:49,120 --> 00:13:53,759
things okay so license usage is also
358
00:13:51,679 --> 00:13:56,000
another log which you can make use of it
359
00:13:53,759 --> 00:13:58,799
to find out how much index the volume of
360
00:13:56,000 --> 00:14:00,879
bytes per license indexes source source
361
00:13:58,799 --> 00:14:04,159
type those kind of things are happening
362
00:14:00,879 --> 00:14:06,399
using this license usage dot log and as
363
00:14:04,159 --> 00:14:09,679
i mentioned splunk d access dot log
364
00:14:06,399 --> 00:14:12,159
this gives you the details of splunk d
365
00:14:09,679 --> 00:14:15,519
through ui is logged in like uh web
366
00:14:12,159 --> 00:14:16,799
splunk web cli or post get uh delete
367
00:14:15,519 --> 00:14:18,959
search so when you do it through the
368
00:14:16,799 --> 00:14:21,919
splunk ui login those things will get
369
00:14:18,958 --> 00:14:24,239
stored in the splunk d access dot log
370
00:14:21,919 --> 00:14:26,799
okay so you can see you know there are
371
00:14:24,240 --> 00:14:28,639
other scenarios also like uh you may
372
00:14:26,799 --> 00:14:31,439
face some issues like you know you have
373
00:14:28,639 --> 00:14:33,120
a splunk search which is getting skipped
374
00:14:31,440 --> 00:14:34,880
or something right so if you want to get
375
00:14:33,120 --> 00:14:37,120
uh the details like what kind of
376
00:14:34,879 --> 00:14:38,879
searches are getting skipped you can use
377
00:14:37,120 --> 00:14:40,720
some queries like this like underscore
378
00:14:38,879 --> 00:14:43,278
internal and the source type should be
379
00:14:40,720 --> 00:14:46,079
scheduler and the status like skip so if
380
00:14:43,278 --> 00:14:48,399
you are having skip searches you can
381
00:14:46,078 --> 00:14:52,319
find it with this let's see what we get
382
00:14:48,399 --> 00:14:54,320
so let me run this search okay
383
00:14:52,320 --> 00:14:56,560
so you can see i don't have any output
384
00:14:54,320 --> 00:14:58,320
at all because i don't have any searches
385
00:14:56,559 --> 00:15:01,439
which is skip so i'll just remove the
386
00:14:58,320 --> 00:15:04,240
status so let's see what we get so i
387
00:15:01,440 --> 00:15:07,600
have the details about the searches now
388
00:15:04,240 --> 00:15:08,799
so i have no source type scheduler and
389
00:15:07,600 --> 00:15:10,879
you can see
390
00:15:08,799 --> 00:15:12,879
completed reading history so those kind
391
00:15:10,879 --> 00:15:14,399
of things is there now if i go to the
392
00:15:12,879 --> 00:15:16,720
status
393
00:15:14,399 --> 00:15:18,720
i have only states called success so
394
00:15:16,720 --> 00:15:21,120
that means the searches are success but
395
00:15:18,720 --> 00:15:23,680
if you have you know some skip searches
396
00:15:21,120 --> 00:15:25,278
you can use uh the status equal to
397
00:15:23,679 --> 00:15:27,439
skipped then you will see what other
398
00:15:25,278 --> 00:15:29,600
searches are skipped then based on that
399
00:15:27,440 --> 00:15:31,600
you will be able to take your actions
400
00:15:29,600 --> 00:15:34,399
based on that you may also want to
401
00:15:31,600 --> 00:15:36,639
analyze some of like concurrent searches
402
00:15:34,399 --> 00:15:38,480
and all those things so in this case you
403
00:15:36,639 --> 00:15:40,720
can use this search like or you have
404
00:15:38,480 --> 00:15:42,720
internal source type metric and the
405
00:15:40,720 --> 00:15:44,320
group is like search concurrent source
406
00:15:42,720 --> 00:15:46,639
so that will also give you some detail
407
00:15:44,320 --> 00:15:48,480
like how much of concurrent searches we
408
00:15:46,639 --> 00:15:51,198
can do those kind of things
409
00:15:48,480 --> 00:15:53,199
so let me do that search over here okay
410
00:15:51,198 --> 00:15:55,838
so i will do a
411
00:15:53,198 --> 00:15:56,879
search for with this metrics.log
412
00:15:55,839 --> 00:15:59,199
so
413
00:15:56,879 --> 00:16:02,720
you can see we have uh search
414
00:15:59,198 --> 00:16:04,639
concurrency right and uh the metrics so
415
00:16:02,720 --> 00:16:07,199
minimum queue so those kind of
416
00:16:04,639 --> 00:16:09,839
information is available in this uh you
417
00:16:07,198 --> 00:16:11,519
know search and because what we are
418
00:16:09,839 --> 00:16:13,360
trying to do is we are making use of the
419
00:16:11,519 --> 00:16:15,519
underscore internal and the source types
420
00:16:13,360 --> 00:16:18,560
right so we are using mainly splunk dot
421
00:16:15,519 --> 00:16:20,799
log or and the metrics dot log uh
422
00:16:18,559 --> 00:16:23,119
i think we have also used scheduler so
423
00:16:20,799 --> 00:16:25,120
different kind of source we have it and
424
00:16:23,120 --> 00:16:27,759
using that we can make use of different
425
00:16:25,120 --> 00:16:29,600
kind of events uh the log files over
426
00:16:27,759 --> 00:16:31,919
here itself so it's not like you have to
427
00:16:29,600 --> 00:16:34,320
open the files manually on the server
428
00:16:31,919 --> 00:16:36,078
and do it so this is also an easiest way
429
00:16:34,320 --> 00:16:38,399
so you can write down your queries and
430
00:16:36,078 --> 00:16:40,719
you can filter it based on that
431
00:16:38,399 --> 00:16:43,039
so other scenario will be like you may
432
00:16:40,720 --> 00:16:45,839
face like your splunk instance
433
00:16:43,039 --> 00:16:47,599
get crashed right so you can use uh this
434
00:16:45,839 --> 00:16:50,399
query like where source type will be
435
00:16:47,600 --> 00:16:51,920
splunk d crash dot log and it will tell
436
00:16:50,399 --> 00:16:54,000
you like how much time this splunk
437
00:16:51,919 --> 00:16:55,919
instance has been crashed you may also
438
00:16:54,000 --> 00:16:58,000
want to find out like when the splunk
439
00:16:55,919 --> 00:17:00,479
instance has been restarting or you
440
00:16:58,000 --> 00:17:02,799
know when the server was restarted last
441
00:17:00,480 --> 00:17:04,880
time the splunk's instance so you can
442
00:17:02,799 --> 00:17:06,558
use the splunk d dot log with the
443
00:17:04,880 --> 00:17:09,120
statement like splunk d starting so
444
00:17:06,558 --> 00:17:12,480
let's see what output we get from this
445
00:17:09,119 --> 00:17:15,838
so i will just search for uh splunk d
446
00:17:12,480 --> 00:17:17,360
starting first because if
447
00:17:15,838 --> 00:17:19,279
you want to check out check you know
448
00:17:17,359 --> 00:17:22,159
when your splunk has been restarted so
449
00:17:19,279 --> 00:17:24,160
if you see in last 24 hours uh this my
450
00:17:22,160 --> 00:17:25,919
splunk instance has been restarted at
451
00:17:24,160 --> 00:17:27,839
this time so it was
452
00:17:25,919 --> 00:17:30,320
splunk d starting message right if i
453
00:17:27,838 --> 00:17:33,279
change it for whole time let me see it
454
00:17:30,319 --> 00:17:35,038
may give me more informations
455
00:17:33,279 --> 00:17:37,440
so you can see it has done uh three to
456
00:17:35,038 --> 00:17:39,679
four three times the restart right so
457
00:17:37,440 --> 00:17:40,880
this is a new setup so it's not uh too
458
00:17:39,679 --> 00:17:42,480
old so
459
00:17:40,880 --> 00:17:45,679
you know so it has been only just
460
00:17:42,480 --> 00:17:47,759
restarted uh three times so this is also
461
00:17:45,679 --> 00:17:49,360
where you can find out when the splunk
462
00:17:47,759 --> 00:17:52,079
was restarted
463
00:17:49,359 --> 00:17:54,798
if you see this other search where we
464
00:17:52,079 --> 00:17:57,119
talk about splunkd crash.log
465
00:17:54,798 --> 00:17:59,519
i don't think i will have any data here
466
00:17:57,119 --> 00:18:00,399
because it has not been crashed
467
00:17:59,519 --> 00:18:02,400
anywhere
468
00:18:00,400 --> 00:18:05,600
so we don't have that source type at all
469
00:18:02,400 --> 00:18:07,600
so but if you have this you know um
470
00:18:05,599 --> 00:18:09,918
file because if your splunk has been
471
00:18:07,599 --> 00:18:11,519
crashed you'll have this source type
472
00:18:09,919 --> 00:18:14,960
then you should be able to do this
473
00:18:11,519 --> 00:18:17,839
search okay so let's uh you know uh
474
00:18:14,960 --> 00:18:19,360
uh find out some more better information
475
00:18:17,839 --> 00:18:21,279
other than this uh
476
00:18:19,359 --> 00:18:23,199
you know tools or like the search
477
00:18:21,279 --> 00:18:24,639
queries which you are using so what we
478
00:18:23,200 --> 00:18:27,038
understood is like we have different
479
00:18:24,640 --> 00:18:28,720
kind of log files so mainly you know uh
480
00:18:27,038 --> 00:18:30,640
when there is a data mismatch you have
481
00:18:28,720 --> 00:18:32,720
to go to splunkd.log and you have to
482
00:18:30,640 --> 00:18:34,559
find out what data is getting indexed
483
00:18:32,720 --> 00:18:36,798
and also you need to check the forwarder
484
00:18:34,558 --> 00:18:38,720
log so you can see what the forwarder is
485
00:18:36,798 --> 00:18:40,879
sending and what splunkd on the
486
00:18:38,720 --> 00:18:42,640
indexer is getting so if that matches
487
00:18:40,880 --> 00:18:44,160
yeah fine if there is a discrepancy
488
00:18:42,640 --> 00:18:46,799
then the data is not reaching to the
489
00:18:44,160 --> 00:18:48,880
indexer at all right and you know you
490
00:18:46,798 --> 00:18:50,639
may also see there will be reason like
491
00:18:48,880 --> 00:18:52,480
the deployment server is not getting
492
00:18:50,640 --> 00:18:53,679
configured correctly that's why the
493
00:18:52,480 --> 00:18:55,599
splunk uh
494
00:18:53,679 --> 00:18:57,679
configurations are not getting reflected
495
00:18:55,599 --> 00:19:00,159
there so that kind of scenario happen
496
00:18:57,679 --> 00:19:02,320
sometimes you know the crc file you know
497
00:19:00,160 --> 00:19:04,240
it's checking the crc it may not see any
498
00:19:02,319 --> 00:19:05,678
changes so you'll have to tweak
499
00:19:04,240 --> 00:19:07,839
something like you know there are other
500
00:19:05,679 --> 00:19:10,400
commands available in the stanza
501
00:19:07,839 --> 00:19:12,639
you can add where the crc
502
00:19:10,400 --> 00:19:14,960
values so you can by default it comes
503
00:19:12,640 --> 00:19:16,480
around 256, you can change a little
504
00:19:14,960 --> 00:19:18,558
bit so that you can search a little bit
505
00:19:16,480 --> 00:19:20,960
more of the file so you have to be very
506
00:19:18,558 --> 00:19:23,359
careful when you work on that so it can
507
00:19:20,960 --> 00:19:25,360
re-index the whole data again so you
508
00:19:23,359 --> 00:19:27,359
need to read through the documentation
509
00:19:25,359 --> 00:19:29,519
and check you know with splunk support
510
00:19:27,359 --> 00:19:31,839
you can raise splunk tickets if you have
511
00:19:29,519 --> 00:19:33,759
any queries if you have an enterprise
512
00:19:31,839 --> 00:19:36,079
license so you can register them and
513
00:19:33,759 --> 00:19:37,919
they'll be able to support and also you
514
00:19:36,079 --> 00:19:39,439
know you can have any license issues and
515
00:19:37,919 --> 00:19:41,038
everything sometimes you have to go back
516
00:19:39,440 --> 00:19:44,080
to them
517
00:19:41,038 --> 00:19:46,160
so another interesting tool which splunk
518
00:19:44,079 --> 00:19:47,038
is having is called splunk btool which
519
00:19:46,160 --> 00:19:48,798
will be
520
00:19:47,038 --> 00:19:50,720
very helpful so you can run the command
521
00:19:48,798 --> 00:19:52,558
like splunk help btool
522
00:19:50,720 --> 00:19:55,038
which is in the windows if it's in the
523
00:19:52,558 --> 00:19:57,759
linux you can put dot slash in the
524
00:19:55,038 --> 00:20:00,640
location of our splunk bin and then you
525
00:19:57,759 --> 00:20:02,558
run splunk help btool and you know let's
526
00:20:00,640 --> 00:20:04,640
see what we get when you run this in our
527
00:20:02,558 --> 00:20:07,599
machine
528
00:20:04,640 --> 00:20:10,400
so i'm inside the c program file splunk
529
00:20:07,599 --> 00:20:11,759
bin where the splunk will be available
530
00:20:10,400 --> 00:20:14,480
okay
531
00:20:11,759 --> 00:20:16,000
so if you see if i run splunk help btool
532
00:20:14,480 --> 00:20:18,159
it gives you
533
00:20:16,000 --> 00:20:20,400
quite some information like what
534
00:20:18,159 --> 00:20:23,280
a different kind of uh you know
535
00:20:20,400 --> 00:20:26,320
stanzas or you can do arguments with
536
00:20:23,279 --> 00:20:29,759
this so you can see btool config file
537
00:20:26,319 --> 00:20:32,240
list, btool check, right and you have other
538
00:20:29,759 --> 00:20:34,400
optional parameters which you can use
539
00:20:32,240 --> 00:20:37,279
right so different uh ways you can use
540
00:20:34,400 --> 00:20:39,280
this tool so let me show you some of uh
541
00:20:37,279 --> 00:20:41,839
simple examples
542
00:20:39,279 --> 00:20:43,759
so if i want to list all the indexes
543
00:20:41,839 --> 00:20:46,558
this is one of a way you can do it like
544
00:20:43,759 --> 00:20:48,558
splunk btool indexes list so it
545
00:20:46,558 --> 00:20:50,319
will list you all the details about the
546
00:20:48,558 --> 00:20:54,000
indexes you can then you can filter it
547
00:20:50,319 --> 00:20:55,839
using grep in linux or maybe in
548
00:20:54,000 --> 00:20:57,919
windows like findstr something
549
00:20:55,839 --> 00:21:01,959
like that so you can filter it let me
550
00:20:57,919 --> 00:21:01,960
show you with this command
551
00:21:05,440 --> 00:21:09,840
so if you see like you know when i run
552
00:21:07,359 --> 00:21:10,959
this command it has given a complete
553
00:21:09,839 --> 00:21:13,279
list of
554
00:21:10,960 --> 00:21:16,000
uh you know the indexes for example it's
555
00:21:13,279 --> 00:21:18,158
underscore audit which is uh index and
556
00:21:16,000 --> 00:21:19,440
it's giving a huge bunch of information
557
00:21:18,159 --> 00:21:21,840
about that
558
00:21:19,440 --> 00:21:24,480
that specific index and then it will go
559
00:21:21,839 --> 00:21:26,558
to the next index so if you see we have
560
00:21:24,480 --> 00:21:29,519
any underscore introspection which is
561
00:21:26,558 --> 00:21:32,000
another index and let me see you have
562
00:21:29,519 --> 00:21:34,720
underscore internal so you have a
563
00:21:32,000 --> 00:21:36,319
a whole list of indexes it's showing up
564
00:21:34,720 --> 00:21:38,558
and you know it will tell you what the
565
00:21:36,319 --> 00:21:40,240
complete information about a lot of
566
00:21:38,558 --> 00:21:42,240
information is there what you require
567
00:21:40,240 --> 00:21:44,480
you have to filter it so i just want to
568
00:21:42,240 --> 00:21:47,279
show you like you know the btool gives
569
00:21:44,480 --> 00:21:49,279
a different kind of output this is just one
570
00:21:47,279 --> 00:21:51,200
or two examples i'm just showing you how
571
00:21:49,279 --> 00:21:53,599
to read through the documentation for btool
572
00:21:51,200 --> 00:21:54,798
there are many more options you
573
00:21:53,599 --> 00:21:57,279
have it
574
00:21:54,798 --> 00:22:00,319
so one more example with btool
575
00:21:57,279 --> 00:22:03,200
like you can also use it to search uh
576
00:22:00,319 --> 00:22:05,119
like searches list in that specific app
577
00:22:03,200 --> 00:22:07,600
so if you see this we are using btool
578
00:22:05,119 --> 00:22:09,599
app under the search and we are using
579
00:22:07,599 --> 00:22:11,519
savedsearches list so it will list you
580
00:22:09,599 --> 00:22:12,719
all the saved searches let's see what
581
00:22:11,519 --> 00:22:15,440
we get
582
00:22:12,720 --> 00:22:17,759
so if you see if i run this command
583
00:22:15,440 --> 00:22:20,000
btool app search savedsearches list it
584
00:22:17,759 --> 00:22:21,919
will give you the uh different kind of
585
00:22:20,000 --> 00:22:24,480
searches like errors in the last 24
586
00:22:21,919 --> 00:22:26,640
hours in the last hour right
587
00:22:24,480 --> 00:22:29,679
license usage so similar way like if you
588
00:22:26,640 --> 00:22:32,559
have saved some kind of searches it
589
00:22:29,679 --> 00:22:34,880
will give you the complete uh details on
590
00:22:32,558 --> 00:22:37,599
when using this search query so these
591
00:22:34,880 --> 00:22:39,360
are some example okay so uh as i
592
00:22:37,599 --> 00:22:42,480
mentioned you know the main way of
593
00:22:39,359 --> 00:22:44,719
analyzing the splunk uh issues are using
594
00:22:42,480 --> 00:22:46,880
the log files and also the indexes like
595
00:22:44,720 --> 00:22:48,798
underscore internal or underscore audit
596
00:22:46,880 --> 00:22:51,840
you can write down your own queries you
597
00:22:48,798 --> 00:22:55,038
can get the you know performance issues
598
00:22:51,839 --> 00:22:57,119
or skip searches or you know it can be
599
00:22:55,038 --> 00:22:59,440
you know concurrent searches issues or
600
00:22:57,119 --> 00:23:01,439
the file is not getting indexed or it
601
00:22:59,440 --> 00:23:03,840
can be any kind of scenarios you just
602
00:23:01,440 --> 00:23:06,240
need to put what kind of data you need
603
00:23:03,839 --> 00:23:08,158
to analyze it then you should be able to
604
00:23:06,240 --> 00:23:10,558
easily interpret it
605
00:23:08,159 --> 00:23:12,320
so that is all for this tutorial so uh
606
00:23:10,558 --> 00:23:15,359
next tutorial maybe i will come up with
607
00:23:12,319 --> 00:23:17,200
the specific scenarios but i have to
608
00:23:15,359 --> 00:23:18,959
make the kind of scenario then i have to
609
00:23:17,200 --> 00:23:21,919
show you how to fix that so that's a
610
00:23:18,960 --> 00:23:23,759
little bit complicated so but i will try
611
00:23:21,919 --> 00:23:26,080
to find out that kind of tutorials in
612
00:23:23,759 --> 00:23:28,158
the upcoming tutorials but for now
613
00:23:26,079 --> 00:23:29,918
i'm logging off so i would request you
614
00:23:28,159 --> 00:23:32,400
like if you are new to my channel or if
615
00:23:29,919 --> 00:23:34,559
you're not subscribed kindly subscribe
616
00:23:32,400 --> 00:23:37,200
to my channel for more videos and also
617
00:23:34,558 --> 00:23:40,759
like my videos share and comment so
618
00:23:37,200 --> 00:23:40,759
thank you for watching
619
00:23:43,259 --> 00:23:49,009
[Music]