English subtitles (transcript) for: Splunk Tutorial For Beginners _ Troubleshooting Splunk (1080p_30fps_H264-128kbit_AAC)

[00:00:01] [Music]

[00:00:15] Hello friends, welcome back to my channel, and today we are back with another exciting tutorial. This will be a Splunk tutorial for beginners, and there have been a lot of queries, a lot of requests on how to troubleshoot Splunk issues. We had done a lot of tutorials like how to set up Splunk and writing queries and all those things, but there was a request that in real production scenarios they may face some issues with the Splunk environment, and how can it be troubleshot. So in those cases I just wanted to show you some of the tips, like what are the log files, what kind of indexes, what kind of queries you can use, what kind of extra tools like btool which you can use for finding out some of the Splunk issues, and how you can analyze that.

[00:01:05] So some of the common Splunk issues which you come across or face would be like some data quality issues, or it can be search performance or capacity issues, or some license issues with Splunk, or it can be server usage issues, or Splunk crash issues. There are a lot more, but these are some common issues which you may come across, and for the way you can analyze them I will just show you some tips, like what kind of log files you can go and check and in which log file you can easily find out what. So let's check out those things. Before I get into that, I would request you, if you are new to my channel or if you have not subscribed to my channel, click on the subscribe button, also like my videos, share and comment.

[00:01:51] So let's get started with some of the common Splunk logs; that would be the best place to start. Splunk always writes most of its contents into some of the logs or some of the internal indexes, which we will see. Some of the common logs where you can go and identify these issues: one log file is called splunkd.log, and another one is called metrics.log, and audit.log, and license_usage.log, and splunkd_access.log. There are other logs as well, but these are some major logs which can be helpful, and out of these splunkd.log is the main one, where it will write all the contents of what splunkd is doing. Let's go and check out where it will be saved.

[00:02:38] Since I'm using a Windows machine and I have installed Splunk on this machine, these log files are located under your Splunk installation folder. So if it's under C:\Program Files\Splunk, that would be your Splunk home, and the logs should be under var\log\splunk; that will be the place where the logs will be available. In the case of a Linux installation it would be under your Splunk home; for example, if your Splunk home is /opt/splunk, then the log files will be under var/log/splunk, so it will be /opt/splunk/var/log/splunk. That would be the place where all these log files will be.

[00:03:20] As you can see, there are so many log files here. Mainly what we want to do is start with splunkd.log; that would be the main log where Splunk will write all its information. And you have other logs like splunkd_access.log, which I mentioned; you have something called audit.log; you have metrics.log, license_usage.log. There are other logs as well, but these are some major logs. Now if you go to this splunkd.log, as I mentioned, it will start writing all these activities, what it is doing, like splunkd starting, what the system info is, all those details it's trying to put here. You can see that; you can read through it when you want to find something, and it will also tell you what it's trying to do with each Splunk input, about indexing and all those things. You can see the stanza which is looking for the event log, and also it will be talking about what file it's watching.

[00:04:36] So if I search for "watch", you can see it will tell you the different files which it is watching. When Splunk is looking at those files, it will watch those files, and if there are any changes it will get them into the index as per our configurations. That's how it's done. For example, I have WindowsUpdate.log, which I am having; you can see there is a log which is added into this, so it will be watching that file, and it's also writing its different kinds of buckets and all those things; it also looks for the CRC. So all those details will be available in this log. It's not mandatory that you need to open this file and read through it; you can also directly access this from your Splunk instance. You can write a query and you can find out that information there.

[00:05:31] So when we talk about splunkd.log, which I mentioned: splunkd.log provides an overview of what Splunk is doing, so all the events are logged for all the Splunk components in this splunkd.log, and as I mentioned it's available in this folder, like Splunk home, which in Windows should be under Program Files\Splunk, whereas in Linux it should be the place where you installed, var/log/splunk. And this is a query which you can run, and I'll show you what we get. If you see, this is a sample which I showed, like in splunkd.log it watches the file which we want to index. So if you have a scenario where your file is not getting indexed, the best thing is to go and check in the log whether the file is getting watched, and also, if you have a forwarder which is sending the file, you can also check the splunkd.log on the forwarder client so that you can see what is happening from there as well.

[00:06:29] So if I run this query over here on the Splunk instance, you can see I'm running on the source, and if I run it, you can see it will give you all the components which we are having inside splunkd.log. It gives you a bunch of details of what is done. So if you see the bucket rollover, if I check it, it will tell you all the components, or the logs based on that; you can see "rolled to the hot DB bucket" from this one, and you can see here "finished moving hot to warm". So all that information is written in this log file, like how the buckets are moved from hot to warm and all those things; you can see all the details over here when I just search for that component. In a similar way you can check the other components. It's just a simple way: you just put a stats count by component and you will be getting the details. So it's not mandatory that you need to go to splunkd.log and then search it there.

[00:07:34] Before we go into the other log files, I also want to show you some of the indexes which will be very useful for analyzing. Some of the indexes like _internal and _audit: these are two main indexes. Other than the indexes which you will create, these are system indexes which will be very useful for your analysis or troubleshooting a lot of Splunk issues. One simple query: if you put in index=_internal and you do a stats by sourcetype and source, we can get some information from that. Let's see that. So if I go and put the source and sourcetype, it will give us the details on what contents we have in _internal. You can see there are different kinds of sourcetype and where the source, the file, is coming from. For example, splunkd is the sourcetype where it has multiple log files getting written: splunkd.log is one, utility, metrics, license_usage, health.log; all these things are written by splunkd. And we have ui_access, which is the Splunk UI access log, and we have config, we have mongodb, scheduler; there is web_access, which will be web_access.log. So the different kinds of logs, and which component each is written by, it gives you the details using this query.

[00:08:55] If I want to simplify it a little bit more for the splunkd case alone, I go like index=_internal, sourcetype is splunkd and source is splunkd.log, because there are different logs. Let's see what output we get from there. This should be similar to what you would go and search in splunkd.log, because we are finding all the details for splunkd.log. So now whatever we see in that log file we are going to get here, for example reading the file; all those details we will have here. And you'll have different filters over here, like, let's see, we have sourcetype, we have a file, so you can see different kinds of files you can filter with. If I go and select one of the files here, you can see it will show you that file alone. For example if I go and change this to WindowsUpdate.log, you can see if I run with this WindowsUpdate.log we get some logs based on that. If you see, the file is watched at this time, and also parsing the content, because it's coming from this stanza of our configuration. That's what it's trying to do. You can change the value from 24 hours to a week or so, then you'll get more details as well. So there are different ways you can simply find out which log is in splunkd, so it's not that you have to open splunkd.log from the location and read through it; you can easily filter it using your Splunk search as well.

[00:10:50] In the same way you can do it for the metrics logs as well, so let's find what we get there. If I go and search for metrics, you can see we get a lot of output here as well. For metrics you can see there are more metrics like throughput, instantaneous KB; different other parameters you get from metrics. So if we talk about metrics, this metrics log is where Splunk stores all the information of various groups of Splunk activities, such as throughput, queue sizes, response time, job counts. This kind of whole information is getting stored in metrics.log, so if you want to analyze some of those you need to check these logs, metrics.log. That's why I just want to show you.

[00:11:41] Now there is also another way: all this information, if you see, is getting stored into the index _internal. So if you don't want to search the whole information, if you want to get some errors or warnings, you can even query with that kind of query in the Splunk search. You can also advance that; if you want to specifically do it for splunkd.log you can do that, and you can table it with some log message and all those things. So this is a sample query which you can run; I will just run it and show you what we get. If I run this query for error or warning, you can see we get some output where the message will be based on that. You can see "the search has been cancelled"; that's one error message. You can see we have error; it's giving here, if you see, it's a warning message, the message "search has been cancelled". So based on that content also we can do some search. These are some samples I just want to show you, like what you can make use of, these kinds of queries to find some output. You can see host, component, the level (warning level, info, error), which server it's happening on. This kind of query you can write when you have some issues; based on that, if you want to find some error messages or warning messages you can try to run these kinds of queries, and you will get some kind of input from this which you can analyze.

[00:13:16] Similar to the metrics logs or splunkd.log, we have something called audit.log. If you want to find some information about any user activity such as logins or searches run and all those things, the audit.log is the best place. This audit.log is not for web-based UI login activities; this audit is for other user activities. We'll also talk about another one called splunkd_access.log, which will be mainly used for UI login things. License usage is also another log which you can make use of, to find out how much is indexed, the volume of bytes per license, indexes, source, sourcetype; those kinds of things are happening using license_usage.log. And as I mentioned, splunkd_access.log gives you the details of splunkd accessed through the UI, logged in like Splunk Web, CLI, or POST, GET, DELETE, search. So when you do it through the Splunk UI login, those things will get stored in splunkd_access.log.

[00:14:21] You can see there are other scenarios also, like you may face some issues where you have a Splunk search which is getting skipped or something. If you want to get the details of what kind of searches are getting skipped, you can use some queries like this: index=_internal, and the sourcetype should be scheduler, and the status like skipped. So if you are having skipped searches you can find them with this. Let's see what we get; let me run this search. You can see I don't have any output at all, because I don't have any searches which are skipped, so I'll just remove the status and let's see what we get. Now I have the details about the searches; I have now sourcetype scheduler, and you can see "completed reading history", those kinds of things are there. Now if I go to the status, I have only a state called success, so that means the searches are successful, but if you have some skipped searches, you can use status equal to skipped, then you will see what searches are skipped, and based on that you will be able to take your actions.

[00:15:29] Based on that, you may also want to analyze some things like concurrent searches and all those things. In this case you can use this search, like index=_internal, sourcetype metrics, and the group is like search_concurrency. That will also give you some detail, like how many concurrent searches we can do, those kinds of things. So let me do that search over here; I will do a search with this metrics.log. You can see we have search concurrency and the metrics, so minimum queue, those kinds of information are available in this search. Because what we are trying to do is make use of _internal and the sourcetypes; we are using mainly splunkd.log and metrics.log, and I think we have also used scheduler, so different kinds of sources we have, and using that we can make use of the different kinds of events, the log files, over here itself. So it's not like you have to open the files manually on the server and do it. This is also the easiest way, so you can write down your queries and filter based on that.

[00:16:38] Another scenario will be like you may face your Splunk instance getting crashed. You can use this query where the sourcetype will be the splunkd crash log, and it will tell you how many times this Splunk instance has been crashed. You may also want to find out when the Splunk instance has been restarting, or when the server was restarted last time, the Splunk instance. You can use splunkd.log with the statement like "splunkd starting". Let's see what output we get from this. I will just search for "splunkd starting" first, because if you want to check when your Splunk has been restarted: if you see, in the last 24 hours my Splunk instance has been restarted at this time; it was the "splunkd starting" message. If I change it to all time, let me see, it may give me more information. You can see it has done three to four, three restarts. This is a new setup, so it's not too old, so it has only just been restarted three times. This is also where you can find out when Splunk was restarted.

[00:17:49] If you see this other search, where we talk about the splunkd crash log, I don't think I will have any data here because it has not crashed anywhere, so we don't have that sourcetype at all. But if you have this file, because if your Splunk has crashed you'll have this sourcetype, then you should be able to do this search.

[00:18:11] So let's find out some more, better information other than these tools, or like the search queries which we are using. What we understood is that we have different kinds of log files. Mainly, when there is a data mismatch you have to go to splunkd.log and find out what data is getting indexed, and also you need to check the forwarder log so you can see what the forwarder is sending and what splunkd on the indexer is getting. If that matches, fine; if there is a discrepancy, then the data is not reaching the indexer at all. And you may also see there will be reasons like the deployment server is not configured correctly, that's why the Splunk configurations are not getting reflected there; that kind of scenario happens sometimes. The CRC file: it's checking the CRC, it may not see any changes, so you'll have to tweak something. There are other commands available in the stanza where you can add the CRC values; by default it comes around 256. You can change it a little bit so that you can search a little bit more of the file, but you have to be very careful when you work on that, since it can re-index the whole data again. So you need to read through the documentation and check with Splunk support; you can raise Splunk tickets if you have any queries, if you have an enterprise license, so you can register with them and they'll be able to support. And also, if you have any license issues and everything, sometimes you have to go back to them.

[00:19:41] Another interesting tool which Splunk has is called Splunk btool, which...
00:19:48,798 will be 520 00:19:47,038 --> 00:19:50,720 very helpful so you can run the command 521 00:19:48,798 --> 00:19:52,558 like splunk help b tool 522 00:19:50,720 --> 00:19:55,038 which is in the windows if it's in the 523 00:19:52,558 --> 00:19:57,759 linux you can put dot slash in the 524 00:19:55,038 --> 00:20:00,640 location of our splunk bin and then you 525 00:19:57,759 --> 00:20:02,558 allow splunk help b2 and you know let's 526 00:20:00,640 --> 00:20:04,640 see what we get when you run this in our 527 00:20:02,558 --> 00:20:07,599 machine 528 00:20:04,640 --> 00:20:10,400 so i'm inside the c program file splunk 529 00:20:07,599 --> 00:20:11,759 bin where the splunk will be available 530 00:20:10,400 --> 00:20:14,480 okay 531 00:20:11,759 --> 00:20:16,000 so if you see if i run a splunk help b 532 00:20:14,480 --> 00:20:18,159 tool it give you 533 00:20:16,000 --> 00:20:20,400 quite some information like what 534 00:20:18,159 --> 00:20:23,280 a different kind of uh you know 535 00:20:20,400 --> 00:20:26,320 stanzas or you can do arguments with 536 00:20:23,279 --> 00:20:29,759 this so you can see b tool config file 537 00:20:26,319 --> 00:20:32,240 list b check right and you have uh other 538 00:20:29,759 --> 00:20:34,400 optional parameters which you can use 539 00:20:32,240 --> 00:20:37,279 right so different uh ways you can use 540 00:20:34,400 --> 00:20:39,280 this tool so let me show you some of uh 541 00:20:37,279 --> 00:20:41,839 simple examples 542 00:20:39,279 --> 00:20:43,759 so if i want to list all the indexes 543 00:20:41,839 --> 00:20:46,558 this is one of a way you can do it like 544 00:20:43,759 --> 00:20:48,558 splunk b tool indexes dot list so it 545 00:20:46,558 --> 00:20:50,319 will list you all the details about the 546 00:20:48,558 --> 00:20:54,000 indexes you can then you can filter it 547 00:20:50,319 --> 00:20:55,839 using uh graph in linux or in maybe in 548 00:20:54,000 --> 00:20:57,919 windows like a find string something 
549 00:20:55,839 --> 00:21:01,959 like that so you can filter it let me 550 00:20:57,919 --> 00:21:01,960 show you with this command 551 00:21:05,440 --> 00:21:09,840 so if you see like you know when i run 552 00:21:07,359 --> 00:21:10,959 this command it has given a complete 553 00:21:09,839 --> 00:21:13,279 list of 554 00:21:10,960 --> 00:21:16,000 uh you know the indexes for example it's 555 00:21:13,279 --> 00:21:18,158 underscore audit which is uh index and 556 00:21:16,000 --> 00:21:19,440 it's giving a huge bunch of information 557 00:21:18,159 --> 00:21:21,840 about that 558 00:21:19,440 --> 00:21:24,480 that specific index and then it will go 559 00:21:21,839 --> 00:21:26,558 to the next index so if you see we have 560 00:21:24,480 --> 00:21:29,519 any underscore introspection which is 561 00:21:26,558 --> 00:21:32,000 another index and let me see you have 562 00:21:29,519 --> 00:21:34,720 underscore internal so you have a 563 00:21:32,000 --> 00:21:36,319 a whole list of indexes it's showing up 564 00:21:34,720 --> 00:21:38,558 and you know it will tell you what the 565 00:21:36,319 --> 00:21:40,240 complete information about a lot of 566 00:21:38,558 --> 00:21:42,240 information is there what you require 567 00:21:40,240 --> 00:21:44,480 you have to filter it so i just want to 568 00:21:42,240 --> 00:21:47,279 show you like you know the b tool gives 569 00:21:44,480 --> 00:21:49,279 a different kind of this is a once one 570 00:21:47,279 --> 00:21:51,200 or two example i'm just showing you how 571 00:21:49,279 --> 00:21:53,599 to read through the documentation for b 572 00:21:51,200 --> 00:21:54,798 tool there are huge more options you 573 00:21:53,599 --> 00:21:57,279 have it 574 00:21:54,798 --> 00:22:00,319 so and one more other example with b2 575 00:21:57,279 --> 00:22:03,200 like you can also use it to search uh 576 00:22:00,319 --> 00:22:05,119 like searches list in that specific app 577 00:22:03,200 --> 00:22:07,600 so if you see this we are 
using b tool 578 00:22:05,119 --> 00:22:09,599 app under the search and we are using 579 00:22:07,599 --> 00:22:11,519 save searches list so it will list you 580 00:22:09,599 --> 00:22:12,719 all the saved searchers let's see what 581 00:22:11,519 --> 00:22:15,440 we get 582 00:22:12,720 --> 00:22:17,759 so if you see if i run uh this command b 583 00:22:15,440 --> 00:22:20,000 tool app search search searches list it 584 00:22:17,759 --> 00:22:21,919 will give you the uh different kind of 585 00:22:20,000 --> 00:22:24,480 searches like errors in the last 24 586 00:22:21,919 --> 00:22:26,640 hours in the last hour right 587 00:22:24,480 --> 00:22:29,679 license usage so similar way like if you 588 00:22:26,640 --> 00:22:32,559 have served uh some kind of searches it 589 00:22:29,679 --> 00:22:34,880 will give you the complete uh details on 590 00:22:32,558 --> 00:22:37,599 when using this search query so these 591 00:22:34,880 --> 00:22:39,360 are some example okay so uh as i 592 00:22:37,599 --> 00:22:42,480 mentioned you know the main way of 593 00:22:39,359 --> 00:22:44,719 analyzing the splunk uh issues are using 594 00:22:42,480 --> 00:22:46,880 the log files and also the indexes like 595 00:22:44,720 --> 00:22:48,798 underscore internal or underscore audit 596 00:22:46,880 --> 00:22:51,840 you can write down your own queries you 597 00:22:48,798 --> 00:22:55,038 can get the you know performance issues 598 00:22:51,839 --> 00:22:57,119 or skip searches or you know it can be 599 00:22:55,038 --> 00:22:59,440 you know concurrent searches issues or 600 00:22:57,119 --> 00:23:01,439 the file is not getting indexed or it 601 00:22:59,440 --> 00:23:03,840 can be any kind of scenarios you just 602 00:23:01,440 --> 00:23:06,240 need to put what kind of data you need 603 00:23:03,839 --> 00:23:08,158 to analyze it then you should be able to 604 00:23:06,240 --> 00:23:10,558 easily interpret interpreted 605 00:23:08,159 --> 00:23:12,320 so that is all for this tutorial 
so uh 606 00:23:10,558 --> 00:23:15,359 next tutorial maybe i will come up with 607 00:23:12,319 --> 00:23:17,200 the specific scenarios but i have to 608 00:23:15,359 --> 00:23:18,959 make the kind of scenario then i have to 609 00:23:17,200 --> 00:23:21,919 show you how to fix that so that's a 610 00:23:18,960 --> 00:23:23,759 little bit complicated so but i will try 611 00:23:21,919 --> 00:23:26,080 to find out that kind of tutorials in 612 00:23:23,759 --> 00:23:28,158 the upcoming tutorials but for now 613 00:23:26,079 --> 00:23:29,918 i'm logging off so i would request you 614 00:23:28,159 --> 00:23:32,400 like if you are new to my channel or if 615 00:23:29,919 --> 00:23:34,559 you're not subscribed kindly subscribe 616 00:23:32,400 --> 00:23:37,200 to my channel for more videos and also 617 00:23:34,558 --> 00:23:40,759 like my videos share and comment so 618 00:23:37,200 --> 00:23:40,759 thank you for watching 619 00:23:43,259 --> 00:23:49,009 [Music] 45865
