Starting: 1st of Every Month 
+91 8409492687 
Contact@DevOpsSchool.com
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Role Public IP Pvt IP | |
| =============================================================== | |
| Universal Forwarder 13.233.132.116 172.31.20.154 | |
| Heavy Forwarder 13.127.211.39 172.31.17.212 | |
| Indexer 52.66.211.133 172.31.27.101 | |
| Search Head 13.127.12.193 172.31.20.122 | |
| Software - | |
| Universal Forwarder - https://s3.ap-south-1.amazonaws.com/scmgalaxy/splunkforwarder-7.2.3-06d57c595b80-Linux-x86_64.tgz | |
| Splunk Full - https://s3.ap-south-1.amazonaws.com/scmgalaxy/splunk-7.2.5-088f49762779-Linux-x86_64.tgz | |
| Universal Forwarder - 13.233.132.116 172.31.20.154 | |
| ================================== | |
| Installation | |
| ----------- | |
| cd /opt | |
| yum install wget -y | |
| wget https://s3.ap-south-1.amazonaws.com/scmgalaxy/splunkforwarder-7.2.3-06d57c595b80-Linux-x86_64.tgz | |
| tar -zxvf splunkforwarder-7.2.3-06d57c595b80-Linux-x86_64.tgz | |
| How to send raw data to heavy forwarder | |
| -------------------- | |
| cd /opt/splunkforwarder/bin/ | |
| ./splunk start --accept-license | |
| ./splunk enable boot-start | |
| ./splunk add forward-server 172.31.17.212:9997 -auth admin:admin123 | |
| ./splunk list forward-server | |
| ./splunk list monitor | |
| &&&& | |
| LAST======================= | |
| cd /opt/splunkforwarder/bin/ | |
| ./splunk list monitor | |
| ./splunk add monitor /opt/tmp/access_30DAY.log -sourcetype access -index rajesh | |
| ./splunk add monitor /opt/tmp/db_audit_30DAY.csv -sourcetype db_audit -index rajesh | |
| ./splunk add monitor /opt/tmp/linux_s_30DAY.log -sourcetype linux -index rajesh | |
| ./splunk list monitor | |
| ./splunk add monitor /var/log | |
| ==================== | |
| How to upload a file | |
| sudo ./splunk add oneshot /opt/tmp/access_30DAY.log | |
| sudo ./splunk add oneshot /opt/tmp/db_audit_30DAY.csv | |
| sudo ./splunk add oneshot /opt/tmp/linux_s_30DAY.log | |
| sudo ./splunk add oneshot /opt/tmp/access_30DAY.log -sourcetype access -index rajesh | |
| sudo ./splunk add oneshot /opt/tmp/db_audit_30DAY.csv -sourcetype db_audit -index rajesh | |
| =========================== | |
| Heavy Forwarder - 13.127.211.39 172.31.17.212 | |
| ================================== | |
| Installation | |
| ----------- | |
| cd /opt | |
| yum install wget -y | |
| yum install git -y | |
| wget https://s3.ap-south-1.amazonaws.com/scmgalaxy/splunk-7.2.5-088f49762779-Linux-x86_64.tgz | |
| tar -zxvf splunk-7.2.5-088f49762779-Linux-x86_64.tgz | |
| Start a Heavy Forwarder | |
| ----------- | |
| cd /opt | |
| cd splunk | |
| cd bin | |
| ./splunk start --accept-license | |
| admin/admin123 | |
| ./splunk enable boot-start | |
| http://13.127.211.39:8000/ | |
| How to convert into Heavy Forwarder | |
| -------------- | |
| Setting => Licencig ==> Change Licence Group => Forwarder License => Restart now | |
| Setting => Forwarding and Receiving => Configure Forwarding => Add New | |
| Host Machine = X.X.X.X:9997 i.e 172.31.27.101:9997 | |
| Where as X.X.X.X is Indexer ip addreess | |
| 1. Settings => Monitoring console => Setting => Forwarder Monitoring Setup => Forwarder Monitoring (ENABLE with 15 mins) | |
| 2. Settings => Forwarding and Recieving => Receive data => Add New ==> Listen on this port (For example, 9997 will receive data on TCP port 9997) | |
| 3. Restart a Splunk Instance | |
| Settings => Server Controls => Restart Splunk | |
| -------- | |
| How to send parsed event to indexer? | |
| ------------ | |
| cd /opt/splunk/bin | |
| ./splunk add forward-server 172.31.18.109:9997 -auth admin:admin123 | |
| ./splunk list forward-server | |
| Indexer - 52.66.211.133 172.31.27.101 | |
| ================================== | |
| Installation | |
| ----------- | |
| cd /opt | |
| yum install wget -y | |
| yum install git -y | |
| wget https://s3.ap-south-1.amazonaws.com/scmgalaxy/splunk-7.2.5-088f49762779-Linux-x86_64.tgz | |
| tar -zxvf splunk-7.2.5-088f49762779-Linux-x86_64.tgz | |
| Start a Indexer | |
| ----------- | |
| cd /opt | |
| cd splunk | |
| cd bin | |
| ./splunk start --accept-license | |
| admin/admin123 | |
| ./splunk enable boot-start | |
| http://52.66.211.133:8000 | |
| How to convert into Indexer | |
| -------------- | |
| 1. Settings => Monitoring console => Setting => Forwarder Monitoring Setup => Forwarder Monitoring (ENABLE with 15 mins) | |
| 2. Settings => Forwarding and Recieving => Receive data => Add New ==> Listen on this port (For example, 9997 will receive data on TCP port 9997) | |
| 3. Restart a Splunk Instance | |
| Settings => Server Controls => Restart Splunk | |
| Search Head - 13.127.12.193 172.31.20.122 | |
| ================================== | |
| Installation | |
| ----------- | |
| cd /opt | |
| yum install wget -y | |
| wget https://s3.ap-south-1.amazonaws.com/scmgalaxy/splunk-7.2.5-088f49762779-Linux-x86_64.tgz | |
| tar -zxvf splunk-7.2.5-088f49762779-Linux-x86_64.tgz | |
| Start a Search Head | |
| ----------- | |
| cd /opt | |
| cd splunk | |
| cd bin | |
| ./splunk start --accept-license | |
| admin/admin123 | |
| ./splunk enable boot-start | |
| http://13.127.12.193:8000 | |
| How to convert into Search Head | |
| ----------------------- | |
| Setting => Distributed Search => Distributed search setup => Turn on distributed search == YES | |
| Setting => Distributed Search => Search peers ==> Add NEw => | |
| INSERT - https://172.31.27.101:8089 | |
| where as 172.31.18.109 = indexer ip address | |
| 8089 = mgmt port of index | |
| https://answers.splunk.com/answers/455606/how-to-add-and-configure-a-new-indexer-to-my-splun.html | |
| https://answers.splunk.com/answers/588379/how-do-we-add-a-new-indexer-and-search-head-to-our.html | |
| https://docs.splunk.com/Documentation/Splunk/7.0.0/DistSearch/Configuredistributedsearch | |
| https://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad#Configure_selective_indexing | |
| https://docs.splunk.com/Documentation/Forwarder/7.2.4/Forwarder/Forwarderdeploymenttopologies | |
| https://docs.splunk.com/Documentation/Splunk/7.2.4/Forwarding/Deployaheavyforwarder | |
| https://answers.splunk.com/answers/522532/how-to-get-data-from-host-to-heavy-forwarder-to-in-1.html | |
| https://answers.splunk.com/answers/589380/how-do-you-convert-an-indexer-into-a-heavy-forward.html | |
| https://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad#Configure_selective_indexing | |
| Windows Issues with 401 | |
| https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/Turnonbasicencryptionusingweb.conf |
by 
I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I am working at Cotocus. I blog tech insights at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at I reviewed , and SEO strategies at Wizbrand.
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at PINTEREST
Rajesh Kumar at QUORA
Rajesh Kumar at WIZBRAND
