From the course: Splunk Core Certified User (SPLK-1001) Cert Prep
Splunk web user interface (UI) - Splunk Tutorial
After you install your instance of Splunk, what do you want to do? Maybe you wanted to index some data, you want to get insights from that data, create knowledge objects, or you wanted to perform some administration tasks like creating new users, configuring inputs, and whatnot. How are you going to connect to Splunk in order to do this?
There are different ways for you to use and administer Splunk, and the first and primary way of doing that is through this Splunk web user interface. So this just means that you can use and administer Splunk through a graphical user interface. Now, is this the only way for you to use and administer Splunk? Of course not. You have two other ways that you can use and administer Splunk. One of them is through this Splunk command line interface, where you're passing commands to a command binary and it's performing these actions for you. This is not in the scope of the Splunk Core Certified User course. And then the other one is configuration files. So almost every aspect of Splunk is governed by configuration files. Anything that you are doing on the Splunk web user interface, or even on the command line interface, ultimately it's going to update configuration files in the back end. But you can also work with these configuration files directly. And that's why we say that it's also a method for you to use and administer Splunk.
Now, an important concept with Splunk is Splunk users. When Splunk comes out-of-the-box, it has three main roles, which are the user role, the power role, and the admin role. Now, what is the importance of these roles? These roles have capabilities that control what you are able to do within Splunk. Now, with the user role, for example, you are able to create knowledge objects, but you are not able to share these knowledge objects. With the power role, you can create and share knowledge objects, and things like that. We're going to discuss a little bit more about these roles as we go down the line.
Now, the next aspect we see here is what these users can do. When you have users in Splunk that have been assigned the user role or the power role, their principal role is for them to get insights from the data. Users are typically people that maybe have expertise in some domain. For example, you work in an organization, and you are an expert at some vendor's data, and your organization happens to purchase Splunk, and then data from this vendor is indexed in Splunk. You are going to be the best-fit candidate to get insights from this data. When you log into Splunk with the user profile, maybe you just have a user role or a power role, you're going to be able to run searches on this data, you're going to perform analysis on this data, you're going to create visualizations. In general, you are getting insights from that data source that you are an expert on.
Then the other thing is to create knowledge objects. With knowledge objects, you can create things like reports, alerts, dashboards, data models, and so on. You create these objects there, and then it also gives you opportunities to share these knowledge objects so that other users can take advantage and use them as well. We're going to discuss reports, alerts, and dashboards in this course, and data models we're going to discuss in the Splunk Core Certified Power User course. Of course, there are several other knowledge objects that are not mentioned here.
Now, what about Splunk administrators? We said that we have three main roles: the user role, the power role, and the admin role. The admin role is the role that is given to Splunk administrators. Typically, Splunk administrators are able to do what users with the user role and the power role can do, but a bit more, because they can control everything within your Splunk installation. They have access to everything. Their main role is to perform administration tasks.
They administer the system, they can create users, they can configure authentication methods, they can create inputs to index data into the environment, they can work in a distributed environment and do things like distributed search, indexer clustering, and whatnot. Those are things that users that only have the user role or the power role are not able to do within the Splunk deployment.
Now, another thing with Splunk administrators is that they are there to support Splunk users. From day one, if your organization has Splunk, maybe they just purchased Splunk, and now the expectation is that you should go ahead and start analyzing the data from your domain of expertise and getting insights from it. You're going to have Splunk administrators that are going to be administering that Splunk instance, but one of their jobs is going to be to support you as a user that is new to Splunk. So maybe you wanted to create some knowledge objects and things like that. They can help you to do things of that nature.
Now, Splunk user exams are exclusively web-based. This is something that is very important. So when we start talking about exams, this course here is for the very first one, which is the Splunk Core Certified User certification. You don't need to know anything about Splunk CLI and configuration files. Everything for this exam is based on the Splunk web user interface. The second one, which is the Splunk Core Certified Power User, which is the next exam after this one that we also have a course for on Udemy, is all web-based as well. Then if you wanted to really enhance your knowledge of your Splunk user skills and build advanced skills as a Splunk user, then you can also take the Splunk Core Certified Advanced Power User, and this certification is also purely web-based. So the only time that you're going to get in contact with the Splunk CLI or configuration files is when you start working on the admin certification.
Now let's discuss how you can access the Splunk web user interface after installation. The first thing to note here is that the default port for Splunk Enterprise is port 8000. So when you install Splunk, this is the port number that is going to allow you to log into Splunk. Now, the first case here: if you install Splunk on a local machine, let's suppose that you install Splunk on your laptop. So to log in, what you're going to do, you use HTTP, you use localhost, and then you put the port number, because that's a local machine. Then it's going to give you the login prompt where you're going to be able to log into Splunk.
Now, what if you install Splunk on a remote instance, such as an AWS EC2 instance or an Azure virtual machine? Then what you have to do is to put HTTP, then in place of localhost you now have to put the public IP address of your virtual machine, because when you install a virtual machine, of course you're gonna have an IP address for it. Then you follow that with a port number, which is 8000 again, and then you'll be able to log in. Again, note that this 8000 is a default port number, so it's something that is configurable. An admin can go ahead and say, okay, I wanted to change the port, and say I'm gonna put 8001. So in that case you have to log in with 8001. But I'm just trying to say here that by default that port number is 8000.
And then also, one thing we saw is that during Splunk installation you have an option to configure the credentials that you're gonna log into your instance with as an administrator. So you configure a username and password, and that is the same username and password that you're going to use when you have this login prompt in order to log into your Splunk instance after installation.
Now we have an exam tip here. What is the default web port used by Splunk? And as we've said multiple times, the answer is port 8000.