Learn Splunk in 10 Days

Day 1: Welcome to Splunk

What You Will Learn Today

  • What Splunk is and why it matters
  • Splunk's architecture
  • Installation and setup
  • Navigating the Web UI
  • Running your first search

What Is Splunk?

Splunk is a platform for collecting, indexing, searching, analyzing, and visualizing machine data (logs). It can handle virtually any type of machine-generated data: server logs, application logs, network traffic, security events, and more.

flowchart LR
    subgraph Sources["Data Sources"]
        S1["Web Server<br>Logs"]
        S2["Application<br>Logs"]
        S3["OS<br>Logs"]
        S4["Network<br>Data"]
    end
    subgraph Splunk["Splunk"]
        Collect["Collect"]
        Index["Index"]
        Search["Search & Analyze"]
        Visualize["Visualize"]
    end
    Sources --> Collect --> Index --> Search --> Visualize
    style Collect fill:#3b82f6,color:#fff
    style Index fill:#8b5cf6,color:#fff
    style Search fill:#22c55e,color:#fff
    style Visualize fill:#f59e0b,color:#fff

Common Use Cases

Domain              Use Cases
------              ---------
IT Operations       Server monitoring, incident analysis, performance management
Security            SIEM, threat detection, incident response
Business Analytics  Log-based KPI analysis, user behavior analytics
DevOps              CI/CD pipeline monitoring, deployment tracking
IoT                 Sensor data collection and analysis

Splunk Architecture

Splunk is built on three core components.

flowchart TB
    subgraph Tier["Splunk's Three-Tier Architecture"]
        FW["Forwarder<br>Data collection & forwarding"]
        IDX["Indexer<br>Data storage & indexing"]
        SH["Search Head<br>Search & visualization"]
    end
    FW -->|"Forward data"| IDX
    SH -->|"Search request"| IDX
    IDX -->|"Search results"| SH
    style FW fill:#3b82f6,color:#fff
    style IDX fill:#22c55e,color:#fff
    style SH fill:#f59e0b,color:#fff

Component    Role              Description
---------    ----              -----------
Forwarder    Data collection   Collects logs and forwards them to the indexer
Indexer      Data storage      Stores data in indexes and makes it searchable
Search Head  Search & display  Provides the user interface and search engine

Types of Forwarders

Type                      Description                               Use Case
----                      -----------                               --------
Universal Forwarder (UF)  Lightweight, forwards data only           Deploying on production servers
Heavy Forwarder (HF)      Full-featured, can parse and filter data  Data filtering and transformation

Installation

Splunk Enterprise (Free Trial)

Splunk Enterprise is free for up to 500 MB/day of data ingestion.

# macOS
brew install --cask splunk

# Linux (tar.gz)
wget -O splunk.tgz "https://download.splunk.com/products/splunk/releases/latest/linux/splunk-latest-Linux-x86_64.tgz"
tar xvzf splunk.tgz -C /opt

# First-time startup
/opt/splunk/bin/splunk start --accept-license
# You will be prompted to create an admin username and password

Running with Docker

docker run -d \
  --name splunk \
  -p 8000:8000 \
  -p 8089:8089 \
  -e SPLUNK_START_ARGS="--accept-license" \
  -e SPLUNK_PASSWORD="YourPassword123!" \
  splunk/splunk:latest

Recommended: Docker is the easiest way to get started for learning purposes.

Accessing Splunk

Open your browser and navigate to http://localhost:8000, then log in with the username and password you configured.


Web UI Basics

flowchart TB
    subgraph UI["Splunk Web UI"]
        SearchBar["Search Bar<br>Enter SPL queries"]
        TimeRange["Time Range Picker<br>Set search time window"]
        Results["Search Results<br>Event listing"]
        Sidebar["Fields Sidebar<br>Available fields"]
    end
    SearchBar --> Results
    TimeRange --> Results
    Sidebar --> Results
    style SearchBar fill:#3b82f6,color:#fff
    style TimeRange fill:#f59e0b,color:#fff
    style Results fill:#22c55e,color:#fff
    style Sidebar fill:#8b5cf6,color:#fff

Key Screens

Screen       Path                    Description
------       ----                    -----------
Search       Search & Reporting      Execute SPL queries
Dashboards   Dashboards              View visualization panels
Data Inputs  Settings > Data inputs  Configure data sources
Indexes      Settings > Indexes      Manage indexes

Ingesting Your First Data

Adding Sample Data

  1. Go to Settings > Add Data
  2. Select Upload
  3. Upload a test log file

Creating a Test Log File

2026-01-30 10:00:01 INFO  [web-server] GET /index.html 200 0.023s user=alice ip=192.168.1.10
2026-01-30 10:00:05 WARN  [web-server] GET /api/users 429 0.150s user=bob ip=192.168.1.20
2026-01-30 10:00:10 ERROR [web-server] POST /api/login 500 1.200s user=charlie ip=192.168.1.30
2026-01-30 10:00:15 INFO  [web-server] GET /dashboard 200 0.045s user=alice ip=192.168.1.10
2026-01-30 10:00:20 INFO  [web-server] GET /api/data 200 0.089s user=dave ip=192.168.1.40
2026-01-30 10:00:25 ERROR [web-server] GET /api/reports 503 2.500s user=eve ip=192.168.1.50
2026-01-30 10:00:30 INFO  [web-server] POST /api/upload 201 0.500s user=alice ip=192.168.1.10
2026-01-30 10:00:35 WARN  [web-server] GET /api/search 408 5.000s user=bob ip=192.168.1.20

Save this as webserver.log and upload it to Splunk.


Your First Search

Basic Search

index=main

This displays all events in the main index.

Keyword Search

index=main ERROR

This shows only events containing the word "ERROR".

Setting the Time Range

Use the time picker next to the search bar to set the search time window.

Range            Description
-----            -----------
Last 15 minutes  Events from the past 15 minutes
Last 60 minutes  Events from the past hour
Last 24 hours    Events from the past day
Last 7 days      Events from the past week
All time         All available events

Basic SPL Syntax

index=main sourcetype=access_log status=500

Element                Description
-------                -----------
index=main             The index to search
sourcetype=access_log  The type of data
status=500             Filter by field value

Core Splunk Concepts

Concept     Description                       Example
-------     -----------                       -------
Event       A single log entry                One line of an access log
Index       A data repository                 main, security
Sourcetype  The data format                   syslog, access_combined
Source      Where the data came from          /var/log/messages
Host        The originating machine           web-server-01
Field       A key=value pair within an event  status=200, user=alice

flowchart TB
    Event["Event<br>A single log record"]
    subgraph Metadata["Metadata"]
        Index["index<br>Data repository"]
        Source["source<br>File path"]
        Sourcetype["sourcetype<br>Data format"]
        Host["host<br>Originating host"]
    end
    subgraph Fields["Fields"]
        F1["status=200"]
        F2["user=alice"]
        F3["ip=192.168.1.10"]
    end
    Event --> Metadata
    Event --> Fields
    style Event fill:#3b82f6,color:#fff
    style Metadata fill:#22c55e,color:#fff
    style Fields fill:#f59e0b,color:#fff

Introduction to SPL (Search Processing Language)

SPL is Splunk's query language. You chain commands together using pipes (|), just like in Unix.

index=main ERROR
| stats count by source
| sort -count

flowchart LR
    Search["Search<br>index=main ERROR"]
    Stats["Aggregate<br>stats count by source"]
    Sort["Sort<br>sort -count"]
    Search -->|"|"| Stats -->|"|"| Sort
    style Search fill:#3b82f6,color:#fff
    style Stats fill:#22c55e,color:#fff
    style Sort fill:#f59e0b,color:#fff

Key insight: SPL follows the same philosophy as Unix pipes. The output of one command becomes the input of the next.
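To make the pipe model concrete, here is an added example (not Splunk's own code) that models the core concepts above (an event with its index, source, sourcetype and host metadata plus search-time key=value field extraction) and runs the three-stage pipeline from this section over the webserver.log lines from earlier in the lesson. The source paths, host names and the "webserver" sourcetype are constructed for the example; keyword matching is simplified to a case-insensitive substring test, and field filters are exact matches. The same functions answer Exercise 2 (INFO/WARN/ERROR counts).

```python
"""Mini model of Splunk's search pipeline over the Day 1 sample log.

Added example, not Splunk's own code. It models two things from the text:
  - an event carrying Splunk's default metadata fields (index, source,
    sourcetype, host) plus search-time key=value field extraction, and
  - the SPL pipeline  index=main ERROR | stats count by source | sort -count
    as three functions chained the way the pipe chains commands.
"""
import re
from collections import Counter

# Constructed sample data: the eight webserver.log lines from the text,
# spread over two hypothetical source files and hosts so that
# "stats count by source" / "by host" has more than one group.
RAW_EVENTS = [
    ("/var/log/web/web1.log", "web-server-01",
     "2026-01-30 10:00:01 INFO  [web-server] GET /index.html 200 0.023s user=alice ip=192.168.1.10"),
    ("/var/log/web/web1.log", "web-server-01",
     "2026-01-30 10:00:05 WARN  [web-server] GET /api/users 429 0.150s user=bob ip=192.168.1.20"),
    ("/var/log/web/web1.log", "web-server-01",
     "2026-01-30 10:00:10 ERROR [web-server] POST /api/login 500 1.200s user=charlie ip=192.168.1.30"),
    ("/var/log/web/web1.log", "web-server-01",
     "2026-01-30 10:00:15 INFO  [web-server] GET /dashboard 200 0.045s user=alice ip=192.168.1.10"),
    ("/var/log/web/web2.log", "web-server-02",
     "2026-01-30 10:00:20 INFO  [web-server] GET /api/data 200 0.089s user=dave ip=192.168.1.40"),
    ("/var/log/web/web2.log", "web-server-02",
     "2026-01-30 10:00:25 ERROR [web-server] GET /api/reports 503 2.500s user=eve ip=192.168.1.50"),
    ("/var/log/web/web2.log", "web-server-02",
     "2026-01-30 10:00:30 INFO  [web-server] POST /api/upload 201 0.500s user=alice ip=192.168.1.10"),
    ("/var/log/web/web2.log", "web-server-02",
     "2026-01-30 10:00:35 WARN  [web-server] GET /api/search 408 5.000s user=bob ip=192.168.1.20"),
]

# Splunk extracts key=value pairs from event text automatically at search time.
KV_RE = re.compile(r"(\w+)=(\S+)")
# Positional fields of this log format (what a sourcetype's field extraction would define).
LINE_RE = re.compile(
    r"^(?P<_time>\S+ \S+) (?P<level>[A-Z]+)\s+\[(?P<component>[^\]]+)\] "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3}) (?P<duration>[\d.]+)s"
)


def parse_event(source, host, raw, index="main", sourcetype="webserver"):
    """Build one event: metadata, the raw text (_raw) and the extracted fields."""
    event = {"index": index, "source": source, "sourcetype": sourcetype,
             "host": host, "_raw": raw}
    m = LINE_RE.match(raw)
    if m:
        event.update(m.groupdict())
    event.update(KV_RE.findall(raw))  # user=alice, ip=192.168.1.10, ...
    return event


def search(events, index=None, keyword=None, **field_filters):
    """Stage 1: e.g. search(events, index="main", keyword="ERROR", status="500").

    Keyword matching is case-insensitive (simplified to a substring test);
    field filters are exact matches on extracted or metadata fields.
    """
    hits = []
    for e in events:
        if index is not None and e["index"] != index:
            continue
        if keyword is not None and keyword.lower() not in e["_raw"].lower():
            continue
        if any(e.get(field) != value for field, value in field_filters.items()):
            continue
        hits.append(e)
    return hits


def stats_count_by(events, field):
    """| stats count by <field>: one result row per distinct field value."""
    counts = Counter(e[field] for e in events if field in e)
    return [{field: value, "count": n} for value, n in counts.items()]


def sort_by(rows, field, descending=True):
    """| sort -<field> (descending, the default here) or | sort <field>."""
    return sorted(rows, key=lambda row: row[field], reverse=descending)


EVENTS = [parse_event(src, host, raw) for src, host, raw in RAW_EVENTS]


def errors_by(field):
    """The lesson's pipeline, parameterised on the grouping field:
    index=main ERROR | stats count by <field> | sort -count"""
    errors = search(EVENTS, index="main", keyword="ERROR")
    return sort_by(stats_count_by(errors, field), "count")


if __name__ == "__main__":
    for row in errors_by("source"):
        print(row)
    # Exercise 2: compare INFO / WARN / ERROR event counts.
    for row in sort_by(stats_count_by(EVENTS, "level"), "count"):
        print(row)
```

Each function takes the previous function's output as its input, which is exactly what the pipe does in SPL; swapping "source" for "user" or "host" in `errors_by` is the same change as editing the `by` clause in the search bar.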


Summary

Concept      Description
-------      -----------
Splunk       A platform for collecting, searching, and analyzing machine data
Forwarder    Collects and forwards data
Indexer      Stores and indexes data
Search Head  Provides search and visualization UI
SPL          Splunk's query language
Index        A data repository
Sourcetype   Defines the data format

Key Takeaways

  1. Splunk is a platform designed for machine data
  2. It uses a three-tier architecture (Forwarder -> Indexer -> Search Head)
  3. SPL chains commands together with pipes
  4. The free license allows up to 500 MB/day

Exercises

Exercise 1: Basic

Install Splunk, upload the sample log file, and search for all events.

Exercise 2: Applied

Use keyword searches to find events containing "ERROR", "WARN", and "INFO", and visually compare the event counts for each.

Challenge

Download and import Splunk's official tutorial dataset (tutorialdata.zip) from the Splunk documentation site.


Next up: In Day 2, you will learn about data ingestion -- how to bring data into Splunk from a variety of sources.