What to monitor
Let's start by describing what we are referring to when we talk about monitoring in Splunk. So, Splunk tells us that monitoring in Splunk can be defined as follows:
"The act of watching a file, directory, script, or network port for new data. Also used to refer to a configured Splunk data input of the aforementioned types. When you configure a data input for an ongoing incoming data source, you are telling Splunk to monitor the input."
--Splunk.com, 2014
Earlier in this book, we covered the concept of getting data into Splunk (or indexing data). Let's refresh.
To get started with Splunk, you need to feed it with some sort of data. Once Splunk becomes aware of the new data, it instantly indexes it so that it's available for your search needs (we discussed indexes in Chapter 6, Indexes and Indexing). At this point, the data is transformed into Splunk events, each with its own searchable fields. There are many things that can be done to the data and with it.
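As an added example that is not from the book or from Splunk's own documentation, the inputs.conf fragment below shows one stanza for each of the input types the definition above lists: a single file, a directory, a scripted input, and a network port. The file paths, sourcetypes, index names, script name and port number are assumed values chosen for illustration, not anything this chapter specifies.

```ini
# Added example, not from the book. Paths, index names, sourcetypes and
# the port are assumed values. Splunk .conf files only accept comments on
# their own lines, so none are placed after a key = value pair.

# Monitor a single file: Splunk tails it and indexes each new line as an event.
[monitor:///var/log/secure]
sourcetype = linux_secure
index = security
disabled = false

# Monitor a directory: every file beneath it is watched, recursively.
# The whitelist is a regex on the full path, so only *.log files are consumed.
[monitor:///var/log/apache2]
sourcetype = access_combined
index = web
whitelist = \.log$

# Scripted input: Splunk runs the script every 300 seconds (relative to the
# app's bin directory) and indexes whatever it writes to stdout.
[script://./bin/list_listening_ports.sh]
interval = 300
sourcetype = listening_ports
index = security

# Network port: listen for syslog on UDP 514 and record the sender's IP
# as the host field rather than doing a reverse DNS lookup.
[udp://514]
sourcetype = syslog
index = security
connection_host = ip
```

These stanzas belong in an app's local/inputs.conf on the forwarder or indexer that will read the data, and Splunk must be restarted (or the input added through the CLI) before a new stanza takes effect. Two quick checks after deploying: `splunk list monitor` shows which files and directories are actually being tailed, and `splunk btool inputs list --debug` shows the merged configuration together with the file each setting came from, which is the fastest way to find a stanza that is being overridden or a referenced index that does not exist.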
So, what kind of data...