You're reading from Data Analytics Using Splunk 9.x A practical guide to implementing Splunk's features for performing data analysis at scale

Product type Paperback

Published in Jan 2023

Publisher Packt

ISBN-13 9781803249414

Length 336 pages

Edition 1st Edition

Tools

Splunk

Concepts

Data Analysis

Author (1):

Dr. Nadine Shillingford

View More author details

Table of Contents (18) Chapters

Preface

1. Part 1: Getting Started with Splunk

2. Chapter 1: Introduction to Splunk and its Core Components FREE CHAPTER

3. Chapter 2: Setting Up the Splunk Environment

4. Chapter 3: Onboarding and Normalizing Data

5. Part 2: Visualizing Data with Splunk

6. Chapter 4: Introduction to SPL

7. Chapter 5: Reporting Commands, Lookups, and Macros

8. Chapter 6: Creating Tables and Charts Using SPL

9. Chapter 7: Creating Dynamic Dashboards

10. Part 3: Advanced Topics in Splunk

11. Chapter 8: Licensing, Indexing, and Buckets

12. Chapter 9: Clustering and Advanced Administration

13. Chapter 10: Data Models, Acceleration, and Other Ways to Improve Performance

14. Chapter 11: Multisite Splunk Deployments and Federated Search

15. Chapter 12: Container Management

16. Index

Why subscribe?

17. Other Books You May Enjoy

Summary

This chapter was an exploration of how Splunk stores data. Since Splunk is a paid application, we started by looking at how licensing works in Splunk. We learned about the different licensing models, such as the Splunk Free and Splunk Enterprise licenses. We looked at the different kinds of events that count against the Splunk license and defined terms such as Splunk license groups, stacks, and pools. We ended that discussion by learning how to configure licenses using Splunk Web and the Splunk CLI. Indexes and buckets are the constructs used to store data in Splunk. We learned that indexes are a repository of data and contain multiple buckets. We learned about the different types of buckets (warm, cold, frozen, and thawed). We discovered that we could make changes to the way Splunk stores data by making changes to settings in indexes.conf, such as maxDataSize and frozenTimePeriodInSecs. We saw how each of these settings determines when data rolls from one bucket to the next...