Preparing for the Splunk Enterprise Deployment Practical Lab

Well, I didn't make as much progress on the subject run-book as I would've liked, but it has been a productive day. I was able to troubleshoot an inputs.conf problem for a colleague, off the top of my head, no less. That's a big deal in my view, 'cause the Admin manual for version 8.0.2 lists 64 multi-page conf files in its appendices.

And then both of us being cloud novices reared its ugly head: they came back to me saying that they were unsuccessful in making their master node a license slave; the command was timing out. Well, as many (if not most) of my readers will know, by default EC2 instances are placed in their own separate security group; or at least that's the theory guiding the latest troubleshooting.

My mind jumped to checking that the license master was listening, and once that was confirmed, that there might be a firewall problem. I knew how to check for iptables, but I'm a fish out of water in CentOS/Amazon Linux. However, I think that was a bit of a red herring, and I'm crossing my fingers for success once all the instances are moved into the same security group. [Edit: Theory confirmed and problem corrected apparently, hours later now, after the kids are in bed and I've had a chance to check my email.]

I bring all this up because, as practical as the subject lab is — from what I've been told, anyway — it still must be artificial or canned to ensure students are tested on their Splunk knowledge, in a timely fashion. So, practising for it, whether in the cloud or on bare metal, is bound to run into all sorts of problems that won't be relevant to the test itself. The good news is, pretty much every one of those problems will be completely relevant in the real world — a.k.a. the place where I'll be doing 99% of my future deployments.

Now that the EC2 interface/dashboard has shown this task isn't completely trivial, I'm seriously considering writing some Terraform to automate it instead. It'll be the perfect opportunity to reinforce that knowledge, and, hopefully, won't take too much time away from my Splunk practice. If it goes well, new hires will be able to use it; I'll throw it up on GitHub as well.
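As an added illustration of the security-group fix described above, and of the Terraform idea, here is a sketch I've put together (not code from the post or from any Splunk project): a single security group shared by all the lab instances, with a self-referencing rule so the license slaves can reach the license master on splunkd's default management port (8089) without opening that port to the world. The VPC id, AMI id and admin CIDR are placeholders.

```hcl
# Added example (not from the post): one security group shared by the Splunk
# instances, with a self-referencing rule so license slaves reach the license
# master on splunkd's default management port 8089. All ids are placeholders.
variable "vpc_id" { type = string }
variable "ami_id" { type = string }

resource "aws_security_group" "splunk" {
  name        = "splunk-lab"
  description = "Splunk lab: splunkd management traffic only within the group"
  vpc_id      = var.vpc_id

  # License slaves -> license master (and other splunkd-to-splunkd calls) are
  # allowed only from members of this same group, never from 0.0.0.0/0.
  ingress {
    description = "splunkd management port, intra-group only"
    from_port   = 8089
    to_port     = 8089
    protocol    = "tcp"
    self        = true
  }

  # Splunk Web for the admin, limited to a known source network
  # (203.0.113.0/24 is an RFC 5737 documentation range; replace it).
  ingress {
    description = "Splunk Web from the admin network"
    from_port   = 8000
    to_port     = 8000
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Attach the same group to every lab instance (master, indexers, search head)
# so nothing lands in a per-launch auto-created group.
resource "aws_instance" "license_master" {
  ami                    = var.ami_id
  instance_type          = "t3.small"
  vpc_security_group_ids = [aws_security_group.splunk.id]
  tags                   = { Name = "splunk-license-master" }
}
```

Because the rule is self-referencing rather than a wide CIDR, a timing-out license command points straight at group membership (or a host firewall) instead of a dozen other possibilities.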

End of Day 17

— jlj #100DaysToOffload

I'm writing this as part of the 100 Days To Offload project; join us at: https://100daystooffload.com/