1. Start Here - Getting the Application

Introduction

This guide describes how to install and configure the Dell SonicWALL Analytics for Splunk application. After installation, if you have questions, contact support at splunk_help@sonicwall.com or refer to the Troubleshooting section for more information.

Requirements

To use the Splunk application, you will need a Splunk Server. The software runs on both Linux and Windows (all versions) platforms. Download the installer directly from splunk.com. When you install Splunk on a Linux system, it should be installed in the following location:

/opt/splunk

1. Install and start the Splunk server.

2. Set up a username and password, and log in.

The following sections describe how to complete the installation and configure the Dell SonicWALL Analytics for Splunk application.

Licensing

Splunk's current licensing model works as follows:

As a trial user, you can download the product and receive full Enterprise features for up to 60 days. During that time, you can index up to 500MB of data per day (24-hour period). If you exceed that amount, Splunk continues to index, but a license warning is issued. After the warning has been issued, you will not be able to use the Search interface (the main part of Splunk) for 24 hours. After you have received three warnings, Splunk locks you out for a month. You can get the server unlocked by requesting an unlock license from Splunk.

After 60 days, you can either purchase a Splunk license or convert your existing installation to a free license. The indexing limit is still 500MB a day, but you lose all the Enterprise features.

Another option is to apply for a Developer's License. This license provides you with 10GB of indexed data per day. The Developer's License is valid for six months and can be renewed. It is free to apply, and requests are usually granted within three days. This license is well suited to running a lab and testing Splunk.

Note Do not use the Developer's License for Proof of Concept (POC) installations.

If you have a potential customer who would like to do a POC installation, contact support at splunk_help@sonicwall.com for a license you can use for that purpose.

Getting the Application

Note The application uses the latest.tgz tar ball. All other tar balls install older versions of the application.

Also located on the servers is a VMWare OVA image that includes CentOS preinstalled with the application. This version of the application is out of date and needs to be brought current. Updating the application is the same as reinstalling it; there are no separate update procedures.

From the Source

The source is located at: http://splunk.eng.sonicwall.com/splunk/

If you cannot directly view that server, you can also connect to it with SSL VPN through sslvpn.eng.sonicwall.com or sslvpn.sonicwall.com.

From a Public FTP Server

Go to: ftp8.sonicwall.com

• username: ******

• password: ******