Splunk overview

Splunk overview

Splunk is powerful and versatile IT search software that takes the pain out of tracking and utilizing the information in your data center. If you have Splunk, you won't need complicated databases, connectors, custom parsers or controls--all that's required is a web browser and your imagination. Splunk handles the rest.

Use Splunk to:

• Continually index all of your IT data in real time.
• Automatically discover useful information embedded in your data, so you don't have to identify it yourself.
• Search your physical and virtual IT infrastructure for literally anything of interest and get results in seconds.
• Save searches and tag useful information, to make your system smarter.
• Set up alerts to automate the monitoring of your system for specific recurring events.
• Generate analytical reports with interactive charts, graphs, and tables and share them with others.
• Share saved searches and reports with fellow Splunk users, and distribute their results to team members and project stakeholders via email.
• Proactively review your IT systems to head off server downtimes and security incidents before they arise.
• Design specialized, information-rich views and dashboards that fit the wide-ranging needs of your enterprise.

Index new data

Splunk offers a variety of flexible data input methods to index everything in your IT infrastructure in real time, including live log files, configurations, traps and alerts, messages, scripts, performance data, and statistics from all of your applications, servers, and network devices. Monitor file systems for script and configuration changes. Enable change monitoring on your file system or Windows registry. Capture archive files. Find and tail live application server stack traces and database audit tables. Connect to network ports to receive syslog, SNMP traps, and other network-based instrumentation.

No matter how you get the data, or what format it's in, Splunk indexes it the same way--without any specific parsers or adapters to write or maintain. It stores both the raw data and the rich index in an efficient, compressed, filesystem-based datastore--with optional data signing and auditing if you need to prove data integrity.

For more details on data indexing with Splunk, see the "Index new data" chapter in this manual.

Search and investigate

Now you've got all that data in your system...what do you want to do with it? Start by using Splunk's powerful search functionality to look for anything, not just a handful of predetermined fields. Combine time and term searches. Find errors across every tier of your IT infrastructure and track down configuration changes in the seconds before a system failure occurs. Splunk identifies fields from your records as you search, providing flexibility unparalleled by solutions that require setup of rigid field mapping rulesets ahead of time. Even if your system contains terrabytes of data, Splunk enables you to search across it with precision.

To get the full picture of Splunk's IT search capability, see the "Search and investigate" chapter in this manual.

Capture knowledge

Freeform searching on raw data is just the start. Enrich that data and improve the focus of your searches by adding your own knowledge about fields, events, and transactions. Tag high-priority assets, and annotate events according to their business function or audit requirement. Give a set of related server errors a single tag, and then devise searches that use that tag to isolate and report on events involving that set of errors. Save and share frequently-run searches. Splunk surpasses traditional approaches to log management by mapping knowledge to data at search time, rather than normalizing the data up front. It enables you to share searches, reports, and dashboards across the range of Splunk apps being used in your organization.

To get more details on capturing and utilizing knowledge with event types and fields, see the "Capture knowledge" chapter in this manual.

Automate monitoring

Any search can be run on a schedule, and scheduled searches can be set up to trigger notifications or when specific conditions occur. This automated alerting functionality works across the wide range of components and technologies throughout your IT infrastructure--from applications to firewalls to access controls. Have Splunk send notifications via email or SNMP to other management consoles. Arrange for alerting actions to trigger scripts that perform activities such as restarting an application, server, or network device, or opening a trouble ticket. Set up alerts for known bad events and use sophisticated correlation via search to find known risk patterns such brute force attacks, data leakage, and even application-level fraud.

For more information about monitoring recurring events, see the "Automate monitoring" chapter in this manual.

Analyze and report

Splunk's ability to quickly analyze massive amounts of data enables you to summarize any set of search results in the form of interactive charts, graphs, and tables. Generate reports on-the-fly that use statistical commands to trend metrics over time, compare top values, and report on the most and least frequent types of conditions. Visualize report results as interactive line, bar, column, pie, scatterplot and heat-map charts.

Splunk offers a variety of ways to share reports with team members and project stakeholders. You can schedule reports to run at regular intervals and have Splunk send each report to interested parties via email, print reports, save them to community collections of commonly-run reports, and add reports to specialized dashboards for quick reference.

For more information about defining reports, generating charts, and sharing them with others, see the "Analyze and report" chapter in this manual.

• Was this topic useful?
• Post a comment