Splunk 4 Moves IT Search Forward
With a new release, the open source IT search tool adds an API and welcomes Windows systems into the fold.
If you haven't kept up with Splunk development in the last few years, you are in for a wonderful treat. Splunk 4, released last week, is full of new features and enhancements. This week we take a look at Splunk, and specifically new features in Splunk 4.
Splunk is "IT search" software, but we think that tagline understates Splunk's value. It is much more than just search. Splunk aggregates and correlates IT infrastructure data, including logs, server information, configuration data, and more. Splunk was the first to gather all this data in one place, but instead of simply indexing it for searching capabilities, they took it one giant step further. Splunk analyzes all of this data, and correlates events with all available data to provide unparalleled troubleshooting abilities.
Since we last looked at Splunk in 2006, Splunk has grown considerably. We start by explaining a few features and use cases that were new to us, whether or not they are new in Splunk 4, before getting into the new features themselves.
New to Us
Splunk has supported both user-created custom graphs and alerting for a while now, but the benefits of those features may have been unclear. It was only after speaking with Erik Swan, CTO at Splunk, that we began to understand these features, which seem to encroach on the territory of systems monitoring tools. The question first came up when Swan mentioned that Splunk could gather system statistics, such as load, memory usage, and running processes and threads.
Splunk, when given information about the state of a system, can do an even better job with troubleshooting and incident triage. Administrators can run Splunk on all servers, and even workstations, which allows it to gather detailed information and ship that off to a central server. The wealth of information available puts Splunk in a unique position to graph arbitrary data and alert on extremely complex constraints across many servers.
That is why Splunk monitors, reports, and alerts: it is far more flexible than traditional Nagios or Zenoss, once you begin monitoring beyond ping and service checks. The most recent example we came across illustrates this well. Say you wanted to monitor the health of Red Hat Cluster Suite. Instead of custom scripting something, or searching for an existing plug-in for your monitoring tool, just set an alert in Splunk to notify you when the cluster manager syslogs an error.
Splunk on Windows
Registry searching! Yes, Splunk also runs on Windows. This means you can search for anything about a Windows server or workstation. Everything revolves around the registry in the mysterious world of Windows, so you can easily verify anything about your systems with Splunk. For example, when a virus adds an entry to the registry, Splunk can tell you which machines are infected. It can even alert you immediately. You can also verify that packages are installed or application settings are as you expect them to be. Splunk also supports Active Directory, which gives it a complete view of enterprise deployments.
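The two alerts described above, the cluster-manager syslog error and the suspicious registry write, both boil down to a scheduled saved search with an alert condition. As an added example (not from the article or from Splunk's own documentation), here is how such alerts are expressed in a `savedsearches.conf` file. The stanza names, the `index`, `host` and `sourcetype` values, the search terms, the registry field names (`key_path`, `registry_type`, `data`) and the e-mail address are all assumptions chosen for illustration; the file lives under `$SPLUNK_HOME/etc/system/local/` or an app's `local/` directory.

```ini
# savedsearches.conf (added example; stanza names, index/sourcetype/host
# values, search terms and the e-mail address are assumptions)

[RHCS cluster manager errors]
# Syslog from the cluster nodes; "node*" and the daemon names are assumed.
# Looks for error-level messages from the cluster daemons over the last 5 minutes.
search = index=main sourcetype=syslog host=node* (rgmanager OR cman OR fenced) (error OR fail*)
dispatch.earliest_time = -5m
dispatch.latest_time = now
# Run every 5 minutes on the job scheduler rather than on every dashboard load
enableSched = 1
cron_schedule = */5 * * * *
# Alert condition: fire when the run returns more than 0 events
counttype = number of events
relation = greater than
quantity = 0
# Notification action
action.email = 1
action.email.to = ops-oncall@example.com
action.email.subject = Splunk alert: cluster manager reported an error

[Autorun registry key modified]
# Windows registry events indexed by the Splunk forwarder on each workstation
# (field names assumed). A new value under the per-user or machine Run key is
# a common persistence mechanism, so list which hosts wrote what, and where.
search = index=main sourcetype=WinRegistry registry_type=SetValue key_path="*\\CurrentVersion\\Run\\*" \
    | stats count values(data) AS written_value by host key_path process_image
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
cron_schedule = */15 * * * *
# Any host that shows up in the result table is worth a look
counttype = number of events
relation = greater than
quantity = 0
action.email = 1
action.email.to = security-team@example.com
action.email.subject = Splunk alert: Run key modified on one or more hosts
```

The `stats ... by host` in the second stanza is what turns a stream of registry events into the "which machines" answer the text mentions: each row of the result is one host and one key, so the alert fires once per run with the affected hosts listed, rather than once per raw event. Raising `quantity` above zero, or adding `alert.suppress` settings, is how you keep a noisy search from paging the on-call person every interval.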
Dashboards and Usability Enhancements
Splunk 4 focused a tremendous amount of effort on making data accessible to less technical users. Everyone from the help desk and security managers to non-technical executives can now have a dashboard view of the data they need.
Custom graphs and reports are much easier to create now, in version 4. Splunk now has an interactive report builder that allows nearly anyone to begin playing with data. The interactive search assistant, which used to be limited to auto-completion, also got an overhaul and now supports search histories and interactive help.
In prior Splunk releases, you could create saved searches. Those saved searches powered graphs that you added to the dashboard, and they updated at a scheduled interval. Splunk 4 has a much more robust job scheduling engine. As you create more dashboards for more and more types of users throughout the company, the number of scheduled searches (to update the charts and reports) also increases.
Searches can be scheduled, given a lower priority, archived, and even paused now in Splunk 4.
Splunk Apps: More Than Just an API
The API allows customers to integrate Splunk with nearly anything, but Splunk Apps allows users to package, distribute, and install applications.
The API is extremely flexible, in that customers have access to advanced features such as contextual views and role-based access control. Once an app is created, it can be shared, as many vendors are already doing. Built-in Splunk-provided apps include: Change Management, PCI Compliance, and Enterprise Security Suite.
While it was unclear which of these new features would be available in the open source version, know that Splunk's free version has always been generous. In fact, the data-indexed-per-day licensing model means that most small to medium IT shops can get along with using only the free version. And now that Splunk Apps exists, expect to see more open source community contributed Apps in the near future.
Splunk has come a long way in a short amount of time. With over 1,100 paying customers, tons of vendor integration, and 350K+ open source downloads, it is safe to say that Splunk is doing well. The technology spoke for itself three years ago, and now with Splunk 4's tremendous list of new features, it has successfully defined its new market: IT search.