Splunk makes log-file searches a slam dunk
Free-format search tool handles disparate event types, eases admin headaches
One of my frustrations with narrowly focused log analyzers is the sometimes massive amount of scripting needed for a simple correlation, such as checking whether a VoIP call event overlaps with a switch threshold event. With Splunk, clicking the Set Timerange control on any of the Splunk interface screens narrows the view to the suspect period. From there, the search bar further refines the search.
You can also use Splunk to correlate system and network events with those directly involved in the development cycle, saving time for programmers who need to search multiple environments. And though the Splunk Base wiki -- intended to serve as a community knowledge base -- wasn’t available during my review, it will certainly be useful for researching events and solutions.
The product does have some holes. Splunk can index SNMP information, but it doesn’t directly tie into management consoles such as CA Unicenter or HP OpenView; instead, it can run a command-line script as a work-around. For example, you could set up a Live Splunk -- a search set to run at specific intervals -- to look for high-priority alerts from Snort and shoot someone an e-mail. In this case, I would prefer the bells and whistles to go off in the NOC -- scripting makes the response very flexible, but I’d like to eventually have the ability to send traps to a central console.
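The Live Splunk described above, a search that runs on a schedule, looks for high-priority Snort alerts and hands off to a script that sends an e-mail, comes down to three steps: parse the Snort fast-format alert lines, keep the severe ones from the last interval, and build the notification. The Python below is an added example, not code from the article or from Splunk; the alert lines, addresses, clock and interval are constructed, and it builds the message without sending it.

```python
import re
from datetime import datetime, timedelta
from email.message import EmailMessage

# Constructed Snort "fast" alert lines (sample data, not from the article).
SAMPLE_ALERTS = """\
03/14-10:02:11.100233  [**] [1:1000001:1] SAMPLE inbound port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:40122 -> 10.0.0.20:22
03/14-10:04:02.004512  [**] [1:1000002:1] SAMPLE inbound probe to database port [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 198.51.100.9:40200 -> 10.0.0.21:3306
03/14-09:10:00.000001  [**] [1:1000003:1] SAMPLE outbound beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.15:51510 -> 203.0.113.4:443
03/14-10:04:30.770000  sensor restarted (not an alert line, so it is skipped)
"""
SAMPLE_NOW = datetime(2024, 3, 14, 10, 5, 0)  # constructed clock for the scheduled check

# Fast format: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {proto} src -> dst
FAST_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<sig>\d+:\d+:\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_fast_alert(line, year):
    """One alert line -> dict, anything else -> None. Snort omits the year, so the caller supplies it."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    return {"ts": ts, "sig": m["sig"], "msg": m["msg"], "cls": m["cls"] or "",
            "priority": int(m["prio"]), "proto": m["proto"], "src": m["src"], "dst": m["dst"]}

def high_priority_alerts(lines, now, window_minutes, year, max_priority=1):
    """What the scheduled search returns: alerts from the last window_minutes with priority <= max_priority (1 is most severe)."""
    start = now - timedelta(minutes=window_minutes)
    return [a for a in (parse_fast_alert(ln, year) for ln in lines)
            if a and a["priority"] <= max_priority and start <= a["ts"] <= now]

def build_alert_email(alerts, to_addr, from_addr="splunk@example.com"):
    """Build, but do not send, the message the alert script would hand to SMTP."""
    if not alerts:
        return None  # nothing matched this interval: no noise for the NOC
    msg = EmailMessage()
    msg["From"], msg["To"] = from_addr, to_addr
    msg["Subject"] = f"{len(alerts)} high-priority Snort alert(s)"
    msg.set_content("\n".join(
        f"{a['ts']:%Y-%m-%d %H:%M:%S} P{a['priority']} [{a['sig']}] {a['msg']} "
        f"{a['proto']} {a['src']} -> {a['dst']}" for a in alerts))
    return msg
```

Running `high_priority_alerts(SAMPLE_ALERTS.splitlines(), SAMPLE_NOW, 5, 2024)` returns only the priority-1 probe at 10:04:02; the 09:10 beacon is just as severe but falls outside the five-minute window, which is the same time-range discipline the Set Timerange control gives you in the UI.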
Another gripe involves the amount of manual editing required during the initial setup: it’s simple to edit the sample config.xml files, but it’s also pretty easy to make a mistake. Thankfully, a new configuration GUI will be available in the next major release (support for FreeBSD, Mac OS X, and Solaris is also on the road map), but for now, I suggest making a backup copy of the config file before you start editing.
Nevertheless, Splunk seems well prepared to succeed in a market that’s often the realm of homegrown search tools. If you’re interested in finding out what’s really happening in context across all your systems, take a good look at Splunk Professional and save yourself some eyestrain.