Splunk, the book by Betsy Page Sigman, Erickson Delgado, and other contributors, presents an introduction to Splunk that extends through advanced usage in enterprise deployments. A trial version of Splunk, limited to 500 MB of ingestion per day, is used for the demonstrations so that the reader gets hands-on experience and a feel for the tool.
Given the dynamic and fast-changing pace of monitoring technology, the challenges for the monitoring automation professional have also increased by leaps and bounds. To educate and empower such professionals, this book is a useful read, although its focus is the Splunk tool. Splunk is a useful tool for log monitoring with broad applications in application management, IT infrastructure monitoring, security investigations and infosec compliance, and deriving actionable insight from security-related data.
IT process automation (ITPA) is an enhancement over the workload automation of earlier IT architecture deployments. Compared with basic workload automation, ITPA allows complex workflows, full and deep integration with all IT functions, and richer data handling. IT Operations Analytics is a further specialization within IT process automation whereby analytics is used heavily to make sense of machine data and derive actionable intelligence from it. Jostling for space in this market, beside big firms like IBM and HP, are names such as BMC, CA Technologies, Sumerian and Splunk.
Splunk is one of the best-known log analysis services in the market. Open source alternatives include the ELK stack (Elasticsearch for search, Logstash for data collection, Kibana for data visualization) and Graylog. Cloud service options include Sumo Logic, Logentries, and Loggly.
IT practitioners have to solve real-world problems and plan change management. Deriving actionable data from the logs of existing systems is crucial to this end. Splunk allows tracking and analyzing machine data coming from various computer systems and servers.
The Search Processing Language (SPL) on Splunk is a library of all search processing commands with their execution modes. The book explains pivoting, data models, classifying data using event types, enriching data using lookups and workflow actions, and normalizing data using tags. Lookup tables can map the codes returned by web servers and browser-based applications into human-readable messages; typical HTTP codes such as 404, 500 and others are suitable candidates for this type of lookup table.
Splunk allows sending out reports by email and configuring alerts based on error codes captured in error log files. The authors discuss the challenges of searching historical archived data using summary indexing, and workarounds for fetching historical data without impacting the business-as-usual tasks running on the Splunk setup, such as log extraction and analysis for current data.
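The two ideas in the preceding paragraphs, enriching events through a status-code lookup table and alerting when error codes in a log cross a threshold, are easy to see end to end in plain code. The following Python is an added illustration written for this review, not code from the book or from Splunk; it mimics what a CSV lookup plus a `stats count` alert search would do, over a few constructed access-log lines. The log lines, the lookup contents and the threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines in common log format (not from the book)
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
10.0.0.7 - - [10/Oct/2023:13:55:37 +0000] "GET /missing HTTP/1.1" 404 512
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "POST /api/order HTTP/1.1" 500 128
10.0.0.9 - - [10/Oct/2023:13:55:39 +0000] "GET /api/order HTTP/1.1" 500 128
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /api/order HTTP/1.1" 503 64
"""

# Stand-in for a Splunk CSV lookup: status code -> human-readable message
STATUS_LOOKUP = {
    "200": "OK",
    "404": "Not Found",
    "500": "Internal Server Error",
    "503": "Service Unavailable",
}

# Field extraction, the equivalent of a sourcetype's regex-based extraction
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)'
)


def parse_events(text):
    """Extract fields from each line and enrich with the lookup (like `| lookup`)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, as a failed extraction would be
        ev = m.groupdict()
        ev["status_desc"] = STATUS_LOOKUP.get(ev["status"], "Unknown")
        events.append(ev)
    return events


def count_by_status(events):
    """Equivalent of `| stats count by status`."""
    return Counter(ev["status"] for ev in events)


def server_error_alert(events, threshold=2):
    """Equivalent of an alert on `status>=500 | stats count`, firing at >= threshold.

    Returns (triggered, error_count, errors_by_source) so the caller can
    both decide whether to notify and see which sources produced the errors.
    """
    errors = [ev for ev in events if ev["status"].startswith("5")]
    by_src = Counter(ev["src"] for ev in errors)
    return len(errors) >= threshold, len(errors), by_src


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in evs:
        print(ev["src"], ev["status"], ev["status_desc"])
    print(count_by_status(evs))
    print(server_error_alert(evs))
```

The threshold is the part worth tuning in a real alert: set it against a normal baseline so a single transient 500 does not page anyone, and keep the per-source breakdown in the notification so the responder knows where to look first.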
One of the useful options provided by Splunk is designing dashboards based on user feedback. The Splunk software development kit (SDK) and D3.js allow extracting data without exposing authentication credentials.
The HTTP Event Collector (HEC), available from Splunk v6 onwards, saves effort in tracking websites and improving their performance. The authors have shared some best practices and advanced SPL queries as code examples ready for the reader to use.
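To make the HTTP Event Collector concrete, here is an added Python example, written for this review and not taken from the book, that builds the HEC request a web application would send: JSON envelopes (`time`, `host`, `index`, `sourcetype`, `event`) posted to the collector endpoint with the token in an `Authorization: Splunk <token>` header. The host name, index, sourcetype and the sample events are assumptions, and the token is a placeholder; the code constructs the request without sending it, so it runs offline.

```python
import json
import urllib.request

# Assumed collector endpoint and placeholder token (neither is real); in
# practice read the token from a secret store or environment variable.
HEC_URL = "https://splunk.example.invalid:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"

# Constructed sample events: epoch time plus whatever fields the app wants indexed
SAMPLE_EVENTS = [
    {"time": 1696946136.0, "event": {"path": "/index.html", "status": 200, "latency_ms": 42}},
    {"time": 1696946137.5, "event": {"path": "/api/order", "status": 500, "latency_ms": 911}},
]


def build_hec_payload(events, sourcetype="web:perf", index="web", host="app01"):
    """Serialize events as one JSON envelope per line; HEC accepts several per POST."""
    lines = []
    for ev in events:
        envelope = {
            "time": ev["time"],          # epoch seconds, so Splunk keeps the app's timestamp
            "host": host,
            "index": index,
            "sourcetype": sourcetype,
            "event": ev["event"],        # the actual record that becomes searchable
        }
        lines.append(json.dumps(envelope, separators=(",", ":")))
    return "\n".join(lines)


def decode_hec_payload(payload):
    """Inverse of build_hec_payload, handy for checking what would be sent."""
    return [json.loads(line) for line in payload.split("\n") if line]


def build_hec_request(payload, url=HEC_URL, token=HEC_TOKEN):
    """Prepare the POST; the token travels in the Authorization header, never in the URL."""
    req = urllib.request.Request(url, data=payload.encode("utf-8"), method="POST")
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    return req


if __name__ == "__main__":
    body = build_hec_payload(SAMPLE_EVENTS)
    request = build_hec_request(body)
    print(request.get_method(), request.full_url)
    print(request.get_header("Authorization")[:7] + "...")  # never print the whole token
    print(body)
    # urllib.request.urlopen(request) would deliver it to a real collector over TLS
```

Keeping the token in a header rather than a query string matters because URLs end up in proxy and web-server logs; the collector should also be reached only over TLS, since the token grants write access to the index it is scoped to.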
The REST API of Splunk allows web-service-like functionality for sharing custom reports with endpoint applications. The R project app for Splunk allows data transfer from Splunk to an R engine for calculation, with the results returned to Splunk for further computation or visualization.
A sample implementation architecture for such usage would have IT, data analytics, security and business user teams accessing Splunk, which in turn would depend on well-known and rich R modules at its backend for customized calculations.
Applications of Splunk and similar utilities extend beyond automated workload management to data access monitoring and infosec requirements for tracking and identifying suspect traffic sources with a basic level of intelligence. Recent trends have seen a normalization of open source options relative to Splunk in market reach. The authors of the book could well have extended it with comparisons of Splunk recipes against the ELK stack recipes available to end users.