Using Splunk

Splunk is a streaming data analytics platform that helps organizations turn event stream data (logs, metrics, traces) into insights: to inform decisions, to alert you to issues, and even to take action on your behalf. Splunk can be used to develop reports and visualizations (dashboards), to generate alerts, and to build automations that involve other systems. It also supports advanced analytics, including machine learning, and is highly extensible.

Getting Your Data In

Splunk offers a web-based interface for adding data (Add Data, in Splunk Web) that previews how a sample of your data will be indexed, so you can tweak options (for example, which part of each event is the timestamp and what timezone it is in, where each event starts and stops, and which fields to extract) until Splunk gets it just right. Settle these before indexing a full feed: the timestamp and event-boundary settings are applied when data is indexed, so a mistake there is baked into everything already ingested.
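As an added example (not from this page or from the Splunk documentation), here is a props.conf stanza for a hypothetical sourcetype `example:sshd` covering the three things the Add Data preview lets you tune: the timestamp including its timezone offset, where each event begins, and a search-time field extraction. The sourcetype name, the sample line, and the extracted field names are assumptions.

```ini
# props.conf (added example; sourcetype name and log format are assumed)
# Written for events shaped like this constructed sample line:
#   2024-05-01T13:45:07.123-05:00 vpn01 sshd[1234]: Accepted publickey for jdoe from 198.51.100.23 port 51234 ssh2

[example:sshd]
# Timestamp: it starts the line, so anchor there and parse the ISO-8601 form
# including the numeric UTC offset (%z) so daylight-saving changes cannot skew it
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 32
# Fallback only: an offset parsed from the event itself overrides TZ
TZ = America/Chicago

# Event boundaries: one event per line; break only where the next line
# begins with a timestamp, and never merge lines back together
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T\d{2}:)
TRUNCATE = 10000

# Search-time extraction of the fields a security search needs.
# user, src and src_port already follow the CIM Authentication field names.
EXTRACT-sshd_accepted = Accepted (?<auth_method>\S+) for (?<user>\S+) from (?<src>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)
```

The timestamp and line-breaking settings are applied in the parsing pipeline, so they must live on whichever indexer or heavy forwarder first parses the data; the `EXTRACT` is applied at search time on the search head. Check the result with `index=<your index> sourcetype=example:sshd | table _time user src src_port` on a small sample before committing to a full feed.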

Add-Ons for your data

While not required, getting your data in is simpler and more standardized if there is a Splunk “Add-on” (also called a “Technical Add-on” or “TA”) for your data source. Add-ons are Splunk “apps” focused on data ingestion: sourcetyping, parsing, field extractions, and so on. Search https://splunkbase.splunk.com for add-ons relevant to the technology generating your machine data (filter on “Add-ons” to exclude “Apps”). TIP: Especially valuable are add-ons that claim CIM compliance, because their field names will already line up with the rest of your data (see CIM, below).

CIM

Making your data “CIM-compliant” (CIM = Common Information Model) can be very helpful, and is sometimes necessary. First, aligning your fields to CIM normalizes your data so that, for example, the “source IP” and “destination IP” fields (whatever they are actually called in each data source) are recognized as the same thing, `src` and `dest`, across all of your data sources; multi-source queries and analyses then become both simpler and more meaningful. Second, CIM compliance is required by any Splunk app that is built on the CIM data models (Splunk Enterprise Security, for example). Finally, depending on the use case, searching accelerated CIM data models with `tstats` can be significantly faster than regular searches against your indexes. Note that CIM compliance is a search-time mapping (field aliases, calculated fields, tags and event types), so it does not change your raw events and can be added, and corrected, after the data has been indexed.
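As an added example (not from this page), here are two searches that answer the same question, which hosts are sending large numbers of allowed connections to SMB port 445, first without CIM and then against the CIM Network_Traffic data model. The index names and the non-CIM field names (`src_ip`, `dst_ip`, `client_ip`, `server_ip`, `server_port`) are assumptions standing in for whatever your sources really use; `Network_Traffic`, `All_Traffic` and the `src`, `dest`, `dest_port` and `action` fields are the real CIM names.

```spl
index=firewall OR index=proxy (dst_port=445 OR dest_port=445 OR server_port=445)
| eval src=coalesce(src_ip, client_ip, src), dest=coalesce(dst_ip, server_ip, dest)
| stats count BY src, dest
| where count > 100

| tstats summariesonly=true count
    FROM datamodel=Network_Traffic
    WHERE All_Traffic.dest_port=445 All_Traffic.action=allowed
    BY All_Traffic.src, All_Traffic.dest
| rename All_Traffic.* AS *
| where count > 100
```

The first search has to know every source's private field names and grows a new `coalesce` argument each time a source is added; the second does not change when a new CIM-compliant source arrives. The caveat is `summariesonly=true`: it reads only the accelerated summary, so events from a sourcetype that is not tagged `network` and `communicate`, or that acceleration has not caught up with yet, are silently absent. Validate a detection with `summariesonly=false` (or the raw search) before trusting its counts.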

Searching / Exploring Your Data

The Splunk Web search interface and its approachable yet powerful Search Processing Language (SPL) are among the most compelling features of Splunk. Notice the suggestions as you type, the time picker, the graphical timeline of the events returned by your search, and the fields in the left menu that let you explore, discover, and drill into your data.

Developing Reports / Visualizations / Dashboards

Take your early searches, refine them, save them, schedule them. Build visualizations on top of them. Save those visualizations as “panels” in dashboards.

Analytics, Alerts, and/or Automations from Splunk, Product Vendors, and/or Splunk Community

Some Splunk users never get deep into building reports and the like, because someone else has already done the hard work. Visit Splunkbase to search for and discover Splunk apps for the technologies your team is responsible for.

Alerts and Automations

Beyond reports and dashboards, the next most common evolution of the use of Splunk is…

  • Developing Alerts – Turn your searches into scheduled searches that can trigger emails, Nagios alerts, or other forms of notification when a condition you define is met.
  • Developing Automations – Triggers can be used to kick off a wide variety of actions, including API calls to other systems.
  • (And leveraging third-party apps for the same.)
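As an added example (not the page's own, nor Splunk's), here is what a scheduled alert looks like once it leaves Splunk Web: a savedsearches.conf stanza that runs a CIM Authentication search every 15 minutes, fires when any single source produced 50 or more failed logins in that window, throttles repeat notifications per source for an hour, and emails the SOC. The alert name, threshold, schedule and recipient are assumptions; the setting names are the ones Splunk Web writes when you save an alert.

```ini
# savedsearches.conf (added example; name, threshold, schedule and recipient are assumed)
[Alert - Repeated failed logins from one source]
search = | tstats summariesonly=true count FROM datamodel=Authentication WHERE Authentication.action=failure BY Authentication.src, Authentication.user | rename Authentication.* AS * | stats sum(count) AS failures, dc(user) AS users, values(user) AS user_list BY src | where failures >= 50
# Scheduling: every 15 minutes over the previous 15-minute window, snapped so windows tile exactly
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m
# Trigger condition: fire when the search returns more than 0 rows
counttype = number of events
relation = greater than
quantity = 0
# One trigger per matching row, but the same src cannot re-alert for an hour
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = src
alert.suppress.period = 1h
alert.track = 1
alert.severity = 4
# Action: email with the triggering row's fields substituted in
action.email = 1
action.email.to = soc@example.edu
action.email.subject = $name$: $result.failures$ failed logins from $result.src$ against $result.users$ accounts
action.email.include.results_link = 1
action.email.include.search = 1
```

Run the `search` value interactively over a longer range, without the final `where`, before choosing the threshold: a threshold picked without looking at baseline volume tends to either never fire or page constantly. The per-source throttle keeps a single noisy host from sending four emails an hour while the condition persists.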

And More…

Advanced use cases of Splunk include…

  • Advanced data-processing on ingest. (For example, transforming or enriching data before it is ingested, selectively omitting data, de-identification/anonymization/obfuscation, etc.)
  • Advanced analytics developments such as those that leverage Machine Learning. (Reference Splunk’s Machine Learning Toolkit.)
  • Advanced automations and integrations with other technologies / systems.
  • Advanced visualizations and dashboarding. (Moving beyond what’s available through SPL and the Splunk Web interface, leverage your own custom JavaScript, CSS, XML, etc.)
  • Developing custom Splunk apps.
  • Use of a Splunk instance for special use cases (such as research) – either dedicated or shared, but separate from our primary instance of Splunk (which is primarily oriented around operational data of the institution).
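As an added example of the first bullet above (not the page's own configuration), here are props.conf and transforms.conf entries that, at parse time, mask the middle eight digits of anything that looks like a 16-digit card number and discard load-balancer health-check requests so they are never indexed. The sourcetype, the health-check path and the patterns are assumptions.

```ini
# props.conf (added example; sourcetype and patterns are assumed)
[example:webapp]
# De-identification at parse time: keep the first and last four digits of a
# 16-digit run (enough to correlate, not enough to use) and replace the middle.
# \1 and \2 are the captured groups; the "g" flag replaces every occurrence in the event.
SEDCMD-mask_pan = s/\b(\d{4})\d{8}(\d{4})\b/\1XXXXXXXX\2/g
# Selective omission: events matching the transform below are routed to the null queue
TRANSFORMS-drop_noise = drop_healthchecks

# transforms.conf
[drop_healthchecks]
REGEX = GET /healthz
DEST_KEY = queue
FORMAT = nullQueue
```

Both settings run in the parsing pipeline, so they belong on the heavy forwarder or indexer that first parses the data, not on a universal forwarder. The original text is gone once indexed: a masking regex that over-matches (a 16-digit order ID, for example) destroys evidence you cannot recover, so try the same expression at search time first with `| rex field=_raw mode=sed "s/\b(\d{4})\d{8}(\d{4})\b/\1XXXXXXXX\2/g"` over a representative sample and review what it changes.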

Splunk at Illinois
Email: splunk-admin@illinois.edu