Getting Started with Splunk

"Because ninjas are too busy"

I first ran into Splunk at VMworld 2012 where I picked up one of my favorite swag t-shirts, but I never took more than the t-shirt for a spin. Then last week my SolarWinds Kiwi Syslog maintenance reminder popped up. Kiwi is cheap, but it’s also cheap, if you know what I mean. It’ll grab those logs all day long, but translating data into useful info or simply searching it quickly just isn’t its strong suit. So I took a moment to search for leading syslog solutions that are Windows friendly.

Splunk Enterprise was near the top of the search results, and a quick perusal showed that it might be worth the time to trial.

Looking at Splunk is like looking at a Swiss Army knife. If I told you that it was a fruit peeler, I wouldn’t be wrong, but I’d also be grossly selling you short of its potential. Splunk correlates. For me, that’s starting with syslog data and simply making it accessible, searchable, but it goes far beyond that. The product page does a good job of laying out the 30,000 foot view.

From the perspective of one only a couple days into the eval and juggling it along with a full array of network, server, and virtualization projects, I have to say that I’m impressed with Splunk. The install documentation and process is smooth and clear, and it even supports Managed Service Accounts, which is nice (and they work–I’m running it as a gMSA). Data ingestion is also easy–“Add Data” and pick your flavor.

splunk_dash
Syslog dashboard with VMware, Cisco & F5 panels

After that, search strings provide quick access (assuming proper CPU and disk allocations have been made) and “Apps” present the data in vendor-specific fashions.

Pricing seems to be based on consumed data (GB), which looks reasonable so far. I’ll definitely be looking at our Windows auditing levels and any “verbose” or “debug” logging active on devices, since those definitely affect that metric.

Be First to Comment

Leave a Reply