To understand where Splunk has been conventionally leveraged, you'll see that the applicable areas have generally fallen into the categories, as shown in the following screenshot. The areas where Splunk is conventionally used are:
Investigational searching
Monitoring and alerting
Decision support analysis
The practice of investigational searching usually refers to the processes of scrutinizing an environment, infrastructure, or large accumulation of data to look for an occurrence of specific events, errors, or incidents. In addition, this process might include locating information that indicates the potential for an event, error, or incident.
As mentioned, Splunk indexes and makes it possible to search and navigate through data and data sources from any application, server, or network device in real time. This includes logs, configurations, messages, traps and alerts, scripts, and almost any kind of metric, in almost any location.
"If a machine can generate it - Splunk can index it…" | ||
| --www.Splunk.com | ||
Splunk's powerful searching functionality can be accessed through its Search & Reporting app. (This is also the interface that you used to create and edit reports.)
A Splunk app (or application) can be a simple search collecting events, a group of alerts categorized for efficiency (or for many other reasons), or an entire program developed using the Splunk's REST API.
Organized collections of configurations
Sets of objects that contain programs designed to add to or supplement Splunk's basic functionalities
Completely separate deployments of Splunk itself
The Search & Reporting app provides you with a search bar, time range picker, and a summary of the data previously read into and indexed by Splunk. In addition, there is a dashboard of information that includes quick action icons, a mode selector, event statuses, and several tabs to show various event results.
Splunk search provides you with the ability to:
Locate the existence of almost anything (not just a short list of predetermined fields)
Create searches that combine time and terms
Find errors that cross multiple tiers of an infrastructure (and even access Cloud-based environments)
Locate and track configuration changes
Users are also allowed to accelerate their searches by shifting search modes:
They can use the fast mode to quickly locate just the search pattern
They can use the verbose mode to locate the search pattern and also return related pertinent information to help with problem resolution
The smart mode (more on this mode later)
A more advanced feature of Splunk is its ability to create and run automated searches through the command-line interface (CLI) and the even more advanced, Splunk's REST API.
Splunk searches initiated using these advanced features do not go through Splunk Web; therefore, they are much more efficient (more efficient because in these search types, Splunk does not calculate or generate the event timeline, which saves processing time).
In addition to the previously mentioned searching options, Splunk's pivot tool is a drag-and-drop interface that enables you to report on a specific dataset without using SPL (mentioned earlier in this chapter).
The pivot tool uses data model objects (designed and built using the data model editor (which is, discussed later in this book) to arrange and filter the data into more manageable segments, allowing more focused analysis and reporting.
The Splunk event timeline is a visual representation of the number of events that occur at each point in time; it is used to highlight the patterns of events or investigate the highs and lows in event activity.
Calculating the Splunk search event timeline can be very resource expensive and intensive because it needs to create links and folders in order to keep the statistics for the events referenced in the search in a dispatch directory such that this information is available when the user clicks on a bar in the timeline.
Monitoring numerous applications and environments is a typical requirement of any organization's data or support center. The ability to monitor any infrastructure in real time is essential to identify issues, problems, and attacks before they can impact customers, services, and ultimately profitability.
With Splunk's monitoring abilities, specific patterns, trends and thresholds, and so on can be established as events for Splunk to keep an alert for, so that specific individuals don't have to.
Splunk can also trigger notifications (discussed later in this chapter) in real time so that appropriate actions can be taken to follow up on an event or even avoid it as well as avoid the downtime and the expense potentially caused by an event.
Splunk also has the power to execute actions based on certain events or conditions. These actions can include activities such as:
Sending an e-mail
Running a program or script
Creating an organizational support or action ticket
For all events, all of this event information is tracked by Splunk in the form of its internal (Splunk) tickets that can be easily reported at a future date.
Typical Splunk monitoring marks might include the following:
Active Directory: Splunk can watch for changes to an Active Directory environment and collect user and machine metadata.
MS Windows event logs and Windows printer information: Splunk has the ability to locate problems within MS Windows systems and printers located anywhere within the infrastructure.
Files and directories: With Splunk, you can literally monitor all your data sources within your infrastructure, including viewing new data when it arrives.
Windows performance: Windows generates enormous amounts of data that indicates a system's health. A proper analysis of this data can make the difference between a healthy, well-functioning system and a system that suffers from poor performance or downtime. Splunk supports the monitoring of all the Windows performance counters available to the system in real time, and it includes support for both local and remote collections of performance data.
WMI-based data: You can pull event logs from all the Windows servers and desktops in your environment without having to install anything on those machines.
Windows registry information: A registry's health is also very important. Splunk not only tells you when changes to the registry are made but also tells you whether or not those changes were successful.
In addition to searching and monitoring your big data, Splunk can be configured to alert anyone within an organization as to when an event occurs or when a search result meets specific circumstances. You can have both your real-time and historical searches run automatically on a regular schedule for a variety of alerting scenarios.
You can base your Splunk alerts on a wide range of threshold and trend-based situations, for example:
Empty or null conditions
About to exceed conditions
Events that might precede environmental attacks
Server or application errors
Utilizations
All alerts in Splunk are based on timing, meaning that you can configure an alert as:
Real-time alerts: These are alerts that are triggered every time a search returns a specific result, such as when the available disk space reaches a certain level. This kind of alert will give an administrator time to react to the situation before the available space reaches its capacity.
Historical alerts: These are alerts based on scheduled searches to run on a regular basis. These alerts are triggered when the number of events of a certain kind exceed a certain threshold. For example, if a particular application logs errors that exceed a predetermined average.
Rolling time-frame alerts: These alerts can be configured to alert you when a specific condition occurs within a moving time frame. For example, if the number of acceptable failed login attempts exceed 3 in the last 10 minutes (the last 10 minutes based on the time for which a search runs).
Splunk also allows you to create scheduled reports that trigger alerts to perform an action each time the report runs and completes. The alert can be in the form of a message or provide someone with the actual results of the report. (These alert reports might also be set up to alert individuals regardless of whether they are actually set up to receive the actual reports!)
Alerts create records when they are triggered (by the designated event occurrence or when the search result meets the specific circumstances). Alert trigger records can be reviewed easily in Splunk, using the Splunk alert manager (if they have been enabled to take advantage of this feature).
The Splunk alert manager can be used to filter trigger records (alert results) by application, the alert severity, and the alert type. You can also search for specific keywords within the alert output. Alert/trigger records can be set up to automatically expire, or you can use the alert manager to manually delete individual alert records as desired.
Reports can also be created when you create a search (or a pivot) that you would like to run in the future (or share with another Splunk user).
In the world of IT service-level agreement (SLA), a support organization's ability to visualize operational data in real time is vital. This visibility needs to be present across every component of their application's architecture.
IT environments generate overwhelming amounts of information based on:
Configuration changes
User activities
User requests
Operational events
Incidents
Deployments
Streaming events
Additionally, as the world digitizes the volume, the velocity and variety of additional types of data becoming available for analysis increases.
The ability to actually gain (and maintain) visibility in this operationally vital information is referred to as gaining operational intelligence.
Operational intelligence (OI) is a category of real-time, dynamic, business analytics that can deliver key insights and actually drive (manual or automated) actions (specific operational instructions) from the information consumed.
A great majority of IT operations struggle today to access and view operational data, especially in a timely and cost-efficient manner.
Today, the industry has established an organization's ability to evaluate and visualize (the volumes of operational information) in real time as the key metric (or KPI) to evaluate an organization's operational ability to monitor, support, and sustain itself.
At all levels of business and information technology, professionals have begun to realize how IT service quality can impact their revenue and profitability; therefore, they are looking for OI solutions that can run realistic queries against this information to view their operational data and understand what is occurring or is about to occur, in real time.
Having the ability to access and understand this information, operations can:
Automate the validation of a release or deployment
Identify changes when an incident occurs
Quickly identify the root cause of an incident
Automate environment consistency checking
Monitor user transactions
Empower support staff to find answers (significantly reducing escalations)
Give developers self-service to access application or server logs
Create real-time views of data, highlighting the key application performance metrics
Leverage user preferences and usage trends
Identify security breaches
Measure performance
Traditional monitoring tools are inadequate to monitor large-scale distributed custom applications, because they typically don't span all the technologies in an organization's infrastructure and cannot serve the multiple analytic needs effectively. These tools are usually more focused on a particular technology and/or a particular metric and don't provide a complete picture that integrates the data across all application components and infrastructures.
Splunk can index and harness all the operational data of an organization and deliver true service-level reporting, providing a centralized view across all of the interconnected application components and the infrastructures—all without spending millions of dollars in instrumenting the infrastructure with multiple technologies and/or tools (and having to support and maintain them).
No matter how increasingly complex, modular, or distributed and dynamic systems have become, the Splunk technology continues to make it possible to understand these system topologies and to visualize how these systems change in response to changes in the environment or the isolated (related) actions of users or events.
Splunk can be used to link events or transactions (even across multiple technology tiers), put together the entire picture, track performance, visualize usage trends, support better planning for capacity, spot SLA infractions, and even track how the support team is doing, based on how they are being measured.
Splunk enables new levels of visibility with actionable insights to an organization's operational information, which helps in making better decisions.
How will an organization do its analysis? The difference between profits and loss (or even survival and extinction) might depend on an organization's ability to make good decisions.
A Decision Support System (DSS) can support an organization's key individuals (management, operations, planners, and so on) to effectively measure the predictors (which can be rapidly fluctuating and not easily specified in advance) and make the best decisions, decreasing the risk.
There are numerous advantages to successfully implemented organizational decision support systems (those that are successfully implemented). Some of them include:
Increased productivity
Higher efficiency
Better communication
Cost reduction
Time savings
Gaining operational intelligence (described earlier in this chapter)
Supportive education
Enhancing the ability to control processes and processing
Trend/pattern identification
Measuring the results of services by channel, location, season, demographic, or a number of other parameters
The reconciliation of fees
Finding the heaviest users (or abusers)
Many more…
Can you use Splunk as a real-time decision support system? Of course, you can! Splunk becomes your DSS by providing the following abilities for users:
Splunk is adaptable, flexible, interactive, and easy to learn and use
Splunk can be used to answer both structured and unstructured questions based on data
Splunk can produce responses efficiently and quickly
Splunk supports individuals and groups at all levels within an organization
Splunk permits a scheduled-control of developed processes
Splunk supports the development of Splunk configurations, apps, and so on (by all the levels of end users)
Splunk provides access to all forms of data in a universal fashion
Splunk is available in both standalone and web-based integrations
Splunk possess the ability to collect real-time data with details of this data (collected in an organization's master or other data) and so much more
Typically, your average analytical project will begin with requirements: a predetermined set of questions to be answered based on the available data. Requirements will then evolve into a data modeling effort, with the objective of producing a model developed specifically to allow users to answer defined questions, over and over again (based on different parameters, such as customer, period, or product).
Limitations (of this approach to analytics) are imposed to analytics because the use of formal data models requires structured schemas to use (access or query) the data. However, the data indexed in Splunk doesn't have these limitations because the schema is applied at the time of searching, allowing you to come up with and ask different questions while they continue to explore and get to know the data.
Another significant feature of Splunk is that it does not require data to be specifically extracted, transformed, and then (re)loaded (ETL'ed) into an accessible model for Splunk to get started. Splunk just needs to be pointed to the data for it to index the data and be ready to go.
These capabilities (along with the ability to easily create dashboards and applications based on specific objectives), empower the Splunk user (and the business) with key insights—all in real time.
Today, organizations have implemented analytical BI tools and (in some cases) even enterprise data warehouses (EDW).
You might think that Splunk will have to compete with these tools, but Splunk's goal is to not replace the existing tools and work with the existing tools, essentially complimenting them by giving users the ability to integrate understandings from available machine data sources with any of their organized or structured data. This kind of integrated intelligence can be established quickly (usually in a matter of hours, not days or months).
Using the compliment (not to replace) methodology:
Data architects can expand the scope of the data being used in their other analytical tools
Developers can use software development kits (SDKs) and application program interfaces (APIs) to directly access Splunk data from within their applications (making it available in the existing data visualization tools)
Business analysts can take advantage of Splunk's easy-to-use interface in order to create a wide range of searches and alerts, dashboards, and perform in-depth data analytics
Splunk can also be the engine behind applications by exploiting the Splunk ODBC connector to connect to and access any data already read into and indexed by Splunk, harnessing the power and capabilities of the data, perhaps through an interface more familiar to a business analyst and not requiring specific programming to access the data.
An analyst can leverage expertise in technologies such as MS Excel or Tableau to perform actions that might otherwise require a Splunk administrator using the Splunk ODBC driver to connect to Splunk data. The analyst can then create specific queries on the Splunk-indexed data, using the interface (for example, the query wizard in Excel), and then the Splunk ODBC driver will transform these requests into effectual Splunk searches (behind the scenes).