Splunk Advances Data Platforms for What's Next

Splunk announces new enterprise and security platforms at its annual .conf event.

Splunk .conf 2018

Splunk held its annual .conf customer event Oct. 1-4, making a series of announcements about product direction and new capabilities across its portfolio.

Among the new products is the general availability of the Splunk Enterprise 7.2 platform, which provides insight into log files and network traffic. Splunk also announced its latest security platform updates, including the Splunk Phantom 4.1 technology, which is a Security Orchestration Automation and Response (SOAR) offering, as well as the Splunk ES (Enterprise Security) 5.2 and UBA (User Behavior Analytics) 4.2 updates. Rounding out the updates was a preview of Splunk Next, which is a set of continuously evolving technologies.

"We've got to find ways to work the way your data works," Doug Merritt, president and CEO of Splunk, said during his opening keynote. "It's all about making things happen with data."

Merritt said that a key goal of Splunk is to enable organizations to go from a sprawl of seeming chaos to business actions. He emphasized that Splunk across all of its platforms is about helping organizations gain value from unstructured data.

"Data is the raw material for all the output that is going to be meaningfully monetized," he said. "The people that can make things happen with data are the most valuable players on the field."

Splunk Enterprise 7.2

Josh Klahr, vice president of product management, explained that Splunk Enterprise is the core platform that enables Splunk's capabilities. 

Among the new features in Splunk Enterprise 7.2 is one called Health Report that can alert administrators when systems hit policy-based thresholds for different system attributes, such as storage space. Storage itself is getting a major boost in Splunk Enterprise 7.2 with the new SmartStore feature, which separates compute from storage so that the Splunk storage layer can now be any Amazon S3 API-compliant object storage system.

Another new feature is Workload Management, which enables Splunk administrators to dedicate CPU and memory resources across a cluster to wherever they need to go and to enable priority assignment to different groups.

Splunk Enterprise 7.2 also adds a new source type for data called log to metrics that enables real-time data analysis with the new metrics workspace tool for visualizing data. Additionally, Splunk has taken a page from Apple's macOS Mojave refresh and added a new optional dark theme to the dashboard display.
In April, Splunk acquired SOAR vendor Phantom in a $350 million deal. Now part of Splunk, the new Phantom 4.1 release was announced, providing enhanced automation scale.

Phantom isn't the first security vendor that Splunk has acquired. Splunk had previously expanded its security capabilities through the $190 million acquisition of User Behavior Analytics (UBA) vendor Caspida in 2015. At .conf 2018, the Splunk UBA 4.2 release was also announced, providing organizations with improved machine learning based security analytics.

Splunk Enterprise Security 5.2 was also announced at .conf, providing new SIEM (Security Information and Event Manager) capabilities. Monzy Merza, vice president of security research, said that ES 5.2 includes new security use-case libraries to help organizations with different security tasks. One of the use cases is to enable analytics for suspicious email, which maps to research and notable events. Merza said ES 5.2 also benefits from an enhanced event sequencing view.

"Event sequencing looks at the threat from a standpoint of view so you can see everything across the kill chain," Merza said.

Merza added that the alerts in ES 5.2 can now also be used to trigger a playbook in Phantom 4.2, which in turn will execute a series of orchestrated events to help with response and mitigation.

Splunk Next

Looking beyond its core platform and existing products, Tim Tully, senior vice president and chief technology officer, explained that Splunk Next is a set of beta tools that complement the existing Splunk platform. Among the first Splunk Next efforts is the Splunk Data Stream Processor for performing analytics on data in motion. 

The Splunk Data Fabric Search is another new Splunk Next effort that will enable federated queries across multiple Splunk indexes. Another Splunk Next effort is Splunk Mobile, which Tully said brings the power of Splunk to mobile devices.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.