Splunks namesake Splunk Professional, now at Version 2.2, takes log-file and other time-stamped IT performance and monitoring data and turns it into a searchable body of troubleshooting information.
Splunks secret sauce is the ability to look for time stamps in log entries and turn the log information into compressed, indexed metadata that can then be searched via the user interface.
Splunk Professional is licensed either on an annual term or by perpetual license. Prices are based on the peak daily volume of indexed data and selected support options. Pricing starts at $2,500 per year, allowing as much as 500MB of indexing per day (extending to terabytes of indexing per day, with no limit on the number of instances of the Splunk software).
eWEEK Labs installed Splunk Professional 2.2 on a system running Canonicals Ubuntu 6.10 with 160GB of disk space. Splunk Professional 2.2 is supported on a variety of Unix and Linux platforms, although Splunk users can access searches and the administrative console—and do almost all system configuration tasks—via the applications Web interface.
eWEEK Labs recommends that midsize to large organizations with IT troubleshooting staff consider adding Splunk Professional 2.2 to their management tool kit. The products ability to sift through huge amounts of data to answer the essential question, “What was happening just before XYZ application stopped working?” is well worth the educational effort needed to use the product.
And while installation and setup are straightforward, Splunk Professional 2.2 does have a significant learning curve for anything beyond basic log-file investigations. For one thing, event data can be tagged to make it even more useful during problem searches. But the knowledge needed to make effective tags, or even to figure out what data should be tagged, takes significant product experience.
Splunk Professional 2.2 allows IT managers to accept data from many sources. To keep the large amounts of collected data relevant, the product provides for a number of intake configurations.
In our tests—which monitored a variety of Windows Server 2003 systems running Microsofts Exchange and SQL Server, along with several Ubuntu Linux servers running the Apache Web server—Splunk Professional 2.2 was adept at quickly finding information such as which administrator made a system change and what was newly installed on our systems. The product sent us alerts via e-mail if a problematic event reoccurred.
We used Splunk Professional 2.2 to monitor Cisco Systems switches and WatchGuard Technologies firewall syslogs and to receive SNMP traps from a Cisco router. We were impressed with the products ability to provide time-related log files and SNMP data that correlated to changes we had made in our network that broke connections or impeded application efficiency, such as loading our switches with high volumes of test traffic.
After spending several weeks with the product, we were able to construct Splunks, or queries, that answered questions about why some users on our test systems were not receiving e-mail. The problem, it turned out, was content-filter rules that had been set on our Exchange Server system; the rules generated log entries each time a message was intercepted. Splunk Professional 2.2 was able to show us these violations by filtering through hundreds of thousands of daily log files in a matter of seconds.
Technical Director Cameron Sturdevant can be reached at [email protected]
LogRhythms LogRhythm: Focuses on security log management but can be used to report on other logged events (www.logrhythm.com)
RippleTechs LogCaster:Collects log data for auditing and compliance uses (www.rippletech.com)
TriGeos Security Information Manager: Focuses on intrusion and firewall event correlation (www.trigeo.com)