Splunk is hands down the best log analysis tooling I've used. If not for the hefty price tag, I'd use it for my personal stuff and every workplace I've been. Structured logs and Splunk are the stuff dreams are made of if you care about monitoring the quality of software.
sethammons|2 years ago
The logs-into-metrics abilities along with the ability to unlock finding relationships in data is amazing. Mouse over the fields found in logs matching your search and see the top N values for these other keys.
Imagine getting an alert and being able to search your logs for that error message and immediately being able to see it affects these N users disproportionally, that it is split 50/50 in two of your seven regions, only affects version X of your service. A couple more searches to dig in and you can see it is only feature Y with setting Z that is the problem. You switch to a timechart view and can see the moment the error started and the affected user counts. A few more minutes and your support team has a list of known affected users. You decide to monitor this new feature so you quickly create a new dashboard (or panel on an existing dashboard) and a new alert. At no time did you have to declare a field of your structured logs as an index or as searchable or aggregatable.
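The investigation described in that comment, as an added example that is not part of the thread and is not Splunk's own code: a few constructed JSON log lines are parsed, every key becomes a searchable field the moment it is read (nothing is declared up front), the "field sidebar" is a counter per field showing top N values, and the timechart is a bucketed count. The field names (user, region, version, feature, setting), the error message and the sample events are all assumptions made for the example.

```python
"""Field discovery and pivoting over structured (JSON) logs.

Mimics the workflow from the comment: search for an error message, look at
the top-N values of every field in the matching events, bucket them into a
timechart, and hand support a list of affected users. No field is declared
as indexed or aggregatable in advance; whatever keys the events carry are
usable immediately.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real data). Eight of them carry the error;
# they all share one version, feature and setting, and split 50/50 by region.
SAMPLE_LOGS = [
    '{"ts":"2024-05-01T10:00:05Z","level":"info","msg":"checkout ok","user":"u7","region":"us-west","version":"2.3.0","feature":"checkout","setting":"retry=on"}',
    '{"ts":"2024-05-01T10:00:30Z","level":"info","msg":"checkout ok","user":"u8","region":"ap-south","version":"2.3.1","feature":"checkout","setting":"retry=on"}',
    '{"ts":"2024-05-01T10:01:02Z","level":"error","msg":"payment gateway timeout","user":"u1","region":"us-east","version":"2.3.1","feature":"express_checkout","setting":"retry=off"}',
    '{"ts":"2024-05-01T10:01:10Z","level":"error","msg":"payment gateway timeout","user":"u1","region":"us-east","version":"2.3.1","feature":"express_checkout","setting":"retry=off"}',
    '{"ts":"2024-05-01T10:01:20Z","level":"error","msg":"payment gateway timeout","user":"u2","region":"eu-west","version":"2.3.1","feature":"express_checkout","setting":"retry=off"}',
    '{"ts":"2024-05-01T10:01:45Z","level":"info","msg":"checkout ok","user":"u9","region":"eu-west","version":"2.3.1","feature":"checkout","setting":"retry=on"}',
    '{"ts":"2024-05-01T10:02:03Z","level":"error","msg":"payment gateway timeout","user":"u1","region":"us-east","version":"2.3.1","feature":"express_checkout","setting":"retry=off"}',
    '{"ts":"2024-05-01T10:02:15Z","level":"error","msg":"payment gateway timeout","user":"u3","region":"eu-west","version":"2.3.1","feature":"express_checkout","setting":"retry=off"}',
    '{"ts":"2024-05-01T10:02:40Z","level":"error","msg":"payment gateway timeout","user":"u1","region":"us-east","version":"2.3.1","feature":"express_checkout","setting":"retry=off"}',
    '{"ts":"2024-05-01T10:02:50Z","level":"error","msg":"payment gateway timeout","user":"u2","region":"eu-west","version":"2.3.1","feature":"express_checkout","setting":"retry=off"}',
    '{"ts":"2024-05-01T10:03:05Z","level":"error","msg":"payment gateway timeout","user":"u4","region":"eu-west","version":"2.3.1","feature":"express_checkout","setting":"retry=off"}',
    '{"ts":"2024-05-01T10:03:30Z","level":"info","msg":"checkout ok","user":"u1","region":"us-east","version":"2.3.1","feature":"express_checkout","setting":"retry=on"}',
]


def parse(lines):
    """Turn raw JSON lines into events. Every key is a field from here on."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["_raw"] = line
        ev["_time"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).timestamp()
        events.append(ev)
    return events


def search(events, text=None, **filters):
    """Free-text match against the raw line plus optional field=value filters."""
    hits = []
    for ev in events:
        if text is not None and text.lower() not in ev["_raw"].lower():
            continue
        if any(ev.get(k) != v for k, v in filters.items()):
            continue
        hits.append(ev)
    return hits


def top_values(events, n=3, skip=("_raw", "_time", "ts")):
    """Top-N values of every field present in the result set (the sidebar view)."""
    counts = defaultdict(Counter)
    for ev in events:
        for k, v in ev.items():
            if k not in skip:
                counts[k][v] += 1
    return {k: c.most_common(n) for k, c in counts.items()}


def timechart(events, span=60, by=None):
    """Count events per time bucket of `span` seconds, optionally split by a field."""
    chart = defaultdict(Counter)
    for ev in events:
        bucket = int(ev["_time"] // span * span)
        series = ev.get(by, "unknown") if by else "count"
        chart[bucket][series] += 1
    return {
        datetime.fromtimestamp(b, tz=timezone.utc).strftime("%H:%M"): dict(c)
        for b, c in sorted(chart.items())
    }


def affected_users(events, field="user"):
    """Distinct users in the result set with hit counts, most affected first."""
    counts = Counter(ev[field] for ev in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    hits = search(evts, "payment gateway timeout")
    print(f"{len(hits)} matching events")
    for field, top in top_values(hits).items():
        print(f"  {field}: {top}")
    print("timechart by region:", timechart(hits, by="region"))
    print("affected users:", affected_users(hits))
```

Running it shows the pivot the comment describes: all eight hits are on one version, one feature and one setting, the regions split four and four, and one user accounts for half the failures. Narrowing with `search(evts, "payment gateway timeout", setting="retry=on")` returns nothing, which is the "only setting Z is the problem" step.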
Splunk has delivered this level of innovation and quality since 2007 when I first used it.
0xEFF|2 years ago
We used Splunk to associate a change request ticket number all the way through the change control process to the Puppet log output, tagging each change to the original business purpose.
It was like magic for auditors back then and I rarely see that depth of tracing automated changes to business purpose in the field today, though we get close with gitops.
The entire moat is gone. The biggest value driver they had was integrations to get the data there, but now eBPF, Telegraf and Vector have destroyed that moat.
ckdarby|2 years ago
With Vector you can even source from Splunk and move elsewhere.
Covzire|2 years ago
OMB Memorandum M-21-31 [0], “Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents”, includes directives to ensure event logging goes well beyond the current norms.
By all accounts I've heard it's going to enrich the fortunes of every single SIEM/log aggregation company out there; pretty much every govt contractor is going to need larger licenses in the next few years as contracts get rewritten with this EO in mind.
[0] https://www.fedramp.gov/2023-07-14-fedramp-guidance-for-m-21...
Partially, but Splunk has been on the market for some time actually. Also, large companies that compete with Cisco like CRWD, PAN, etc. have been building out SIEM capabilities, as has Cisco, though Cisco being Cisco it didn't get the attention needed.
We [Notion] switched to Splunk Cloud a year or so ago, and it's vastly better than the other logging systems we've used. Much, much better than Kibana/Elasticsearch. We don't need to worry about indexed property limits anymore, yay. I'm a happy user.
Same for us [Obsidian Sync], although we've not had to worry about property limits yet - although it seems like we won't have to either. For us it was having a lot of in-house experience with Splunk already that gave us a reason to consider and in the end settle on it.
The software seems very lazy. The interface belongs in the 90s. They've been resting on their laurels for eons. The fuckin basic ass PowerShell IDE that comes with windows is about seventeen trillion times more well designed and user-friendly.
Maybe, but the Splunk query language is reasonably well liked by its users, at least in the security space. Much more approachable than SQL, which seems to be what all new tools these days are forcing users to use due to their dependence on Snowflake and Presto/Trino. In Splunk, you can type free text queries, and you can also add structure. Fairly flexible. We’ve been asked many times to make Scanner’s query lang more like Splunk’s.
alephnerd|2 years ago
jitl|2 years ago
notsureanymor99|2 years ago
akulbe|2 years ago
Not arguing with you, it's genuine curiosity on my part.
pbjtime|2 years ago
liveoneggs|2 years ago
markstos|2 years ago
PagerDuty is significantly better for about the same price and demonstrates ways in which the product could have kept improving.
cliffcrosland|2 years ago