Splunk is the IT Search engine. It lets you index, search, alert and report on any IT data, in real time, for application management, IT operations, security and compliance, and more. Splunk consumes any data, from log files, system metrics, applications, configurations and more.
Splunk's UI is packed with features. Read through the following topics to get a better sense of how to navigate and manage your Splunk installation.
Splunk 4.0 is made up of apps. Apps create different contexts for your data out of sets of views, dashboards, and configurations. Right now, you're in the Getting Started app, but there are lots of other apps available to you. For example, Splunk ships with an app that is specifically designed to work with the OS you're running. Your Splunk deployment may also include custom-built or installed apps. By default, Splunk includes the Search app, and all the examples in this app will launch the Search app in a new window (or tab, if you're using Firefox).
Navigate between apps
To navigate to another app, use the App drop-down in the upper right hand corner:
To see a list of apps that are currently installed in your Splunk instance, you can return to Launcher by clicking the App menu in the upper right hand corner of this page and choosing Launcher. This will take you out of the Getting Started app, but you can get back here by choosing Getting Started again from the Launcher or the App menu.
Used Splunk before? Looking for something a little more familiar?
If you've used Splunk before, you're probably looking for the Search app. To get to the Search app, return to the App Launcher by clicking the App menu in the upper right hand corner of this page and choosing Launcher. Then, select the Search app from the list.
Much of Splunk's management options are now available through Splunk Web (Splunk's user interface). Note that some configurations are only available to Splunk users with admin privileges. If you can't access some of the configurations discussed in this app, you may not have permission to access them.
Use Splunk Manager
Manage your configurations and apps with Splunk Manager. Almost every configuration change can be set through Splunk Manager. Get to Manager by clicking on the Manager link in the upper right hand corner:
Use Job Manager
Manage your searches with Job Manager. All of your searches run as jobs. You can list and control all the searches running on your system by clicking the Jobs link in the upper right hand corner:
Add more apps
To browse for and download more apps for Splunk, return to the App Launcher and click the Browse Apps tab.
You can make your own apps too! Refer to the Developer Manual for information.
If a machine generates it, Splunk can index it. Yep, that's right -- Splunk can index any IT data (regardless of source or format) without custom parsers, connectors, or adapters. Feed Splunk anything from syslog from Unix servers and network devices, to Event Logs on Windows, to custom application logs and even configurations and system metrics -- you'll finally get real visibility into your entire operation.
Wondering what IT data is? Read more here.
There are lots of ways to get your data into Splunk.
If you have a file on your local machine, upload it to Splunk through Splunk Manager.
Configure Splunk to read from files that are currently being written to by any program or device. This is how you'd monitor live application logs such as those coming from J2EE or .Net applications, Web access logs, and so on. Splunk will continue to index the data in this file or directory as it comes in. This file or directory must be reachable from the Splunk host you're using.
Use this method to capture "raw" data that is being sent over a TCP or UDP port. For example, set up Splunk to listen on UDP 514 to capture syslog data.
By default, Splunk ships with an app written specifically for your OS, such as Windows or *nix. These apps let you monitor system performance, event logs, and filesystem and registry changes. Set up inputs for these apps by enabling them. You can also download more apps from SplunkBase to fit your data, such as Blue Coat.
To switch to and enable the Windows or UNIX app:
There are other ways to get your data into Splunk. Here are a few popular options:
Script your own inputs
Create a scripted input for your custom data source. Scripted inputs are useful for command-line tools such as vmstat, iostat, netstat, top, etc. They can also pull data from APIs, other remote data interfaces and message queues, or generate metrics and status data by running system and application status commands. Lots of apps on SplunkBase provide scripted inputs for specific applications. Set up scripted inputs from Splunk Manager.
Monitor file system changes
Interested in what changes are happening on your file system? Set up file system change monitoring and see every change as it occurs. Use this method to monitor critical files, configuration files, etc., as required by many compliance mandates, and to find system-impacting or unauthorized changes for security and operations.
Centralize data for a distributed environment
Wonder how you'll get data to Splunk from a distributed environment, such as a farm of app or web servers logging locally? Splunk can be configured as a lightweight forwarder and deployed to dozens, hundreds or even thousands of servers to capture data in real time and send it to a central Splunk indexer. Use Splunk forwarders to send data to Splunk from other systems. Set up forwarding from Splunk Manager.
Once you have data in Splunk, you can use the Search app to investigate security incidents; troubleshoot application, server and network problems; or just proactively review system and user activity.
Search for any text that you expect to find in your data.
Your search results are just as interactive as the timeline. In this section, you'll see how, with just one click, you can add, remove, and exclude terms from your search.
Free form search is easy and powerful, but it doesn't always give you the answer that you want. For example, you may want to exclude events with the HTTP status code 200. But, if you just search for "NOT 200", you'll also remove events you might want to keep, such as "503" status events coming from IP addresses with 200 in them.
As Splunk indexes every term in your original data, it discovers and adds fields based on name/value pairs, headers, or other information that is otherwise self-explanatory. For example, Splunk automatically adds information about where the data came from into host, source and sourcetype fields. Splunk might also recognize other parts of your data, such as IP addresses, HTTP status codes, etc. You can also add your own fields, as discussed in the Add knowledge section of this app.
Fields that are visible in your search results are listed under the 'Selected fields' header. You can select more fields to show. Other fields that Splunk discovered automatically are listed under 'Other interesting fields'.
The timeline is a visual representation of the number of events that occur at each point in time. Thus, you can use the timeline to highlight patterns of events or investigate peaks and lows in event activity.
Search assistant is a quick in-product reference for users who are constructing searches. It provides details about the search command, including examples of usage, and suggests other commands for you to use.
Splunk takes search where it's never been before by automatically extracting knowledge from your IT data and letting you add your own knowledge on-the-fly. Add knowledge about the events, fields, transactions, patterns and statistics in your data. You can identify, name and tag this data as well.
Splunk maps all this knowledge at search time, so you can add new fields and event types anytime you need them, without re-indexing the data. Go from finding all events with a particular username, to instantly getting statistics on specific user activities.
When you search your data, you're essentially weeding out all unwanted events; the results of your search are events that share common characteristics, and you can give them a collective name or "event type". The names of your event types are added as values into an eventtype field. This means that you can search for these groups of events the same way you search for any field. The following example takes you through the steps to save a search as an event type and then search for that field.
If you run frequent searches to investigate SSH and firewall activities, such as sshd logins or firewall denies, you can save these searches as event types. Also, if you see error messages that are cryptic, you can save them as an event type with a more descriptive name.
Splunk automatically extracts knowledge for you as you index new data, and you can also add new knowledge anytime you need it -- without re-indexing your data. This section shows you how to use the field extractor to interactively extract and save new fields.
Tags help you group search results that share field values. A tag is a name that you attach to a particular value of a field such as eventtype, host, source, or sourcetype. For example, you can tag host values with a service name or a note indicating compliance with regulations like PCI.
Generally, you can use tags to:
There are two ways to search for a tag; you can search for the tag across all events or in a particular field.
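The following is an added illustrative model, not Splunk's own code, of the search-time knowledge described above: fields are extracted from raw events at search time, saved searches become values of an eventtype field, and tags attach to (field, value) pairs. It also shows why a free-text "NOT 200" drops the 503 event from a client whose IP contains 200 while a field search "NOT status=200" keeps it. The log lines, event-type predicates and tags are constructed for this example.

```python
import re

# Constructed sample access-log events (illustrative, not from the page)
EVENTS = [
    '10.0.0.7 - - [01/Jan/2010:10:00:01] "GET /index.html HTTP/1.1" 200 512',
    '10.200.3.9 - - [01/Jan/2010:10:00:02] "GET /api/login HTTP/1.1" 503 0',
    '192.168.1.4 - - [01/Jan/2010:10:00:03] "POST /api/login HTTP/1.1" 401 0',
    '10.0.0.7 - - [01/Jan/2010:10:00:04] "GET /api/report HTTP/1.1" 200 2200',
]
ACCESS_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                       r'(?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)')
# Hypothetical saved searches turned into event types: name -> predicate on fields
EVENTTYPES = {
    "web_error": lambda f: f.get("status", "").startswith(("4", "5")),
    "login_attempt": lambda f: f.get("uri") == "/api/login",
}
# Hypothetical tags attached to (field, value) pairs
TAGS = {("eventtype", "web_error"): {"alert"}, ("clientip", "10.200.3.9"): {"pci"}}

def free_text_search(events, *terms):
    """Raw-text matching (substring approximation of Splunk's term index):
    'NOT 200' drops any event whose text contains 200, including IPs."""
    def keep(raw):
        return all((t[4:] not in raw) if t.startswith("NOT ") else (t in raw) for t in terms)
    return [e for e in events if keep(e)]

def enrich(raw):
    """Search-time knowledge: extract fields, then derive eventtype and tag values."""
    m = ACCESS_RE.match(raw)
    fields = m.groupdict() if m else {}
    fields["eventtype"] = [n for n, pred in EVENTTYPES.items() if pred(fields)]
    tagmap = {}  # field name -> set of tags attached to that field's value(s)
    for name, val in fields.items():
        for v in (val if isinstance(val, list) else [val]):
            if (name, v) in TAGS:
                tagmap.setdefault(name, set()).update(TAGS[(name, v)])
    fields["tag"] = tagmap
    return fields

def field_search(events, field, value, negate=False):
    """field=value / NOT field=value search over extracted fields."""
    out = []
    for raw in events:
        val = enrich(raw).get(field)
        hit = value in val if isinstance(val, list) else val == value
        if hit != negate:
            out.append(raw)
    return out

def tag_search(events, tag, field=None):
    """tag=<name> searches tags on all fields; field='eventtype' restricts to one field."""
    out = []
    for raw in events:
        tags = enrich(raw)["tag"]
        pool = tags.get(field, set()) if field else set().union(*tags.values())
        if tag in pool:
            out.append(raw)
    return out
```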
There's more that you can do to best use and extend Splunk so that it works with your data in a manner that fulfills the needs of your enterprise. You'll want to consult the Knowledge Manager manual as you optimize, maintain, and expand your Splunk deployment over time.
The Knowledge Manager manual teaches you:
After you use Splunk to identify and locate problems in your system, take advantage of its monitoring and alerting capabilities to keep you notified if those situations recur. Configure any search to run on a set schedule. Set up any scheduled search to alert you when the search results meet conditions that you define. Note: This feature is not available when you use Splunk with a Free license. If you are using Splunk with an Enterprise Trial license, you won't have access to this feature after your trial expires.
Once you've scheduled your search, turn it into an alert.
Create reports with Splunk's built-in visualization tools. Splunk gives you a wide range of options when it comes to reporting. Create simple "top values over time" reports directly from your search results. Use Report Builder to define and format sophisticated charts. Or define reports by hand using Splunk's powerful statistical commands. Finally, you can quickly create dashboards that share your best reports with others.
After you run a search you can quickly launch reports providing basic information about the fields in your search results.
Launch the report builder to create and format your reports.
When you use the Report Builder drop-down lists to define a report, you may notice that Splunk updates the Report Builder search box with the statistical reporting commands Splunk uses to run the report. This section explains how to use these reporting commands directly from the search bar.
Note: The example searches below utilize information in Splunk's internal index, which is only available to users with Admin permissions.
When you run a report, Splunk can preview the report results for you as the search runs. This feature saves you time, especially when running searches across large time periods. Note that report preview is enabled by default for searches that use reporting commands, so try it out on a report over a large period of time.
Embed searches and reports in the UI by creating a dashboard that makes your most useful and informative reports available to other users. All you need to have in advance is a set of saved reports that you want to display in dashboard format.
Looking for more information about what you can do with Splunk? Here are a few more links to Splunk's online documentation.