Date posted: 19-Jan-2017 | Category: Technology | Uploaded by: splunk
Copyright © 2016 Splunk Inc.
Splunk Overview
Agenda
• What is Splunk Enterprise?
• Deployment & Integration
• Real-Time Search, Alert & Reporting
• Universal Indexing Explained
• Splunk Developer Platform
Make machine data accessible, usable and valuable to everyone.
Industry Leading Platform For Machine Data
Machine Data: Any Location, Type, Volume
Platform capabilities: Platform Support (Apps / API / SDKs), Enterprise Scalability, Universal Indexing, Answer Any Question
Ways to answer questions: Custom dashboards, Report and analyze, Monitor and alert, Developer Platform, Ad hoc search
Data sources (slide figure): Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
Locations: On-Premises, Private Cloud, Public Cloud
• Any amount, any location, any source
• Schema-on-the-fly
• Universal indexing
• No back-end RDBMS
• No need to filter data
Splunk Software Deployment and Integration
Simple Steps to Deploy Splunk Enterprise
Four steps:
1. Download
2. Install
3. Forward Data
4. Search
Data sources (slide figure): Databases, Networks, Servers, Virtual Machines, Smartphones and Devices, Custom Applications, Security, Web Server, Sensors
Product Roles
Searching and Reporting (Search Head)
Indexing and Search Services (Indexer)
Data Collection and Forwarding (Forwarder)
Data Governor (Cluster Master)
Distributed Management (Deployment Server)
Enterprise-Class Scale, Resilience and Interoperability
Scales to Hundreds of TBs/Day
• Send data from thousands of servers using any combination of Splunk Forwarders
• Auto load-balanced forwarding to Splunk Indexers
• Offload search load to Splunk Search Heads
Simple Steps to Deploy Splunk Cloud
Three steps:
1. Sign Up
2. Forward Data
3. Search
Visibility Across Datacenters
Distributed search unifies the view across locations (New York, Tokyo, London, Cloud)
Role-based access controls how far a given user's search will span
Ingests Data From Heterogeneous Data Sources
Agent-Less and Agent Approach for Flexibility and Optimization
• Unix, Linux and Windows hosts: Local File Monitoring with the Splunk Forwarder; on Windows also Event Logs, Performance counters and Active Directory
• Mounted File Systems (\\hostname\mount), including virtual hosts
• syslog hosts and network devices: syslog over TCP/UDP
• Mainframes and *nix: Scripted or Modular Inputs (shell scripts, perf, shell API, API subscriptions)
• Wire Data: Splunk App for Stream
• DevOps/IoT: HTTP Event Collector
Forwards Events to Third-Party Systems
• Service Desk
• Event Console
• SIEM
Events can be forwarded raw or formatted.
Delivers Mission-Critical Availability (Clustering)
• Data replication – maintain searchability even if servers go down
• Multi-site capable – maintain searchability even if a site goes down
• Search Affinity – optimizes searches by fetching from the closest/fastest location
Slide figure: replication between a Portland datacenter and a New York datacenter
Integrates with Third-Party Business Tools
STEP 1 Business user (analyst) communicates data requirements to the Splunk admin
STEP 2 Splunk admin authors saved searches in Splunk Enterprise, thereby making the searches available to the ODBC driver
STEP 3 Business user uses a tool to access the saved searches and retrieve data from Splunk Enterprise
The ODBC driver is a SQL to SPL translation layer that exposes the saved searches to the analyst's tool.
Real-Time Search, Alerting & Reporting
Turn Machine Data Into Operational Intelligence: Answer Any Question
(Platform Support (Apps / API / SDKs), Enterprise Scalability, Universal Indexing; Custom Dashboards, Report and Analyze, Monitor and Alert, Developer Platform, Ad hoc Search)
Search All Your Machine Data
• Real-time and historical data on-premises, in the cloud or both
• Over 140 commands including anomaly detection and machine learning
Data pipeline (slide figure)
Inputs: Monitor Input, TCP/UDP Input, Scripted Input
Parsing Queue and Parsing Pipeline:
• Source, event typing
• Character set normalization
• Line breaking
• Timestamp identification
• Regex transforms
Index Queue and Indexing Pipeline: writes Raw Data and Index Files into the Splunk Index
Real-Time Buffer: feeds the Real-Time Search Process
• Search all your data
• Results right away
• Schema-on-the-fly
Schema-on-the-Fly
Raw events with auto-detected fields and values
Extract Fields Anytime
• Highlight-to-extract multiple fields at once
• Apply keyword search filters
• Specify required text in extractions
• View diverse and rare events
• Validate extracted values with field stats
Simple field extraction
Enrich Raw Data to Make It More Meaningful
Create additional fields from the raw data with a lookup to an external data source (LDAP, AD, WatchLists, CRM/ERP, CMDB)
Data goes in, insight comes out
Actionable Alerting
Alerts
• Create alerts based on any search
• Customize content and format of email alerts
• Trigger a script
• Custom Alert Actions
  – Allows packaged integration with third-party applications
  – Enable custom workflows
  – Developers can build, package and publish alert actions
Dynamic Reporting
Reports: chart on any search, choose a visualization, save as a report
• Visually represent the results of a search
• Run on an ad hoc basis or save the report to view later
• Share it with others on the team or a different group
• Add reports to a new or existing dashboard
Visualize Any Data
Custom Visualizations
• Open framework to create or customize any visual
• Visuals shared via Splunkbase library
• Available for any use: search, dashboards, reports
• Visuals for IT, security, IoT and business analytics
Define Relationships in Machine Data
Data Model
• Describes how underlying machine data is represented and accessed
• Defines meaningful relationships in the data
• Enables single authoritative view of underlying raw data
• Hierarchical object view of underlying data; add constraints to filter out events
High Performance Analytics Store
Transparent Acceleration
● Automatically collected – handles timing issues, backfill…
● Automatically maintained – uses acceleration window
● Stored on the indexers – peer to the buckets
● Fault tolerant collection
Acceleration is enabled per data model with a checkbox, together with the time window of data that is accelerated
Event Sampling
• Powerful search option provides unbiased sample results
• Useful to quickly determine dataset characteristics
• Speeds large-scale data investigation and discovery
Sample Random Events
Easy-to-Use Analytics (Pivot)
● Drag-and-drop interface enables any user to analyze data
● Create complex queries and reports without learning search language
● Click to visualize any chart type; reports dynamically update when fields change
Pivot UI: select fields from the data model, choose the time window, pick any chart type from the chart toolbox, and save the report to share
Combine Reports to Create Dashboards
• Use the built-in dashboard editor
• Or embed the reports into external sites like a wiki
Universal Indexing Explained
Inside Universal Indexing
• Accurate searching and trending by time across all data
• Automatic event boundary identification
• Automatic timestamp normalization
How Search Works
Preview and Configure Data
• Select or create sourcetype
• Set desired parameters
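As an added example that is not from the deck: the sourcetype parameters set when previewing data, and the parsing-pipeline stages shown earlier (line breaking, character set normalization, timestamp identification, regex transforms), expressed as a props.conf stanza with a companion transforms.conf stanza. The sourcetype name acme:auth, the target index security and the event layout are assumptions made for illustration.

```ini
# props.conf (hypothetical sourcetype acme:auth, constructed for this example)
# Sample event it is written for (constructed):
#   2017-01-19T10:15:32+0000 user=alice src=10.0.0.5 result=FAIL
[acme:auth]
# Line breaking: each line is one event, no multi-line merging
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Character set normalization: declare the source encoding explicitly
CHARSET = UTF-8
# Timestamp identification: ISO-8601 at the start of the line; the explicit
# time zone keeps events from different sites in the right order
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 25
# Guard against a runaway line being indexed as one huge event
TRUNCATE = 10000
# Index-time regex transform, applied in the parsing pipeline
TRANSFORMS-route = acme_auth_to_security_index
# Search-time field extraction (schema-on-the-fly, nothing stored at index time)
EXTRACT-auth = user=(?<user>\S+)\s+src=(?<src>\S+)\s+result=(?<result>\w+)

# transforms.conf
[acme_auth_to_security_index]
# Route failed-authentication events to a dedicated index so they can get
# their own retention and role-based access; other events keep the input's index
REGEX = result=FAIL
DEST_KEY = _MetaData:Index
FORMAT = security
```

The security index must exist in indexes.conf on the indexers, otherwise routed events are dropped.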
How the Data is Stored and Aged in Splunk
Index buckets age through four stages: Hot, Warm, Cold and Frozen
• Hot – Newest buckets of data that are still open for write
• Warm – Recent data but closed for writing (read only)
• Cold – Oldest data, commonly on cheaper, slower storage
• Frozen – No longer searchable, commonly archived or deleted data
Optional TSIDX Reduction
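As an added example that is not from the deck: an indexes.conf stanza for a hypothetical index acme_auth that sets the hot, warm, cold and frozen transitions described above, plus the optional TSIDX reduction. The paths, sizes and retention periods are assumptions chosen for illustration.

```ini
# indexes.conf (hypothetical index acme_auth, constructed for this example)
[acme_auth]
# homePath holds hot and warm buckets; coldPath is usually slower, cheaper storage;
# thawedPath receives buckets restored from the frozen archive
homePath   = $SPLUNK_DB/acme_auth/db
coldPath   = $SPLUNK_DB/acme_auth/colddb
thawedPath = $SPLUNK_DB/acme_auth/thaweddb
# Hot: open for writes. A hot bucket rolls to warm when it reaches maxDataSize
maxHotBuckets = 3
maxDataSize = auto_high_volume
# Warm: read only. When more than maxWarmDBCount warm buckets exist,
# the oldest roll to cold (moved to coldPath)
maxWarmDBCount = 300
# Cold to Frozen: a bucket freezes when its newest event is older than
# frozenTimePeriodInSecs (90 days here) or the index exceeds maxTotalDataSizeMB
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 500000
# Frozen buckets are deleted unless an archive destination is configured;
# with coldToFrozenDir the raw data is copied there and can be thawed later
coldToFrozenDir = /archive/splunk/acme_auth
# Optional TSIDX reduction: shrink the index files of buckets older than 30 days
# to save space (searches on them get slower, the raw data stays intact)
enableTsidxReduction = true
timePeriodInSecBeforeTsidxReduction = 2592000
```

Retention driven by frozenTimePeriodInSecs applies per bucket, so a bucket is kept until its newest event ages out, not its oldest.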
Extend storage with HDFS or AWS S3 (warm, cold and frozen tiers on Hadoop clusters)
Drive Down Costs by Archiving Historical Data to Commodity Hardware
• Archive historical data to Hadoop or S3
• Unified search across all data in real time
• Also analyze archived data using Hadoop tools
Splunk Developer Platform
Powerful Developer Platform
• REST API
• Build Splunk Apps: Simple XML, JavaScript, HTML5, Web Framework
• Extend and Integrate Splunk: SDKs for Java, JavaScript, Python, Ruby, C# and PHP; Data Models; Search Extensibility; Modular Inputs
Accelerate Your Deployment
• Apps – Leverage packaged searches and dashboards already built on top of Splunk
• Education – Focused training programs online or in a classroom
• Professional Services – Harness the knowledge and speed of the experts
• Cloud – No need to wait for infrastructure, use Splunk AMIs or Splunk Cloud
Summary
● Real-Time Architecture
● Schema-on-the-fly
● Massive Scalability
● Easy Reporting and Analytics
● Platform for All Machine Data
Thank You