Lesson 18 of 20

Intro to Splunk

Splunk is a Security Information and Event Management (SIEM) tool that ingests various types of machine data so that analysts can quickly search, monitor, and visualize it.

It can index structured or unstructured data, perform real-time or historical processing and analysis, and create statistical reports. In essence, Splunk takes the machine data your systems and software produce, typically found in log files, and makes all of it searchable, indexable, and easy to understand. This is the core of Splunk, but many other features have been added over time.

It’s easy to get started with Splunk using the sort of keyword searches you might type into Google. Beyond that, Splunk offers a more powerful tool called the Search Processing Language (SPL), which can sift through your log data and perform analytical operations to uncover the information you need. You may be familiar with Structured Query Language (SQL) from relational database management, but with Splunk there is no database and no schema. The power of Splunk and SPL comes from its ability to work directly with plain log files; in fact, Splunk can handle almost any text-based data.
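To make the difference between a keyword search and an SPL pipeline concrete, here is an added example that is not part of the original lesson. It assumes Linux authentication logs are indexed under an index named `linux_auth` with sourcetype `syslog`, and that the events contain standard OpenSSH messages of the form "Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2"; the index name, sourcetype, and log format are assumptions made for the example, not values from the lesson.

```spl
index=linux_auth sourcetype=syslog earliest=-24h "Failed password"

index=linux_auth sourcetype=syslog earliest=-24h "Failed password"
| rex "for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| stats count AS failures, dc(user) AS distinct_users BY src_ip
| where failures > 20
| sort - failures
```

The first query is the Google-style starting point: it returns every event from the last 24 hours containing the phrase "Failed password", and you read the raw lines yourself. The second query is the same search carried into an SPL pipeline. Each `|` passes the results of one stage to the next: `rex` extracts `user` and `src_ip` fields from the raw text with a regular expression (no schema had to exist in advance), `stats` counts failures and distinct usernames per source address, `where` keeps only addresses with more than 20 failures, and `sort - failures` puts the noisiest sources first. The result is a small table an analyst can act on rather than thousands of log lines to scroll through.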

Since there is no database on the backend to manage, Splunk is very easy to install and configure. It also scales efficiently, so if you have very large amounts of data to index, adding another Splunk server is simple.