
Clarification on Recent Splunk Quotes

A couple of folks, including our own SF flâneur of the week James, asked about the quotes I gave for the recent Datamation piece on Splunk. The point being, I seem to be ascribing quite a bit of compliance functionality to Splunk. I don’t usually (or ever?) write-up additional commentary on press quotes I give, but to make sure there isn’t any confusion, I wanted to add some commentary this time. More importantly, since Splunk is in the process of signing up as a client (thanks!) I don’t want to be misconstrued as happy-talking for money. That’d be no good at all.

As an IT management wonk, I have a huge bucket of respect and even admiration for Splunk. Not only is their whole “Google search of IT” awesome, but they were one of the first people to try out collaborative systems management, a trend that more and more people are getting to in their own platforms.

But I don’t want people to read too much into my comments. The fault isn’t the reporter’s at all; rather, I left out some clarification and contextualization from my original email, especially given the context of the article.

Re-reading the article, I can see how a reader could insert quite a bit more than I intended in there, thinking that Splunk is a soup-to-nuts compliance detection and management system.

According to Coté, Splunk crawls all the data in a given IT ecosystem and classifies discrete events of its findings.

Now, that’s true, but if your mindset is narrowed down to just compliance instead of the wider scope of IT, you’ll start to add in all sorts of compliance-specific stuff that Splunk could be doing. While Splunk does try to ferret out compliance-related events alongside all manner of other IT events, I don’t think even Splunk themselves claim that Splunk alone will handle all of your compliance and audit needs. Indeed, their press release from RSA says it well:

Splunk can index any type of logs and IT data by sampling and learning formats automatically. System administrators and security analysts can search and navigate server logs, firewall events and IDS alerts to investigate potential incidents in real time. Compliance analysts and auditors can review, report and achieve long-term retention of data from every component in the data center.

Also, check out Steve Loyd’s screencast on the Splunk compliance page to see all of this in action. His use of tags is fascinating, huh?

What I was thinking I was saying was that Splunk searches over your IT logs (or whatever you’ve set up to be crawlable by Splunk), attempts to identify the type of each event (“classifying” it), and provides one interface to search over all those found events. Thus, when you need to search through logs and whatnot, you can go to Splunk and start searching away for events related to compliance problems.

More importantly, Splunk gives you a unified interface and sort of “normalization” over events from your “IT soup” to (hopefully) make it quicker and easier to search over all those logs and their events in aggregate, in one place, rather than visiting each system separately.

In the context of winning the “Product of the Year Award for Compliance Software,” I can see how someone would fill in the gaps and then think that Splunk is doing more than searching over all that “soup” along with the classification and event-management-level alerting that comes with it. Clearly, you’ll need something else to detect compliance problems in the large: Splunk is just search; it doesn’t have algorithms or “intelligence” ferreting out artfully hidden compliance breaches. That said, Splunk definitely looks like a great tool for IT, but I’d be misleading you if I thought it was the only tool you needed, as I speak to in the last quote in the article:

Most [systems management vendors and] projects recognize that Splunk is finally providing the search functionality that they’ve wanted for sometime but haven’t gotten around to implementing, so it’s great that Splunk is partnering rather than taking the view that there’s only one way to manage IT.
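To make the distinction in the paragraphs above concrete, here is an added example (my own illustration, not Splunk’s code or anything from the article): a few constructed log lines in different formats are normalized into one event schema, classified, and made searchable from a single query function. The final function shows the part the post says search alone doesn’t give you: a policy rule that decides which of those events count as a compliance finding. The log lines, field names, and the “no direct root logins” policy are all assumptions made up for the example.

```python
"""Added illustration: normalize an 'IT soup' of log lines into one event
schema, classify them, search them in one place, then layer a compliance
rule on top. Sample lines, field names and the policy are constructed."""
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional

# Constructed sample lines: syslog auth events, a firewall record, an IDS alert.
SAMPLE_LOGS = [
    "Mar 12 02:14:07 web01 sshd[4121]: Accepted password for root from 10.0.0.5 port 51522 ssh2",
    "Mar 12 02:14:09 web01 sshd[4121]: Failed password for admin from 10.0.0.9 port 51530 ssh2",
    "2008-03-12T02:15:00Z fw-edge ACTION=DENY SRC=203.0.113.7 DST=10.0.0.5 DPT=3306 PROTO=TCP",
    "[**] [1:2001219:18] ET SCAN Potential SSH Scan [**] 203.0.113.7:40000 -> 10.0.0.5:22",
    "Mar 12 14:30:01 db01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
]


@dataclass
class Event:
    """The common shape every source is normalized into (assumed schema)."""
    source: str            # log family the line came from
    event_type: str        # classification assigned by the parser
    host: str
    src_ip: Optional[str]
    user: Optional[str]
    raw: str
    tags: set = field(default_factory=set)


SYSLOG_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) (\w+)(?:\[\d+\])?: (.*)$")
FW_RE = re.compile(r"^(\S+) (\S+) ACTION=(\w+) SRC=(\S+) DST=(\S+) DPT=(\d+)")
IDS_RE = re.compile(r"^\[\*\*\] \[[\d:]+\] (.+?) \[\*\*\] (\S+?):\d+ -> (\S+?):(\d+)$")


def parse_line(line: str) -> Event:
    """Guess the line's format, then classify it into one normalized Event."""
    if m := SYSLOG_RE.match(line):
        _ts, host, prog, msg = m.groups()
        ev = Event("syslog", "generic", host, None, None, line)
        if prog == "sshd":
            a = re.match(r"(Accepted|Failed) \w+ for (\S+) from (\S+)", msg)
            if a:
                ev.event_type = "auth_success" if a.group(1) == "Accepted" else "auth_failure"
                ev.user, ev.src_ip = a.group(2), a.group(3)
                ev.tags.add("auth")
        elif prog == "sudo":
            s = re.match(r"(\S+) : .*COMMAND=(.*)", msg)
            if s:
                ev.event_type = "privilege_escalation"
                ev.user = s.group(1)
                ev.tags.update({"auth", "privileged"})
        if ev.user == "root":
            ev.tags.add("privileged")
        return ev
    if m := FW_RE.match(line):
        _ts, host, action, src, _dst, dport = m.groups()
        return Event("firewall", f"fw_{action.lower()}", host, src, None, line,
                     {"network", f"dport:{dport}"})
    if m := IDS_RE.match(line):
        signature, src, dst, _dport = m.groups()
        return Event("ids", "ids_alert", dst, src, None, line, {"network", "alert", signature})
    return Event("unknown", "unparsed", "?", None, None, line)


def ingest(lines: Iterable[str]) -> list:
    return [parse_line(line) for line in lines]


def search(events: Iterable[Event], text: str = "", **criteria) -> list:
    """One query over everything: free text on the raw line plus field/tag filters.
    A criterion matches if it equals the named field or appears among the tags."""
    hits = []
    for ev in events:
        if text and text.lower() not in ev.raw.lower():
            continue
        if all(getattr(ev, k, None) == v or v in ev.tags for k, v in criteria.items()):
            hits.append(ev)
    return hits


def root_login_findings(events: Iterable[Event]) -> list:
    """The layer search does not provide: a (constructed) policy saying direct root
    logins are a violation. Search surfaces the events; this rule calls them findings."""
    return [e for e in search(events, event_type="auth_success") if e.user == "root"]


if __name__ == "__main__":
    evs = ingest(SAMPLE_LOGS)
    for e in search(evs, src_ip="203.0.113.7"):
        print(e.source, e.event_type, e.host, sorted(e.tags))
    print("policy findings:", [e.raw for e in root_login_findings(evs)])
```

The `search` call answers “show me everything from this address, across firewall and IDS data” in one query, which is the unified-interface point; `root_login_findings` is the kind of rule you still have to write (or get from another tool) before any of those events become a compliance problem rather than just a search hit.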


Categories: Compliance, Screencasts, Systems Management.


2 Responses

Continuing the Discussion

  1. […] as they call it), which is also required to collect from Windows Event Logs and other log sources. As with most folks who get into doing log management, Paglo says this allows them to become part of the compliance life-cycle to do things like […]

  2. […] for things like PCI. Several years ago, when Splunk announced they were a compliance tool, I caught some crap for a quote I had on that topic; the crap being: there’s no way simple log searching can do everything needed for compliance. […]