7 New Things We Love About Splunk
If you aren’t using Splunk or haven’t heard of it, we like to think of it as the Google of log files. A #BigData cruncher that allows you to search through the logs or exports of thousands of systems from one interface!
We first introduced Splunk to automate complex queries and reports across our multiple data sources. It was our first choice SIEM tool, mainly because of its ability to ingest any data type, along with its real-time alerting capabilities. It has revolutionized our client security reporting and the development in the technology since then continues to surprise us.
Splunk heralded the release of their latest version 7.0 as “the end of meh-trics” and we couldn’t agree more. Having recently upgraded to the new version, we thought we’d reflect on our favourite features so far. It is the little things after all…
The Splunk Features We Couldn’t Live Without…
1. Dashboard Editor
One of our favourite features, added in 6.1, is the dynamic dashboard editor. We can create advanced visualisations through dragging and dropping in the user interface (with the option of editing the XML/HTML if we really want to show off). The beauty of this is no advanced XML or HTML skills are required.
2. Status Indicators
It’s a no-brainer that the new status indicators have been a major advantage for us. We are now able to add colours/symbols to a range of values, allowing us to enhance the visualisations and give context to results. In our data-heavy world of security reports, there’s nothing like a big red warning sign to expedite decision making!
3. Maps
Version 6.0 gave us the ability to add geographical context to dashboards by natively embedding maps in Splunk. A game changer! This provides powerful visualisation of location-based tracking, particularly useful for authentication and network logs and quickly spotting anomalies.
4. Dynamic Drilldowns
A subtle change with maximum effect. Our dashboards are used across the business: from C-Level management, through to engineering teams and support. The drilldown feature allows us to present a high-level overview of the data, with interactive panels that link to more detailed dashboards for further context. For example, management may want the top level overview of what has passed or failed, but engineering needs to know the exact component that failed and can drill in to investigate why. Version 7.0 has made this extremely easy to implement!
5. Trellis Views
Trellis views have completely changed how we build dashboards. Instead of having to create almost identical panels with additional searches just to look at the difference between a day, an error message or a server category, we can now chart that data in just one search and configure trellis mode for the type of visualisation we wish to see.
This is really useful for month-to-month views without needing to hardcode the month, or for KPIs broken out by web service and other factors.
6. Report Actions
One of the big selling points of Splunk for us was always the report actions. In Splunk 7.0 they’ve really ramped it up though! We can now choose from a list of in-built actions including calling external APIs, application webhooks, NSLookups, and running a script, to name a few.
7. Chart Annotations
Chart annotations allow us to add additional context to our dashboards. These are added by utilising a secondary search against the chart panel. For example, if we have a chart that shows account login errors over the last week, we can add an event annotation that flags the times when our domain controllers were down over that period. If the majority of the login errors occurred when our servers were down, it makes it really easy to conclude that the events are likely related.
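As an added illustration of the login-errors scenario above (our own example, not from the original post), here is a Simple XML panel that pairs the primary timechart with a secondary annotation search. The index names, the `dc_health` sourcetype and its `status` field are assumptions to be replaced with your own sources; Windows EventCode 4625 is the standard failed-logon event.

```xml
<dashboard>
  <label>Account login errors vs. domain controller outages</label>
  <row>
    <panel>
      <chart>
        <title>Failed logons per hour, last 7 days</title>
        <!-- Primary search: counts Windows failed-logon events (4625) per hour.
             Index/sourcetype names are assumptions; adjust to your environment. -->
        <search>
          <query>index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
            | timechart span=1h count AS failed_logons</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <!-- Annotation search: must return _time and annotation_label.
             annotation_category is optional and drives the colour mapping below.
             The dc_health sourcetype and status field are hypothetical. -->
        <search type="annotation">
          <query>index=itops sourcetype="dc_health" status="down"
            | eval annotation_label="DC outage: " . host,
                   annotation_category="outage"
            | table _time annotation_label annotation_category</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <!-- Colour the "outage" category red so overlaps with error spikes stand out -->
        <option name="charting.annotation.categoryColors">{"outage":"0xD94E4E"}</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Each row returned by the annotation search is drawn as a vertical marker on the chart, so failed-logon spikes that coincide with an outage marker are visible at a glance rather than requiring a second panel.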