Splunk! Or how to move IT troubleshooting to the next level
April 5, 2006
"Tag Your IT" is the catch phrase for Splunk Inc., a fast-moving company whose goal is to move IT troubleshooting to the next level. Put a bunch of IT guys together, add to the mix their frustration with keeping large computer environments running, and something is bound to happen. That something is Splunk Base, a global wiki of IT events: an interactive wiki where IT professionals can share in-depth information about IT events, regardless of the application, system or device. Splunk Base is unique because the wiki pages are organized by fingerprints the company generates for different types of events. Typical wikis are unorganized, with no underlying order holding the pages together.
Coupled with Splunk search software, Splunk Base allows IT professionals to pool their knowledge with the community, reduce troubleshooting time and speed problem resolution.
So how do they do this? First, Splunk's search software indexes and links together all log files, and other IT data, automatically fingerprinting events based on the structure and syntax of the event. The 'fingerprinting' is done in such a way that if two separate databases were having the same problem, the event logged in each environment would have an identical fingerprint with specific variables like host name, IP address or process IDs removed. Once all of the logs have been indexed with Splunk, they can be searched in real-time. When you come to an event that you don't understand you can click on it, sending its fingerprint off to Splunk Base to see if anyone else has run into the same problem. If no one has left information on that particular event, an alert can be set up to notify you if someone documents the event in the future.
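The fingerprinting idea in the paragraph above, as an added example that is not Splunk's code or its actual algorithm: the per-environment fields (timestamp, host name, IP address, process ID, counters) are masked out and the remaining event skeleton is hashed, so the same kind of event from two different systems yields the same fingerprint while an unrelated event yields a different one. The masking rules, the sample log lines and the stand-in knowledge base keyed by fingerprint are all constructed for this example.

```python
"""Illustrative event fingerprinting: mask the fields that vary per
environment, then hash the remaining skeleton. Not Splunk's algorithm;
the rules, sample events and knowledge base below are constructed."""
import hashlib
import re
from collections import defaultdict

# Variable fields masked out before hashing. Order matters: timestamps
# and IPs are handled first so the generic number rule does not break them up.
_RULES = [
    # syslog-style timestamp, e.g. "Apr  5 10:12:33"
    (re.compile(r"\b[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\b"), "<TS>"),
    # ISO 8601 timestamp, e.g. "2006-04-05T10:12:33Z"
    (re.compile(r"\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?\b"), "<TS>"),
    # in syslog the token right after the timestamp is the host name
    (re.compile(r"^<TS> \S+"), "<TS> <HOST>"),
    # IPv4 address
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "<IP>"),
    # process id in "prog[1234]:"
    (re.compile(r"\[\d+\]"), "[<PID>]"),
    # any remaining standalone number (ports, counts, limits)
    (re.compile(r"\b\d+\b"), "<N>"),
]


def normalize(event: str) -> str:
    """Return the event skeleton with variable fields replaced by placeholders."""
    text = " ".join(event.split())  # collapse runs of whitespace
    for pattern, placeholder in _RULES:
        text = pattern.sub(placeholder, text)
    return text


def fingerprint(event: str) -> str:
    """Short, stable identifier for the event *type* (same across hosts)."""
    return hashlib.sha256(normalize(event).encode("utf-8")).hexdigest()[:16]


def group_by_fingerprint(events):
    """Map each fingerprint to the raw events that share it."""
    groups = defaultdict(list)
    for event in events:
        groups[fingerprint(event)].append(event)
    return dict(groups)


# Constructed sample events: two databases on different hosts hitting the
# same problem, plus an unrelated sshd event.
SAMPLE_EVENTS = [
    'Apr  5 10:12:33 db01 postgres[4412]: FATAL: too many connections for role "app" (max 100)',
    'Apr  5 11:40:01 db-east postgres[9981]: FATAL: too many connections for role "app" (max 250)',
    'Apr  5 11:41:17 web07 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2',
]

# Constructed stand-in for a shared knowledge base keyed by fingerprint, the
# way the article describes Splunk Base wiki pages being organized.
KNOWLEDGE_BASE = {
    fingerprint(SAMPLE_EVENTS[0]): "placeholder note: connection limit reached; check pooling and leaked connections",
}


def lookup(event: str):
    """Return the shared note for this event type, or None if nobody has documented it."""
    return KNOWLEDGE_BASE.get(fingerprint(event))


if __name__ == "__main__":
    for fp, members in group_by_fingerprint(SAMPLE_EVENTS).items():
        print(fp, normalize(members[0]))
        for raw in members:
            print("   ", raw)
        print("    note:", lookup(members[0]))
```

The two postgres events differ in host, PID, time and limit, yet map to one fingerprint and therefore one knowledge-base entry; the sshd event lands in its own group with no note, which is the case where the article says an alert could be set for future documentation. In practice the masking rules are the hard part: too few and the same problem splinters into many fingerprints, too many and unrelated events collide.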
Splunk search software comes in two flavors, Splunk Professional and Splunk Server. The professional version is the premium edition, with support for multiple user accounts, large-scale environments and automated use. Splunk Server is the free edition, allowing up to 500MB per day of indexing.
Splunk Base can be used by going to the Splunk website and doing a search, but it works best if integrated with the search product, which can also be downloaded at the website.
When Splunk was originally launched, it ran locally, behind a firewall and provided the ability for an organization's own people to add semantic data to search results. Splunk Base expands on this so that now, rather than seeing semantic data on the local server you can see tags and other semantic data that anyone using Splunk has created and agreed to share with the Splunk Base service.
Splunk runs on multiple flavors of Linux and Unix, with a Windows version in the works. A live demo is available if you would like to do a little exploring on your own: http://demo.splunk.com/