[colug-432] splunk?

William E. T. linux.hacker at gmail.com
Fri Oct 14 13:50:04 EDT 2016


On Fri, Oct 14, 2016 at 1:01 PM, Rick Troth <rmt at casita.net> wrote:

> [...]
>
> I found Splunk's gigabyte licensing to be annoying. A customer can bump
> into the wall and lose traffic. (I forget the details of the failure mode.)
>
>
Just to clarify, Splunk's licensing is based on daily ingestion of data.  So
we have a 2TB license at work, but we keep data for 92 days so we have
~184GB of data (not really, but good enough for this conversation).

Traditionally, on the fifth day that you breach your license in a rolling
30-day window, the search feature would be disabled but data would still be
ingested.  During training Splunk would tell you to feel free to violate
your license during the freebies; if you have a new deployment you might
have historical data to load, etc.  They would also advertise that, for your
first couple of times calling them to unlock search, the first person you
talked to would immediately give you a code to unlock searching.

At .conf 2016 (October 27-29) they announced they were changing the failure
mode.  Starting in 6.5 (released at the conference), they will no longer be
disabling searching.  The justification was that the pain typically comes at
really bad times for companies (e.g. during an extended DoS attack).  They
said to ask your sales rep for details, and I was not able to get good
details.  Most people assume they have built some sort of phone-home in; I
did read something about having to manually upload usage information if
your system is unable to automatically phone home, but we just upgraded to
6.4 and will wait until at least spring to go to 6.5.

Is Splunk interesting?  From our perspective, absolutely!  While a few
fields are extracted at index time (data ingestion), most fields are
extracted when you perform a search.  Since we have a very diverse I.T.
environment (we have a number of independent I.T. shops, so we don't have
standardized technologies, nor do we have central change management), being
able to bring the data in and then update field extractions on the fly is a
critical feature for us.  Also, since we have no central configuration
management, having the deployment server to enable the Splunk team to manage
the forwarders (agent software that sends data to Splunk) is a huge win.

In terms of features, Splunk is quite rich; it can read anything that can
be converted to textual data, the forwarders can run scripts, they have an
HTTP event collector for injecting JSON events, they have Hunk that lets
you layer Splunk on top of Hadoop and various NoSQL databases, they have
dbconnect for SQL databases, etc.

Is it worth tracking Splunk Live?  I'm probably biased since in practice
I'm dedicated to our Splunk implementation and I spoke at the Splunk>Live
event in Columbus last year, so I wasn't going to weigh in, but...
Generally I tell people it's half sales and half technical.  A number of
people there will be potential customers, so they're trying to help them
see the problems it helps other customers solve.  That would make me lean
towards maybe not; the fact that, even though it is very open and
extensible, it is closed source makes me lean further towards maybe not.

If people have questions about Splunk I'd be happy to try to answer them;
I've worked on OSU's implementation for over three years (2TB license,
thousands of forwarders, 600+ source types) and I report to Mark Runals, who
founded the Columbus user group (happy to help people join if interested).
I'm not convinced Splunk is really on-topic for this mailing list, so feel
free to e-mail me directly.

Thanks,
Bill
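Added example (not part of Bill's post, and not Splunk's own code): a small Python model of the pre-6.5 lockout rule the post describes, so an admin can see how much headroom a daily license leaves before an incident-driven ingest spike would have cost them search. It counts days over the daily ingest limit inside a trailing 30-day window and reports the day the count reaches five. The 2 TB/day limit, the 30-day window and the five-warning threshold are taken from the post; the ingest figures, the "tier" split and all function names are constructed for illustration and are not Splunk's implementation.

```python
from datetime import date, timedelta

# Assumptions modelled on the post: a 2 TB/day license, a rolling 30-day
# window, and search disabled on the fifth over-limit day in that window.
LICENSE_GB_PER_DAY = 2048.0
WINDOW_DAYS = 30
MAX_WARNINGS = 5


def make_sample_events(start=date(2016, 9, 1), days=40,
                       spike_days=(3, 10, 18, 25, 33, 36)):
    """Constructed sample: two per-tier ingest records per calendar day.

    Baseline is 1500 GB/day; on the listed day numbers a hypothetical
    incident pushes ingest to 2500 GB/day, over the 2 TB license.
    """
    events = []
    for n in range(1, days + 1):
        day = start + timedelta(days=n - 1)
        total = 2500 if n in spike_days else 1500
        web = total * 3 // 5                 # constructed: "web tier" forwarders
        events.append((day, web))
        events.append((day, total - web))    # constructed: "auth tier" forwarders
    return events


def daily_totals(events):
    """Sum (date, gigabytes) records into one total per calendar day."""
    totals = {}
    for day, gb in events:
        totals[day] = totals.get(day, 0.0) + gb
    return totals


def utilization(totals, limit_gb=LICENSE_GB_PER_DAY):
    """Fraction of the daily license used on each day (1.0 == at the limit)."""
    return {day: gb / limit_gb for day, gb in totals.items()}


def license_warnings(totals, limit_gb=LICENSE_GB_PER_DAY):
    """Days whose ingest exceeded the daily license, in date order."""
    return sorted(day for day, gb in totals.items() if gb > limit_gb)


def search_disabled_on(totals, limit_gb=LICENSE_GB_PER_DAY,
                       window_days=WINDOW_DAYS, max_warnings=MAX_WARNINGS):
    """First day on which the trailing window holds max_warnings over-limit
    days, i.e. the day search would have been disabled, or None if never."""
    warnings = license_warnings(totals, limit_gb)
    for i, day in enumerate(warnings):
        window_start = day - timedelta(days=window_days - 1)
        # Only warnings that fall inside the window ending on this day count;
        # older breaches age out, which is why a rolling window matters.
        in_window = [w for w in warnings[:i + 1] if w >= window_start]
        if len(in_window) >= max_warnings:
            return day
    return None


SAMPLE_TOTALS = daily_totals(make_sample_events())

if __name__ == "__main__":
    usage = utilization(SAMPLE_TOTALS)
    for day, gb in sorted(SAMPLE_TOTALS.items()):
        flag = "  OVER LIMIT" if gb > LICENSE_GB_PER_DAY else ""
        print(f"{day} {gb:7.1f} GB ({usage[day]:.0%}){flag}")
    print("warnings:", [d.isoformat() for d in license_warnings(SAMPLE_TOTALS)])
    print("search disabled on:", search_disabled_on(SAMPLE_TOTALS))
```

In the constructed data the first spike (day 3) has aged out of the window by the time the fifth spike lands on day 33, so that day is only the fourth warning; the sixth spike on day 36 is the one that would have triggered the lockout. Feeding the model your own per-day totals (Splunk's own usage data, or a sum of forwarder-side byte counts) gives the same kind of early warning.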