<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap:break-word"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">On October 14, 2016 at 11:33:08, Jeff Frontz (<a href="mailto:jeff.frontz@gmail.com">jeff.frontz@gmail.com</a>) wrote:</div> <div><blockquote type="cite" class="clean_bq" style="font-family:Helvetica,Arial;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span><div><div></div><div><div dir="ltr"><div>Anybody heard-of/using splunk? Is it a widely-deployed platform?</div></div></div></div></span></blockquote></div><div id="bloop_customfont" style="margin:0px"><br></div><div id="bloop_customfont" style="margin:0px">Splunk is an awesome, if expensive, tool.</div><div id="bloop_customfont" style="margin:0px"><br></div><div id="bloop_sign_1476462832510735872" class="bloop_sign"></div><div id="bloop_sign_1476462832510735872" class="bloop_sign">At its most basic and at the risk of over-simplifying it, Splunk is log aggregation. In most setups, hosts run a splunk agent (“forwarder”). This forwarder sends the host's logs (system, application, etc) to Splunk in real time. Now instead of trying to grep-pipe-grep-awk-crap-regex-hell-start-over 12 log files across 6 hosts in a cluster one file, one host at a time, you run a sql-like (emphasis on the like) query in the Splunk UI, and Splunk does the work.</div><p>There are dashboards, and automated searches, and certain log formats[1] that Splunk understands natively and is able to turn your logs into data. For formats that Splunk doesn’t know, it can be taught. For a simple example, apache access logs - statistics by user agent, or access times. Splunk understands the access time as a field - as a query-able piece of data within a log entry. This becomes super powerful when you start sending in and teaching Splunk about your application’s logs.</p><p>Splunk really starts to shine at scale. If you have 2 servers with a small number of log files, big deal they can be searched by hand. If you’re trying to track down an issue across a cluster of a dozen or hundreds of nodes - grep begins to look like the horrible tool for that job that it is. It’s practically impossible to do any sort of log/event correlation using shell commands, but Splunk makes that sort of thing possible.</p><p>While Splunk includes alerting based on searches and whatnot, Splunk is not a real-time monitoring tool or a replacement for a near RT monitoring tools like Zabbix, Nagios, etc. Treating it like one is usually a road to horrible performance and bad experiences.</p><p>There are free alternatives like logstash, but I don’t have any personal experience with logstash. I believe LogInsight is VMWare’s answer to Splunk, but AFAIK it is very much a vmware-specific tool, and doesn’t work as well when trying to use it as in a more generalized way like Splunk was meant to be used.</p><p>If you have an opportunity to attend a Splunk demo, I’d definitely do it. It’s not for everyone or for every shop, but it’s worth knowing about.</p><p><br></p><p>[1] <a href="http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Whysourcetypesmatter">http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/Whysourcetypesmatter</a></p></body></html>