
Solutions Guide

The Splunk Guide to Operational Intelligence
Turn Machine-Generated Data into Real-time Visibility, Insight and Intelligence

Finding and fixing problems, following the trail of an attacker, reporting for compliance, analyzing service usage and customer behavior requires a complete view. Troubleshooting problems often means correlating web server logs, SOA messages, database transactions, virtual performance and configuration changes. Investigating security incidents means both the analysis of events from server logs, firewalls and IDS scans, in addition to application events, configurations and scripts to understand what has happened. Meeting compliance requires systematic reviews and long-term data retention from across the infrastructure, placing more barriers to accessing this data for day-to-day operational needs. When the business asks for better intelligence, this may require real-time correlation and analysis of transactions and events from many IT sources, potentially combined with business data.

Cloud developers can gain intelligence on cloud applications in real time. Correlate, analyze and report on applications. Filter logs by time or by conditional searches to pinpoint and diagnose issues. Monitor system usage, uptimes and any other operational metrics. For all this and more, Splunk Storm provides the power of Splunk Enterprise, as a service.

Splunk software arms network engineers, system administrators, security and compliance analysts, developers, support/service desk staff and business users alike with new levels of visibility, analysis and insight. This is all operational intelligence.

How is Splunk Different?

Splunk Enterprise is different from previous approaches to managing, auditing, securing and gathering intelligence from IT systems and technology infrastructure. Here's how:

Immediate results without the risk. Users can download Splunk software for free, install it in minutes, point it at their data and immediately get productive. No more armies of consultants, or a DBA to make it work. Most users download and install Splunk while they are under fire. And the proof is immediate. A serious service problem or security incident can now be investigated in minutes, versus the hours or days it used to take.

Based on high-performance indexing and search technology. Every day over a billion people search and navigate web pages served all over the world. Search is flexible, intuitive and delivers immediate results. At its core, Splunk Enterprise has powerful indexing and search technology, bringing whole new meaning to speed and responsiveness. Search billions of events in seconds and start seeing results immediately.

Collect and index any machine data. Machine data is high-volume, high-velocity, highly variable and incredibly diverse.
It contains all time-stamped events generated by machine-to-machine and human-to-machine interactions. The traditional set of tools (system management, SIEM, CEP/ECA and log management) require weeks or months to develop and configure custom connectors for each data source. Splunk collects and indexes any machine data from virtually any source, format or location in real time. This includes data streaming from packaged and custom applications, app servers, web servers, databases, networks, virtual machines, telecoms equipment, operating systems, sensors, and much more. There's no requirement to understand the data upfront. Just point Splunk at your data or deploy Splunk forwarders to reliably stream data from remote systems at scale. Splunk immediately starts collecting and indexing, so you can start searching and analyzing.

Analyze real-time and historical data. Traditional IT systems force a decision between real-time monitoring or historical analysis. With Splunk you can search and analyze real-time streaming and terabytes of historical data from one place. This means you can identify and respond to patterns of behavior or activities of interest immediately. Most data management projects are designed to answer a pre-set list of questions, fitting into a brittle schema and data model. Indexed data in Splunk doesn't have these limitations because the schema is applied at the time of search, so users can immediately ask new questions while they search.

Create custom dashboards and views. You need to make sense of huge volumes of machine data and satisfy the needs of the different users and groups in your organization. With Splunk software you can quickly create custom dashboards that integrate multiple charts and views of your real-time data and access them from your desktop or mobile device. Personalize dashboards for different users in your organization: managers, business analysts, security analysts, auditors, developers and operations teams. Users can edit dashboards using a simple drag-and-drop interface, and integrated charting controls mean they can change chart types on the fly.

Software that users want to use. It used to make sense to manage your IT infrastructure in silos. But with today's distributed, virtualized and cloud-based environments, this just doesn't work anymore. Splunk breaks down the IT silos. Search, report, monitor and analyze all your data from every application, server and device: physical, virtual or in the cloud. Easily integrate with existing enterprise management, security and compliance tools. Finding and fixing problems, following the trail of an attacker, tracing transactions and finding new insights from your operational data is suddenly orders of magnitude faster and a lot easier.
Do more with Splunk Apps. Take advantage of hundreds of apps that run on top of the Splunk platform. Apps deliver a targeted user experience for different roles and use cases. There are a growing number of apps, built by our community, partners and Splunk. These apps help you visualize data geographically, or provide pre-defined compliance views for your mission critical technologies such as VMware, Exchange, Active Directory, Cisco and Citrix. There are apps for different technologies such as Windows, Linux, Unix, virtualization, networking technologies and more. Browse apps, or even create and post your own, all on Splunkbase, the Splunk community website (

Build enterprise-scale big data projects. Splunk scales to collect and index tens of terabytes of data per day, across multi-geography, multi-datacenter and cloud-based infrastructures. And because the insights from your data are mission-critical, Splunk provides the resilience you need, even as you scale out your low-cost, distributed computing environment. Automatic load balancing optimizes workloads and response times and provides built-in failover support. Out-of-the-box reporting and analytics capabilities deliver rapid insights from your data, removing the need for data scientists or complex development timeframes.

[Figure: Any Machine Data; panels: Operational Visibility, Proactive Monitoring, Search + Investigation, Business Insights]
Business Insights: Gain real-time insight from operational data to make better-informed business decisions.
Operational Visibility: Gain end-to-end visibility to track and deliver on IT KPIs and make better-informed IT decisions.
Proactive Monitoring: Automatically monitor your infrastructure to identify issues, problems and attacks before they impact your customers and services.
Search + Investigation: Find and fix problems dramatically faster across your organization using machine data.
Transform machine data into real-time operational intelligence.

Keep up with change. The only constant in today's complex, virtualized, cloud or hybrid IT environments is change. What we think we know is often wrong. Traditional IT management and security approaches assume users know all the possible failures and risks up front and that data formats won't change. This just isn't the case anymore. In fact, most IT organizations spend more time customizing and maintaining their tools than they do using them. Splunk Enterprise doesn't rely on brittle schemas that limit flexibility and break when data formats change. Splunk indexes all the data you need to index in real time, all the time. Any interpretation of the data you need, such as extracting a field or getting a subset of hosts, can be easily done as you search.

A platform for enterprise apps. Developer teams will find a whole host of ways to leverage Splunk Enterprise. Debug and troubleshoot applications during development and test cycles, or integrate data from Splunk Enterprise into custom applications. Output data from any API endpoint in JSON and ensure custom Splunk development over time, with API versioning. Splunk Enterprise ships with the JavaScript SDK, with additional downloadable SDKs for Java, Python and PHP, making it easy to customize and extend the power of Splunk Enterprise.
Delivering the Key Capabilities for Operational Intelligence

- Universal collection and indexing of machine data, from virtually any source
- Powerful search processing language to search and analyze real-time and historical data
- Real-time monitoring for patterns and thresholds; trigger alerts when specific conditions arise
- Powerful reporting and analysis
- Custom dashboards and views for different users and roles
- Resilience and scale on commodity hardware
- Granular role-based security and access controls
- Support for multi-tenancy and flexible, distributed deployments
- Connectivity with other data stores, including scalable, real-time integration with relational databases and bidirectional connectivity with Hadoop
- Robust, flexible platform for developing enterprise apps

Universal Indexing

Individual components in your infrastructure generate hundreds of events per second. A datacenter can log many terabytes of data per day. You'll probably be wondering how you are going to access all this data in all the different formats and locations. Splunk offers a variety of flexible input methods and doesn't need custom connectors for specific data formats. So you can immediately index logs, clickstream data, configurations, traps and alerts, messages, scripts, performance data and statistics from your applications, servers and network devices: physical, virtual and in the cloud.

Flexible data input. Collect and index data from just about any source imaginable, such as network traffic, web servers, custom applications, application servers, hypervisors, GPS systems, sensors, stock market feeds, social media and preexisting structured databases. No matter how you get the data, or what format it's in, it's indexed the same way without any specific parsers or connectors to write or maintain.

Forwards data from remote systems. Splunk forwarders can be deployed in situations where the data you need isn't available over the network or visible to the server where Splunk is installed. Splunk forwarders deliver reliable, secure, real-time universal data collection for tens of thousands of sources. Monitor local application log files, clickstream data, the output of status commands, performance metrics from virtual or non-virtual sources, or watch the file system for configuration, permissions and attribute changes. Forwarders are lightweight and can be deployed quickly, at no additional cost.

Real-time indexing. IT teams depend on up-to-date information for troubleshooting, security incident investigations, compliance reporting and other valuable tasks. Splunk continually indexes machine data in real time: your logs, configuration data, change events, the output of diagnostic commands, data from APIs and message queues, even logs from your custom applications.

Captures everything. Store both raw data and the rich index in an efficient, compressed, redundant, filesystem-based datastore, with optional data signing and auditing to prove data integrity.

No rigid schemas. Splunk software has no predefined schema. Solutions that rely on brittle schemas have limited flexibility to answer new questions and break when data formats change. Any interpretation you need to do on the data, such as extracting common fields, or getting a subset of hosts, is done at search time.

Automates chronology. All this streaming data means extracting and normalizing timestamps is very important. Splunk software automatically determines the time of any event, even with the most atypical or non-traditional formats. Data missing timestamps can be handled by inferring timestamps based on context.

Search and Investigation

Splunk software lets users search and navigate their data from one place.

Search and investigate anything. Freeform search supports intuitive Boolean, nested, quoted string and wildcard searches familiar to anyone comfortable on the web. This allows users to quickly iterate and refine their searches without knowing anything about specific data formats.

Powerful search processing language. The Splunk search processing language is a query language that provides a powerful means to operate on your data. It supports five different types of correlation (time, transactions, sub-searches, lookups, joins) and over 100 statistical commands. You can also conduct deep analysis and pattern detection for spotting anomalies or new opportunities in your data.

Real-time search. Searching real-time streaming data and indexed historical data from the same interface is best-in-class. With Splunk you can analyze behavior and activity in real time and see the historical context.

Time-range search. Given the large volume and repetitive nature of machine data, users often start by narrowing their search to a specific time range. With the focus on when events happened, Splunk Enterprise lets users combine time and term searches. This ability to search across every tier of your infrastructure for errors and configuration changes in the seconds before a system failure occurs is incredibly fast and powerful.

Transaction search. Sending an email, placing an order on a website or connecting a VOIP call will create a number of events across different IT components. Often you'll want to search for these collections of events that are all part of the same transaction. For example, you can find all the sendmail events with the same user-id, between login and logout, that occur within 10 minutes.
Splunk software lets you correlate events by defining common characteristics and then saving that search as a transaction, so you can find the same type of transactions again for different search parameters.

Sub-searches. Take the results of one search and use them in another to create if/then conditions. Using a sub-search allows users to see the results of a search only if a set of other conditions are met (or not). Security event management systems operate on this premise. For example, you may only be interested in viewing one event if the threshold for another event is met in a given time period.

Lookups. Used to enhance, enrich, validate, or add context to data collected in Splunk Enterprise. Correlating intrusion detection data (IDS) with data from an asset management system can reduce IDS false-positives. For example, an attack based on a Windows OS vulnerability seen by an IDS can be correlated with data from an asset being attacked within the AIX OS.

Joins. Support for SQL-like inner and outer joins, similar in concept to joins in an SQL database. Inner and outer joins are supported. Join as part of a search string and link one data set to another based on one or more common fields. Two completely different data sets can be linked together based on a user name or event ID field, presenting the results in a single view.

Interactive results. Compared to command line scripts and tools, an interactive interface dramatically improves the user's experience and the speed with which tasks can be accomplished. Zoom in and out on a timeline of results to quickly reveal trends, spikes and anomalies. Dynamically drill down in dashboards anywhere in a chart to the raw events, or define custom views and eliminate noise to get to the needle in the haystack. Whether you are troubleshooting a customer problem or investigating a security alert, you'll get to the answer quickly rather than taking many hours or days.

Add Knowledge

Adding machine data to Splunk Enterprise is possible with the native or custom input framework. Splunk software automatically discovers knowledge from your data and lets users add their own, unlocking your data's full potential. Knowledge about events, fields, transactions, patterns and statistics can be added to your data. You can identify, name and tag this data as well. Go from finding all events with a particular username, to instantly getting statistics on specific user activities. You can also correlate and name transactions that span multiple data sources. Splunk marries the flexibility of freeform search with the power of working with your data, in a way you've never experienced before.

Map knowledge at search time.
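The transaction, lookup and sub-search correlations described above, written out as three Splunk searches; this is an added example, not text from the brochure. The first search groups sendmail events per user between login and logout within ten minutes, the second keeps only IDS alerts for Windows signatures whose target is not an AIX host, and the third lists IDS alerts only for source addresses that the firewall also blocked more than 100 times in the last 15 minutes. The sourcetypes, the field names (userid, signature, src_ip, dest_ip, dest_os, action) and the asset_inventory lookup table are assumptions that must match your own deployment.

```spl
sourcetype=sendmail
| transaction userid startswith="login" endswith="logout" maxspan=10m
| table _time userid duration eventcount

sourcetype=ids_alert signature="*Windows*"
| lookup asset_inventory ip AS dest_ip OUTPUT os AS dest_os
| where dest_os!="AIX"

sourcetype=ids_alert
    [ search sourcetype=firewall action=blocked earliest=-15m
      | stats count BY src_ip
      | where count > 100
      | fields src_ip ]
| stats count BY src_ip signature
```

In the second search, targets missing from the inventory get no dest_os and are dropped by the where clause; add `fillnull value=unknown dest_os` before it if unmatched hosts should stay visible for review.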
Avoid the problems caused by traditional approaches by mapping knowledge to data at search time, rather than attempting to normalize the data into a brittle database schema up front. And there's no more need for the complex management of custom parsers and connectors. Easily enrich your machine data with information from external asset management databases, configuration management systems and user directories. Now you have a flexible way to manage your data, so as it changes, you don't have to.

Work smarter. Splunk Enterprise lets every user add their own knowledge as they go. As you are saving searches and identifying different types of fields, events and transactions, you make the system smarter for everyone else. And that knowledge doesn't walk out the door when someone leaves.

Monitor and Alert

Rather than use search to simply react to ad hoc incidents or problems, you want to be proactive. Gain flexible alerting capabilities that improve your monitoring coverage. And because Splunk software works across your entire IT infrastructure, it's the most flexible monitoring solution in your arsenal.

Turn searches into real-time alerts. Searches can be saved and scheduled for continual monitoring and can trigger alerts via email or RSS. You can even kick off a script to take remedial actions, send an SNMP trap to your system management console or generate a service desk ticket. Scheduling alerts is a great way to complete the investigation of a problem or security incident by proactively looking for similar occurrences in the future.

Correlate complex events. Splunk Enterprise lets you correlate complex events from multiple data sources across your IT infrastructure so you can monitor more meaningful events. For example, you can track a series of related events as a single transaction to measure duration or status.

Monitor for specific conditions. Alerts can be based on a variety of threshold and trend-based conditions and to any level of granularity. The search language goes beyond simple Boolean searches into field searches, statistical searches and subsearches. You can correlate on anything you want and alert on complex patterns such as abandoned shopping carts, brute force attacks and fraud scenarios.

Report and Analyze

If you've ever wanted to generate a report on the fly from hard-to-understand machine data, you'll love Splunk software. The Splunk Enterprise platform is capable of generating reports on an immense amount of data at lightning fast speeds. With built-in acceleration technologies, you have access to key data for a specific time window to make business-critical decisions. You can create powerful, information-rich reports to do analysis, without needing advanced knowledge of search commands. You can schedule delivery of any report via PDF and share it with management, business users or other IT stakeholders.

Report on search results. Easily build advanced graphs, charts and sparklines from search results and visualize important trends, see highs and lows, summarize top values and report on the most and least frequent types of conditions. The simplicity of analyzing massive amounts of data will amaze you (and your boss). For example, a report can show the total bytes sent by IP address from firewall activity events; a table showing bytes per protocol per IP address; or a chart illustrating firewall traffic by hour for a specific employee's laptop. Virtually any field can be used as reporting criteria.
And remember, because fields are identified as you search, you can specify new fields without reindexing your data.

Analyze correlated events. Splunk Enterprise supports five types of correlation:

- Time-based correlations, to identify relationships based on time, proximity or distance
- Transaction-based correlations, to trace transactions that span multiple silos, systems and data sources so you can report on and analyze important activities
- Sub-searches, to take the results of one search and use them in another
- Lookups, to correlate data with external data sources outside of Splunk, including relational databases
- Joins, to support SQL-like inner and outer joins

Plays well with others. Now your entire organization can leverage the value of machine data. Reports can be saved and shared with management or other colleagues in secure, read-only formats, such as PDF, and even integrated into dashboards.

Custom Dashboards and Views

Make more sense of the huge volumes of data at your disposal. Create custom dashboards and views for different types of users, technical and non-technical. Integrate reports, search results and even data from external applications. Edit dashboards using a simple drag-and-drop interface; integrated charting controls mean you can change chart types on the fly. Doing this all through the Splunk UI means that you can empower business users to do the same.

Real-time, interactive dashboards. Dashboards integrate multiple charts, views and reports of live and historical data to satisfy the needs of different users. You can add workflows enabling users to click through to another dashboard, form, view or external website. Quickly build and personalize dashboards for management, business or security analysts, auditors, developers and operations teams.

Mashups with other apps. Create mashups with other web-based apps, such as Tivoli, SAP, security consoles and more, to provide a seamless view across silos.

Dashboards wherever you are. Charts and timelines in Splunk Enterprise don't use Flash, which means dashboards can be viewed and edited on tablets, smartphones and non-Flash browsers.

A Platform for Apps and Developers

Now that you are indexing and making use of all your machine data, you can make use of apps that let you do even more.

Innovate on your own. Easily create apps that deliver a targeted user experience for different roles and use cases. The Splunk App framework provides the ability to develop and package apps through a single user interface. Deliver a user experience tailored to a specific use case or augment existing vendor technologies.

Share and download apps. You can share and reuse apps within your organization and the rest of the Splunk community.
There are a growing number of apps available on Splunkbase ( our community website built by our community, partners and Splunk. You can find apps that help visualize data geographically, or that support specific use cases, such as enterprise security or PCI compliance. There are also apps for different operating systems and third-party technologies, such as Windows, Linux, VMware, Microsoft Exchange, Cisco, WebSphere and F5 Networks.

Simple management. Once Splunk Enterprise is installed, you can apply role-based access controls and deploy apps with tailored user experiences across the organization, extending the value of your data to different users.

Extensible platform. The Splunk platform makes it easy to customize and extend the power of Splunk Enterprise. Developers can debug and troubleshoot applications during development and test cycles, or integrate data from Splunk software into custom applications. The Splunk Enterprise platform has built-in SDKs for JavaScript and JSON, with additional downloadable SDKs for Java, Python and PHP.

Enterprise-scale Big Data

With Splunk Enterprise you can scale your installation from a single commodity Windows, Linux or Unix server, to the largest, most complex multi-geography, multi-datacenter, cloud-based infrastructures indexing tens of terabytes of data per day. The Splunk architecture is distributed and scales linearly across commodity servers to unlimited data volumes. You'll find a wide range of options to access data, store it, search it and route it to other systems.

Easy installation. A self-contained software package with no dependencies on third-party programs makes Splunk easy to install and get running. It works on all major operating systems and hardware platforms. And because Splunk is software, it can operate across physical or virtual infrastructures rather than requiring dedicated hardware, power and rack space.

Analyzes big data. Your datacenter generates more machine data than you probably ever imagined. A single production server can generate hundreds of megabytes of data a day. Firewalls and web servers can each generate many times that amount. In fact, machine data is one of the fastest-growing, most complex segments of big data. This volume of data is also subject to retention requirements ranging from a few days for incident response, to months and years for compliance. Splunk software scales linearly across commodity hardware. When considering performance and comparing approaches to collect, index, analyze and visualize your machine data, here are some things to look for and consider:

Indexing throughput. Events-per-second (EPS) is a common throughput measurement, but consider that event sizes can vary from a few hundred bytes to a megabyte or more. EPS ratings are usually calculated at whatever size is optimal for one specific vendor's appliance or solution. Splunk indexes every byte in your data, without the need for custom parsers or connectors. If the vendor is unable or unwilling to quote you EPS figures based on this criteria, move on and find someone who will.

Search speed. Searches of any type should return results in seconds, not minutes or hours.
Based on a distributed computing framework, Splunk automatically converts searches into parallel programs, providing the ability to quickly retrieve and analyze massive data sets. A single commodity server will support searching of billions of events in seconds.

Storage efficiency. Measured as a percent of the original data stream size, storage efficiency determines the amount of storage capacity you'll need to retain your data and the associated indexes. A good solution will require 25% to 50% of the original data size to retain your data and a useful set of indexes. Beware of solutions that claim 10% or less of the original data size. That indicates just the storage of compressed data and no indexing.

Archiving. Eventually you may decide to tier the storage of your data. Tiered storage can provide lower cost and better redundancy. Archiving data based on disk utilization or age will come in handy for building a multi-tier data store. Make sure your solution lets you set up an archiving policy based on datastore size or age and restore your archives on demand.

Linear scalability. You can scale Splunk Enterprise horizontally and vertically by simply adding more computing power. You can run a distributed configuration on different physical servers, a combination of virtual and non-virtual servers, or on a large multi-core, multi-processor machine. Balance workloads by configuring multiple indexers and search engines across your configuration, using Splunk software.

Availability. The availability and integrity of data are foundational elements for an enterprise. The data is mission-critical and needs to be available at all times. Gain greater protection against data loss while maintaining data integrity. The high availability architecture of Splunk software delivers built-in resilience, so the right data is available when you need it.

Distributed search. Often it won't be feasible to physically centralize all your data in one place. You will likely need to search across multiple installations and data stores in different technology or geographic silos.

Integration. If you are like most IT shops, you've made significant investments in other management tools, monitoring tools and analysis tools. Wouldn't it be great if you could integrate Splunk software with all of them? Imagine launching in-context searches from your network management console, sending Splunk alerts to your system management console, or automating trouble ticket creation when unusual activity occurs. Splunk Enterprise provides multiple integration points and a robust, documented API.

Security

You'll need to keep your machine data secure, especially as you realize what a valuable information asset you have.
Splunk Enterprise provides secure data handling, access controls, audit-ability, assurance of data integrity and integration with enterprise single sign-on solutions.

Secure data access and transport. Machine data can be sensitive. Splunk Enterprise supports event anonymization to mask confidential data from results. Private consumer, healthcare or corporate information also requires secure access, transport and storage. Encrypted access to data streams, using protocols such as TCP/SSL, is a must-have feature for ensuring data security. User access should also be secured using protocols such as HTTPS, or SSH for command-line access.

Granular access control. Of course you also need the ability to control the actions users can take and what data, tools and dashboards they can access. You don't necessarily want to allow the application development team access to your IDS scans, alerts and firewall logs. Splunk is a flexible, role-based system that lets you build your own roles to map to your organization's policies for different classes of users. In some environments, like multi-tenant services, you may need to physically control access to data. The ability to route selected data to distinct Splunk installations will let you physically separate data in different data stores. You'll also want to integrate with LDAP and Active Directory and map groups to different roles.

Single sign-on. If you are using access controls internally and have organizational access control policies, you'll want to make sure you can integrate your Splunk Enterprise solution with your authentication system, whether it's LDAP, Active Directory, eDirectory or another authentication system.

Audit capability. Once you have your access controls set up, you need to monitor who's doing what. Splunk logs administrative and user activities so you can audit who's accessing what data and when.

Data integrity. You'll also need to ensure the integrity of your data. How do you know the search results or report you are viewing is based on data that hasn't been tampered with? With Splunk software, individual events can be signed and streams of events block signed. Splunk also provides message integrity measures that prove nobody has inserted or deleted events from the original stream.

Hardened deployment. Keeping an audit trail and signing events is worthless if the server running Splunk Enterprise can be compromised. Be sure your vendor provides hardening guidelines.

The world's largest B2B poker provider, hosting 25 of the industry's top brands and up to 45,000 concurrent players at peak hours, reduced downtime by 30% and quantified an annual savings of $1.9 MM (16x ROI in the 1st year).

One of the world's largest online travel sites demonstrated an annual ROI of over $14 million. This ROI was a combination of tools consolidation, greater agility, outage avoidance and troubleshooting efficiencies in using Splunk Enterprise.

Free Download

Download Splunk for free. You'll get a Splunk Enterprise license for 60 days and you can index up to 500 megabytes of data per day. After 60 days, or anytime before then, you can convert to a perpetual Free license or purchase an Enterprise license by contacting

ROI and Splunk

Splunk customers typically achieve an ROI measured in weeks or months, sometimes even before Splunk software has been deployed into production.
Splunk users can troubleshoot application problems and investigate security incidents in minutes instead of hours or days, dramatically improve service levels, reduce outages and deliver compliance reporting at lower cost. This visibility, typically unavailable prior to Splunk software, delivers organizations fast ROI, new productivity and powerful insights. Here are a few examples:

- A leading provider of healthcare management solutions avoided a $100K SLA penalty found during the Splunk evaluation phase. This same customer achieved an annual ROI of over $700,000.
- One of the world's largest business publishers replaced their old server monitoring software with Splunk Enterprise and other open source software. This eliminated maintenance fees and reduced operations costs by $1.6 million/yr.
- A major communications manufacturer avoided a $1.5M software license upgrade for their existing SIEM, reassigning 5 full-time analysts to other duties ($600,000/yr) and now monitors new data sources to identify previously unknown attacks.

Seeking a best-in-class solution for managing your machine data? Here's what to look for:

1. Index Any Machine Data

- Indexes any machine data generated by applications, servers or network devices, including logs, clickstream data, configurations, messages, traps and alerts, sensors, GPS, RFID, metrics and performance data, without custom parsers or connectors for specific formats (includes virtual and non-virtual environments).
- Flexible real-time and on-demand access to data from files, network ports and databases and custom APIs and interfaces.
- Listens to TCP and UDP network ports to receive syslog, syslog-ng and other network inputs.
- Consumes archive files.
- Captures new events in live log files in real time.
- Monitors files for changes.
- Queries database tables via DBI.
- Monitors Windows events remotely via WMI.
- Natively accesses the Windows event API.
- Monitors the Windows registry for changes.
- Connects to OPSEC LEA and other key security event protocols.
- Subscribes to message queues such as JMS.
- Captures the output of Unix/Linux system status commands like ps, top and vmstat.
- Remotely copies files via scp, rsync, ftp and sftp.
- Extensible via scripted inputs to capture the output of new status commands, connect to new event APIs and subscribe to different kinds of message queues.
- Universally indexes data in virtually any format without custom parsers or connectors for specific data formats.
- Identifies events in single line, multi-line and complex XML structures.
- Recognizes and normalizes timestamps.
- Handles bad or missing timestamps through contextual inference.
- Captures and indexes the structure of each event.
- Tracks and indexes the host and source of each event.
- Classifies source formats dynamically.
- Densely indexes every term in the original data.
- Retains original, unaltered machine data.
- Builds an unstructured index on disk without a schema.
- Supports forwarding and receiving of data from remote hosts for load balancing, failover and distributed deployments.

2. Search, Investigate, Explore

- Search events across components in multiple formats at once.
- Search live and historical data from the same interface and automatically backfill historical data for real-time window searches.
- Fast results from searches on terms instead of queries optimized for specific fields/columns in a persistent schema.
- Free form ad hoc search on any term in the original events with support for Booleans, nesting, quoted strings and wildcards.
- Precise searches using fields identified within the data at search time.
- Supports multiple schema views into the same data without redundant storage or re-indexing.
- Type-ahead suggestions to make it easy to discover what to search.
- Navigate to related events and refine searches by clicking on fields or terms within the search results.
- Search by time across multiple data formats.
- Visualize trends and navigate results using interactive time-based charts, histograms, sparklines and summaries.
- Search for transactions across different data sources and components.
- Persist searches as event and transaction types and search, filter and summarize by event and transaction type.
- Discover fields, event types and transactions interactively at search time.
- Save searches in reports, dashboards or views to simplify routine search scenarios.
- Browser-based, interactive AJAX user interface. No plug-ins required.
- Optional scriptable CLI interface for both real-time and historical search.

3. Add Knowledge

- Enable the system and the user to automatically add semantic meaning to machine data.
- Automatically discovers knowledge from the machine data, such as timestamp, name/value pairs, headers, etc.
- Let users add additional knowledge about the events, fields, transactions and patterns in their machine data.
- Assign tags to field values to help search groups of events with related field values more efficiently.
- Identify and classify transactions by correlating events across multiple data sources.
- Save searches that return interesting results by either saving the search string (to run the search later) or the search results (to review the results later).

- Share and promote saved searches, saved reports and event types with other authorized users.
- Define custom input capability and reuse other inputs; ensure that all inputs are available for use in the management interface.

4. Monitor and Alert

- Run a time-based search on a schedule and set alerting conditions based on thresholds and deltas in the number and distribution of results.
- Trigger alerts via email, RSS, SNMP or scripts.
- Take automated corrective or follow-on actions via scripted alerts.
- Embed sophisticated correlation rules in alerts via sub-searches.

5. Report and Analyze

- Build summary reports based on the results of any search interactively by clicking on available fields and statistics.
- Create reports using fields and schemas identified at search time.
- Supports multiple schema views into the same data without redundant storage or re-indexing.
- Supports sophisticated statistical and summary analysis by pipelining advanced search commands together in a single search.
- Accelerate reports by maintaining summaries that are up-to-date, scalable and usable by other eligible searches.
- View report results in tabular form; as interactive line, bar, pie, scatterplot and heat map charts.
- Pivot or drill down into any field or term.
- Click through to another dashboard, form, view, or external website, carrying forward any relevant context.
- Cache the results of scheduled reports for re-use.
- Create real-time reports based on live streaming data sources.
- Generate PDF versions of reports either on demand or on a scheduled basis.
- Schedule searches for a report for automated delivery via email or RSS.

6. Create Custom Dashboards and Views

- Create and edit dashboards that combine searches, reports, charts and tables using a visual dashboard editor.
- Build sophisticated dashboards with entirely custom user interfaces and rich visualizations, including mashups with other applications and data from external sources.
- Provide pre-packaged dashboards depicting key information and user activity such as admin activity, search activity, index activity and inputs activity.
- Leverage report acceleration features to efficiently report on very large volumes of data, e.g., long-term trends.
- Expand or restrict the role-based read and write permissions for a dashboard.
- Create composite dashboards based on live and historical data sources.
- Deploy dashboards to devices and web browsers that do not support Flash.
- Generate PDF versions of dashboards on demand or on a scheduled basis.

7. Build and Deploy Apps

- Provide the ability to build and deploy apps on top of the machine data platform for specific use cases.
- Package custom dashboards and configurations, ranging from scripts, knowledge objects and back-end settings, as apps.
- Easily browse and dynamically switch between apps running on the Splunk platform by using an app launcher interface.
- Instantly see all installed apps on an instance that the user has permissions to see.
- Provide a powerful framework to support the creation of robust apps at all levels.
- Expand or restrict the role-based read and write permissions to the app.

8. Developer Platform and Integration

- Provide APIs to enable quick integration with other applications, IT management tools and systems.
- Minimum interface requirements should include: command-line interface, DBI, data routing, documented SDKs, REST API, scripted alerts, scripted inputs.

9. Scale and Deploy

- A self-contained software package with no dependencies on third-party programs. It runs on premises, in the cloud or in virtualized server and storage environments.
- Native packages (rpm, deb, pkg, dmg, msi, etc.) and archive format distributions (.tgz, .zip, .tar.Z) are available for most widely-deployed operating systems, including Linux, Windows, Solaris, HP-UX, AIX, FreeBSD and Mac OS X.
- Servers work together to support both centralized and decentralized models for machine data management across the organization.
- Provides real-time centralization of machine data from production servers with reliable data transport over TCP.
- Distributed architecture to support highly available configurations with integrated resilience, failover and load balancing.
- Policy-based data routing among servers and to third-party systems.
- Linear scaling to terabytes per day via distributed search and data balancing based on the MapReduce technique.
- Single view across silos via distributed search.
- Maintains a complete, signed audit trail of administrative actions and search history.
- Monitors its own configurations for unauthorized change.
- Centralized, policy-based configuration management across servers in a distributed deployment.
- REST API enables quick integration with other IT management tools and systems.
- Tunable indexing levels can be set for different sources or events.
- Extremely fast search speed; delivers results fast across billions of events.
- Highly efficient compressed storage: % of the original data size typical for syslog, depending on indexing level.
- Datastore uses local or network storage and is compatible with incremental file system back-up utilities.
- Index is segregated by time to support extended retention times without impact to search performance.
- Configurable archiving and data retirement policy by age or size.
- Archive and restore compressed or fully indexed data on demand.
- Facilitates maintaining oldest data using lower cost near-line storage for extended retention times.
- Integrated use of MapReduce to enable scaling of real-time and historic search functions across commodity hardware.

250 Brannan St, San Francisco, CA. Copyright 2013 Splunk Inc. All rights reserved.


