For this review, I installed Splunk 4.1.2 across a few different platforms. Splunk comes as a single installer, available for Windows (XP and later), Linux, Unix, BSD, Mac, and a few other operating systems, including a few of the most popular network devices.
Depending on how you decide to use Splunk, all the components can be installed on a single computer; at a minimum, Splunk requires dual processors and 8GB of RAM. Alternatively, the various components can be spread across multiple computers. Indexers host the Splunk data store and provide indexing services for local and remote data sources. Stored data is compressed to half its original size. Search heads, forwarders, deployment servers, and high-availability components can also be deployed in a distributed implementation. I installed all components on single servers since I wasn't testing enterprise performance. The online and downloadable documentation is particularly good.
Installation was as simple as clicking Next, Next, and Finish. Once installed, Splunk is accessed through an HTTPS web interface using TCP port 8000 by default, a command-line interface, or a custom third-party UI (if purchased or downloaded separately). The screen below shows the main Splunk Manager interface. Many of the available features, including reports, searches, and dashboard views, depend on which Splunk applications are installed. There is a healthy Splunk development community, and many of the Splunk add-ons are available for free.
Splunk allows various event sources to be added under the Data Inputs section. Events can be collected using WMI, syslog ports, scripts, and more. Splunk can monitor Active Directory LDAP actions, files, folders, and registry keys for changes.
When monitoring a folder, users can choose from more than 50 source types, including OS X, Snort, Asterisk, and several generic options. These source options can be selected on several of the different input types. Individual files within a selected folder can be included or excluded using regex (regular expression) syntax.
Long used across a very wide range of data sources, Splunk is adept at handling unstructured data, allowing strong reporting and statistics to emerge, whereas many other solutions require that unstructured data be normalised before meaningful analysis can begin. New searches and reports (ad hoc or scheduled) can easily be created, either by entering regular expressions or by copying and modifying an existing object.
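To make the two regex-driven features above concrete (file include/exclude filters on a monitored folder, and field extraction from unstructured events for searches and reports), here is an added Python example; it is not Splunk's code and not part of the original review. It assumes the common monitor-input convention of a whitelist regex and a blacklist regex matched against the full path, with the blacklist taking precedence, and it uses constructed sample paths and syslog-style lines.

```python
import re
from typing import Dict, Iterable, List, Optional, Pattern

# Constructed sample: paths a folder monitor might enumerate.
SAMPLE_PATHS = [
    "/var/log/app/access.log",
    "/var/log/app/error.log",
    "/var/log/app/access.log.1",
    "/var/log/app/access.log.gz",
    "/var/log/app/debug.tmp",
]

# Constructed sample: unstructured auth events, as a syslog input might deliver them.
SAMPLE_EVENTS = [
    "Jun 12 10:01:02 host1 sshd[4242]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51234 ssh2",
    "Jun 12 10:01:05 host1 sshd[4242]: Accepted password for alice "
    "from 198.51.100.9 port 51240 ssh2",
    "Jun 12 10:02:11 host1 CRON[4300]: (root) CMD (run-parts /etc/cron.hourly)",
]


def filter_monitored_files(paths: Iterable[str],
                           whitelist: Optional[str] = None,
                           blacklist: Optional[str] = None) -> List[str]:
    """Return the paths a folder monitor would ingest.

    Assumed semantics (hypothetical, modelled on a whitelist/blacklist monitor
    input, not taken from the product): both are regexes searched against the
    full path; a path matching the blacklist is dropped even if it also matches
    the whitelist; with no whitelist, every non-blacklisted path is kept.
    """
    wl = re.compile(whitelist) if whitelist else None
    bl = re.compile(blacklist) if blacklist else None
    kept = []
    for p in paths:
        if bl is not None and bl.search(p):
            continue            # blacklist wins over whitelist
        if wl is not None and not wl.search(p):
            continue            # whitelist present but path does not match it
        kept.append(p)
    return kept


# Named-group regex that pulls structured fields out of free-text sshd lines.
SSH_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def extract_fields(events: Iterable[str], pattern: Pattern[str]) -> List[Dict[str, str]]:
    """Apply a named-group regex to each event; keep one record per match.

    Events the pattern does not match (the CRON line in the sample) are
    skipped rather than producing partial records.
    """
    records = []
    for event in events:
        m = pattern.search(event)
        if m:
            records.append(m.groupdict())
    return records


def count_by(records: Iterable[Dict[str, str]], key: str) -> Dict[str, int]:
    """Aggregate extracted records by one field, the basis of a simple report."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r[key]] = counts.get(r[key], 0) + 1
    return counts


if __name__ == "__main__":
    print(filter_monitored_files(SAMPLE_PATHS, whitelist=r"\.log(\.\d+)?$",
                                 blacklist=r"\.gz$|debug"))
    auth = extract_fields(SAMPLE_EVENTS, SSH_AUTH)
    print(auth)
    print(count_by(auth, "result"))
```

The whitelist in the usage call admits rotated logs such as `access.log.1` while the blacklist drops compressed archives; the extraction step is the manual equivalent of defining a field extraction and then reporting a count per field value.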
Windows Vista and later Windows versions have dozens of individual event log views beyond the legacy Application, Security, and System logs present in earlier Windows. As the screen image shows, Splunk allows you to choose one or more of the individual logs, which is not something most competitors easily allow.
With the default Windows application installed, Splunk comes with 23 default searches and reports, which is limited compared to the competition. Many more reports and views can be downloaded for free. In addition, Splunk offers numerous premium solutions, including the Enterprise Security and PCI Compliance Suites.