Maximizing performance with the latest Splunk platform capabilities
As you implement new use cases, staying informed about new Splunk platform capabilities will help you work more efficiently and effectively. This section connects you to resources that explain the most recent features that the Splunk platform teams are focused on enhancing. You might not be aware of some of the features in these focus areas yet, or you might not be using them to their full capacity. Take some time to familiarize yourself with the information below and how the capabilities can help you on your security or observability maturity journey with the Splunk platform.
The Platform Product Tips section is also a great place to scan for content relevant to your needs, and the Splunk Lantern home page is updated weekly with new and interesting best practices.
Flexible offering model
However you want to deploy and manage your Splunk environment, the Splunk platform can be deployed to meet those needs. Splunk offers the following models to help you customize the Splunk platform.
- Self-Managed
  - Bring Your Own License. Splunk uses the term BYOL (bring your own license) to refer to customers who manage their own deployments in a cloud service provider, such as AWS, using their Splunk Enterprise license.
  - On-Premises. Splunk Enterprise.
- Fully Managed SaaS. With Splunk Cloud Platform, you spend more time innovating and less time managing infrastructure and software, ensuring your entire organization benefits from Splunk’s deep expertise.
- Hybrid. Self-managed and fully managed deployments of Splunk Enterprise and Splunk Cloud Platform running together, connected by Federated Search.
- Compliance offerings. Splunk maintains a comprehensive set of compliance certifications and attestations to support customers in meeting their own compliance obligations across global regulated markets. These include FedRAMP, IL5, IRAP, HIPAA, and more.
- Cloud Partner Offerings. Splunk Cloud Platform offerings running on different cloud service providers, available for purchase through cloud partners and potentially with unique integrations.
- Cross-Region Disaster Recovery. Splunk Cloud Platform can gracefully fail over across regions to lower-cost backups in case of disaster.
Data management
The Splunk platform offers numerous product capabilities to help you filter, transform, enrich, and route data. Most notably, the new Splunk Data Management Pipeline Builders are the latest innovation in data processing. They offer more efficient, flexible data transformation – helping you reduce noise, optimize costs, and gain visibility and control over your data in motion.
- Data management. Monitor your data lifecycle from input selection to pipeline filtering and routing to the Splunk platform and third-party destinations of your choice.
- Edge Processor. Filter, transform, enrich, and route data at the edge, close to its source, before routing the processed data to external environments.
Splunk Lantern offers a number of interesting use cases with Splunk Edge Processor, including: Reducing PAN and Cisco security firewall logs with Splunk Edge Processor; Using Edge Processor to save Splunk Virtual Compute; and Reducing Windows security event log volume with Splunk Edge Processor.
- Ingest Processor. Configure data flows, control data format, apply transformation rules prior to indexing, and route to destinations.
This Splunk Lantern use case teaches you how to use ingest actions to filter Palo Alto logs.
- Ingest Actions. Ingest actions represent a number of capabilities related to pre-index event processing and data routing.
- Data Manager. Easily onboard cloud native data sources, such as AWS inputs and Microsoft Azure data.
- APIs/Custom GDI. The Splunk platform REST API gives you access to the same information and functionality available to core system software and Splunk Web.
- Technical Add-On Integrations. Load partner-specific data sources into the Splunk platform using technical add-ons.
While the number of officially supported add-ons is limited, there are hundreds more add-ons available from Splunkworks, partner organizations, and other Splunk experts. To find them, browse Splunkbase and the Data Descriptors on Splunk Lantern.
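As an added example (not code from this page or from Splunk's own documentation), here is an Edge Processor pipeline in SPL2 of the kind the Windows security event log use case above describes: it extracts the event code from Windows Security events and drops the codes that contribute the most volume before the data reaches the indexer. The sourcetype, the `$source` and `$destination` bindings, the classic (non-XML) event format, and the specific event codes are assumptions.

```spl2
// Added example, not Splunk's own code: an Edge Processor pipeline that
// reduces Windows Security event log volume before indexing.
// Assumptions: events arrive in the classic Windows event format, which
// carries a line such as "EventCode=4662"; $source and $destination are bound
// to a data source and a Splunk index when the pipeline is applied.
$pipeline = | from $source
    // Only act on Windows Security events; everything else is untouched
    | where sourcetype == "WinEventLog:Security"
    // Pull the event code out of the raw event into a field we can filter on
    | rex field=_raw /EventCode=(?<EventCode>\d+)/
    // Drop the codes chosen for reduction. 4662 (an operation was performed
    // on an object) and 5156 (Filtering Platform allowed a connection) are
    // commonly high-volume, low-value; adjust the list to what your
    // detections actually rely on. Events whose code could not be extracted
    // are deliberately kept rather than silently discarded.
    | where isnull(EventCode) OR NOT (EventCode IN ("4662", "5156"))
    | into $destination;
```

Before removing any event code at the edge, confirm with search-time license usage and with the owners of your detections that nothing downstream depends on it; the reduction is irreversible for data that was never indexed.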
Scalable storage and structure
As your business grows, you need a security and observability solution that grows with you. The Splunk platform offers over a dozen ways to help you maintain scalability in your deployment.
- Knowledge Value (KV) Store Lookups. Get more specific and relevant search results by referencing data structures.
This Splunk Lantern use case teaches you how to enrich data via real-time threat detection with KV Store lookups in Splunk Edge Processor.
- Data Models and Accelerated Data Models. Get improved and faster search results by using prestructured data in data models.
- Search Head Clustering. Get faster search results when managing a large self-managed deployment by clustering search heads in an architecturally beneficial way.
- Splunk Index. Store near real-time data in your Splunk index for high-performance monitoring of recent data.
- SmartStore. Decouple compute and storage for cost-effective, long-term storage using cloud infrastructure.
Learn more about reducing SmartStore cache churn with this Splunk Lantern product tip.
- Dynamic Data Active Archive. Cost-effective, long-term storage using cloud infrastructure for Splunk Cloud Platform.
Learn more about setting data retention rules with this Splunk Lantern product tip.
- External Data Lake. Together, Amazon Security Lake and Splunk deliver an integrated solution for collecting, storing, managing, and analyzing security data.
- Data Summaries. If you have a transforming search that runs over a large amount of data and is slow to complete, and you have to run this search on a regular basis, you can create a summary index for it. When that summary index is built, the searches you run against it should complete much faster than they did before.
- Data Rollups. A metric rollup policy sets rules for the aggregation and summarization of the metrics on indexes with high-volume metrics. The rollup summaries contain metric data points that are aggregations of the raw metric data points in the source index. The summarized metrics take up less disk space and are faster to search than the original metrics.
- Administrative Monitoring. Monitor your Splunk deployment and take action on performance issues.
- Monitoring Console. The Monitoring Console is the Splunk Enterprise monitoring tool. It lets you view detailed topology and performance information about your deployment.
- Cloud Monitoring Console (CMC). The CMC lets Splunk Cloud Platform administrators view information about the status of their deployment. CMC dashboards provide insight into how various areas of a Splunk Cloud Platform deployment are performing.
- Workload Management. Workload management is a rule-based framework that lets you allocate compute and memory resources to search, indexing, and other workloads in Splunk Enterprise. Workload management lets you create system resource pools, called workload pools, and allocate search workloads to different pools. You can also monitor long-running searches and perform automated remediation actions.
Learn more about best practices for workload management with this Splunk Lantern product tip.
- Field filters. Field filters control visibility of data within events by redacting or obfuscating confidential information when users who are not exempt from the field filters run searches.
Search and analytics
You already know that the Splunk platform delivers fast time to value with powerful investigative search, dashboards, visualizations, reporting, and alerting. Now, search has been enhanced with several new and updated capabilities.
- SPL2. SPL2 makes the Splunk search processing language easier to use, removes infrequently used commands, and improves the consistency of the command syntax. SPL2 is a more concise language that supports both SPL and SQL syntax. SPL2 is a product-agnostic, intuitive language that includes the best of both query and scripting languages. SPL2 is designed to work with the variety of runtimes in the Splunk product portfolio. It is backwards compatible with SPL, and can operate in parallel with SPL. It is currently used in the following products:
  - Splunk Edge Processor. See the Edge Processor Setup and SPL2 Pipeline Introduction on Splunk Lantern for a comprehensive walkthrough.
  - Splunk Enterprise for application development (public beta)
  - Splunk Search Experience (preview)
- Federated search. You can run federated searches to search datasets outside of your local Splunk platform deployment. From your local search head, federated search for Splunk gives you a holistic view of datasets across multiple Splunk platform deployments. Federated search is topology-agnostic, so it works despite the complexity of the Splunk platform deployments involved. You can run a federated search across any remote Splunk Cloud Platform or Splunk Enterprise deployment.
- Federated analytics. Federated Analytics brings an on-demand indexing option for data lakes starting with Amazon Security Lake (ASL), providing both in-place search capability without data duplication as well as a dynamic indexing approach to facilitate low latency searches. This enables organizations to gather context from diverse data sources, and bring selective datasets into the Splunk platform on demand, offering a perfect blend of cost efficiency and low search latency. Federated Analytics offers both cost efficiency and agility for organizations, to react to new information and not compromise on high performance searches because of the storage choices of the past. It offers optionality to leverage high performance searches for the limited duration of the investigation without incurring cost and management overhead.
Artificial intelligence and machine learning
The Splunk platform features generative AI assistants embedded in your search experience, in addition to foundational AI across the platform, including:
- Splunk AI Assistant for SPL (Cloud Version). The Splunk AI Assistant for SPL empowers users to search their data using plain English.
  - The Write SPL tab is where you compose what you want to search in plain English, and the Splunk AI Assistant for SPL translates the request into Splunk Search Processing Language (SPL). You can run or build on that SPL search, all within a familiar Splunk interface.
  - The Explain SPL tab explains what any SPL search is doing in plain English, along with a detailed breakdown of the search.
  - The Tell me about tab answers questions about Splunk documentation and any Splunk platform term or product.
Splunk Lantern walks through an example of how to use the Splunk AI Assistant for SPL.
- Splunk Machine Learning Toolkit (MLTK). This app delivers new SPL commands, custom visualizations, assistants, and examples to explore a variety of machine learning concepts. Each assistant includes end-to-end examples with datasets, plus the ability to apply the visualizations and SPL commands to your own data. You can inspect the assistant panels and underlying code to see how it all works. Learn more about what the MLTK can do:
  - Splunk Docs: Splunk Machine Learning Toolkit Showcase
  - Product Brief: Splunk Machine Learning Toolkit (MLTK)
- Splunk App for Anomaly Detection. This app finds anomalies in time series datasets and provides an end-to-end workflow to manage and operationalize anomaly detection tasks. The app detects seasonal patterns and finds anomalies in just a couple of clicks. Using the app, you can create anomaly detection jobs, run these jobs on a regular cadence, view SPL queries, and create alerts. The app works with any time series dataset that can be ingested into the Splunk platform, provided the points in the time series are evenly spaced.