Five years ago, Splunk was all the rage, especially when it comes to monitoring the health and security of large environments. We started deploying Splunk at CrossRealms in systems we deemed an ideal fit like large banking call centers, as well as systems that had little in common but were completely dependent on one another in a mission critical framework. Since then, many other vendors have stepped up like IBM QRadar, LogRhythm and HPE ArcSight but interestingly enough,Splunk persisted in being the leader amongst all its peers. – https://www.gartner.com/doc/3406817
Before I go through the details of why Splunk continues to move ahead of its peers, I want to explain the use-case scenarios and why Splunk and Splunk-like products create a material differentiator in environments that deem themselves mission critical.
Need for granular information: Search engines like Splunk provide the ability to collect information beyond syslog like NetFlow and Network Capture, which is much more informative than what the logging system on devices are programmed to do. This is primarily due to the fact that the case scenario of concern is usually beyond the scope of what the “vendor scenarios had envisioned when they designed their logging system”. One of the negative impacts of collecting all this information is the risk of information overload – however, Splunk configured correctly will digest and present the information in the context needed versus in raw form.
Need for a scalable and centralized system to be the source of truth: In most environments, the biggest obstacle to recognizing events of concern is dependent on having a consistent source of truth across all events. This unified platform will allow administrators and security engineers to have a quick visibility to the entire environment irrespective of the device. A simple denial of service attack against a firewall might not lead to any concern for the firewall engineer, however, that same attack coinciding with actual application access from a similar source would immediately flag a high risk and a potential security breach in progress. In addition, it’s extremely hard to reconstruct a situation in a post-mortem fashion without having all the logs readily available and synchronized for forensic analysis.
Need for a correlation engine to automate tasks: Systems today are comprised of many moving parts that are interdependent on one another. Most of these systems have different touch points of what is considered an “item of concern”, like storage disk failure versus a denial of service packet coming on the outside interface of a router, or even versus user authentication failures on an application server. As the network increases in size, the inter-dependencies grow exponentially, and any monitoring system that looks at events in their pure form (i.e. storage incidents, separate from firewall and/or application) slowly loses its ability to provide adequate information on the state of the environment.
And now for the big question – why Splunk?
From my perspective, there are a few differentiators that Splunk offers ahead of its competition:
- Extremely useful and intuitive dashboards across multiple environments which provide instantaneous value to clients as soon as the system is built
- Extensive search functionality that allows the advanced users to quickly find the information needed – especially when something is going wrong
- Ability to scale the installation to tens of thousands of devices by simply adding either more Index Clusters or Search Heads
- Filter events that are deemed “not interesting” before they get ingested into the system to save on costs
- Launch alerts as traffic patterns are streaming into the Splunk system which ensures extremely fast responses to events
That sums it up for this week’s blog. For next week, I will be writing about a new service offering that CrossRealms has developed as a pre-packaged solution for Backup, Disaster Recovery and Business Continuity for mid to large organizations!!
For more information on this week’s blog or others, please contact Usama Houlila at