
Splunk 5 Boosts Performance, Adds Features For Security Teams

The latest version of Splunk’s big data search and analytics platform offers security professionals quicker insights and intelligence gleaned from large volumes of data.


Splunk 5, the company’s flagship offering, features dynamic drill-down capabilities, distributed indexing technology, and marked improvements in reporting, Mark Seward, director of security and compliance solutions at Splunk, told SecurityWeek. Each of these features makes it easier for security professionals to work with large volumes of security-related data, Seward said.

Splunk was designed to collect and index machine data. Security professionals use it to analyze log files from servers and routers, event data from endpoints, and other security-related information from the network. The data is typically used to troubleshoot problems and to support security forensics.

“Bottom line, customers rely on Splunk to store large amounts of data,” Seward said.

In Splunk 5, the company introduced a new indexing technology that replicates the index across different servers. The distributed indexing technology adds redundancy to the data, which IT needs when planning business continuity for a disaster or an outage. With distributed indexing, organizations no longer need to keep backups on storage area networks and can instead rely on commodity servers, Seward said.

The index in Splunk is what answers user queries and locates information. By keeping multiple copies of it on different servers, Splunk 5 ensures that if one server goes down the data remains available on the others, so administrators can continue to run reports and queries. When the downed server comes back online, it is brought back up to date.

“I don’t have to have a SAN in place to have failover, to have replicated data,” Seward said, adding that the new indexing technology makes the entire platform more resilient.

While organizations still need to source and provision additional servers to get that level of redundancy, “servers are still cheaper than SANs,” Joe Goldberg, a senior manager at Splunk, told SecurityWeek. Even when there is no outage to worry about, the distributed index also makes search queries run much faster, because the work is spread across the servers, Goldberg said.
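The redundancy argument above comes down to a simple invariant: as long as every slice of the index has more copies than the number of servers you lose, every query can still be answered, and a repair step can restore the copy count before the next failure. The following is an added example, a toy model written for this page and not Splunk’s own code or configuration; the peer names, the `replication_factor` parameter and the load-balanced placement are assumptions made for illustration.

```python
"""Conceptual model of a replicated index (added example, not Splunk's code).

Every bucket of indexed data is stored on `replication_factor` distinct peers.
Losing fewer peers than the replication factor leaves every bucket searchable;
repair() re-replicates under-replicated buckets onto the peers still online.
"""
from collections import defaultdict


class ReplicatedIndex:
    def __init__(self, peers, replication_factor):
        if replication_factor > len(peers):
            raise ValueError("replication factor cannot exceed the number of peers")
        self.peers = list(peers)          # hypothetical peer names, e.g. "idx0"
        self.rf = replication_factor
        self.online = set(peers)
        self.copies = defaultdict(set)    # bucket id -> peers holding a copy

    def _least_loaded(self, exclude, count):
        """Pick up to `count` online peers not in `exclude`, fewest buckets first."""
        load = {p: 0 for p in self.peers}
        for holders in self.copies.values():
            for p in holders:
                load[p] += 1
        candidates = [p for p in self.peers if p in self.online and p not in exclude]
        return sorted(candidates, key=lambda p: (load[p], p))[:count]

    def add_bucket(self, bucket):
        """Write a new bucket with rf copies on distinct online peers."""
        holders = self._least_loaded(exclude=set(), count=self.rf)
        if len(holders) < self.rf:
            raise RuntimeError("not enough online peers to meet the replication factor")
        self.copies[bucket] = set(holders)

    def peer_down(self, peer):
        self.online.discard(peer)

    def peer_up(self, peer):
        # A returning peer still holds its copies; a real cluster would resync
        # them before counting them as current (simplified here).
        self.online.add(peer)

    def searchable(self):
        """Buckets with at least one copy on an online peer."""
        return {b for b, h in self.copies.items() if h & self.online}

    def unsearchable(self):
        return set(self.copies) - self.searchable()

    def repair(self):
        """Re-replicate buckets whose online copy count fell below rf.
        Returns the number of new copies made."""
        made = 0
        for bucket, holders in self.copies.items():
            live = holders & self.online
            missing = self.rf - len(live)
            if missing <= 0:
                continue
            for p in self._least_loaded(exclude=holders, count=missing):
                holders.add(p)
                made += 1
        return made


def failover_demo():
    """Three peers, two copies per bucket: one outage loses nothing, a second
    outage loses data unless repair() ran in between. Returns the number of
    unsearchable buckets at each stage."""
    idx = ReplicatedIndex(["idx0", "idx1", "idx2"], replication_factor=2)
    for b in range(6):
        idx.add_bucket(f"bucket{b}")

    idx.peer_down("idx1")
    after_one = len(idx.unsearchable())            # every bucket still has a live copy

    idx.peer_down("idx2")
    after_two_no_repair = len(idx.unsearchable())  # buckets that lived only on idx1+idx2

    idx.peer_up("idx2")
    idx.repair()                                   # rebuild missing copies on idx0/idx2
    idx.peer_down("idx2")
    after_two_with_repair = len(idx.unsearchable())
    return after_one, after_two_no_repair, after_two_with_repair


if __name__ == "__main__":
    print(failover_demo())
```

The point of the three-stage demo is the caveat a practitioner cares about: replication protects against the first failure automatically, but protection against the next one depends on the cluster re-replicating the lost copies before it happens, which is why the returning server has to be brought back up to date rather than simply counted as present.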

For security professionals using Splunk in investigations, the new dynamic drill-down capability finds related pieces of information in a more intelligent way, Goldberg said. When an investigator clicks on a malware event in Splunk 5, the platform uses that event’s ID to locate related events and details and displays them, Goldberg said. The dynamic drill-downs guide the user along a path of relevant data.
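What a drill-down actually does, stripped of the user interface, is treat the clicked event as an anchor and pull in everything that shares a field value with it in a nearby time window. The following is an added example written for this page, not Splunk’s code or its search language; the pivot fields (`host`, `user`, `dest`), the five-minute window and the log events themselves are constructed assumptions, not real data.

```python
"""Model of a drill-down pivot (added example, not Splunk's code).

The event the analyst clicks on becomes the anchor; related events are those
that share a pivot field value with it inside a time window. The constructed
events below stand in for indexed log data.
"""
from datetime import datetime, timedelta

# Constructed sample events; not from a real system.
EVENTS = [
    {"_time": "2012-10-30T09:59:55", "sourcetype": "wineventlog", "host": "ws-17",
     "user": "asmith", "event_id": "4624", "note": "logon"},
    {"_time": "2012-10-30T10:00:02", "sourcetype": "proxy", "host": "ws-17",
     "user": "jdoe", "dest": "203.0.113.5", "action": "allowed"},
    {"_time": "2012-10-30T10:00:05", "sourcetype": "av", "host": "ws-17",
     "user": "jdoe", "event_id": "AV-4471", "signature": "Trojan.Generic",
     "action": "quarantined"},
    {"_time": "2012-10-30T10:00:09", "sourcetype": "wineventlog", "host": "ws-17",
     "user": "jdoe", "event_id": "4688", "process": "powershell.exe"},
    {"_time": "2012-10-30T10:01:30", "sourcetype": "proxy", "host": "ws-17",
     "user": "jdoe", "dest": "203.0.113.5", "action": "blocked"},
    {"_time": "2012-10-30T10:40:00", "sourcetype": "proxy", "host": "ws-22",
     "user": "asmith", "dest": "198.51.100.9", "action": "allowed"},
]


def _ts(event):
    return datetime.fromisoformat(event["_time"])


def find_anchor(events, event_id):
    """Look up the event the analyst clicked on by its event ID."""
    for e in events:
        if e.get("event_id") == event_id:
            return e
    raise KeyError(f"no event with event_id {event_id!r}")


def drilldown(events, anchor, pivot_fields=("host", "user", "dest"),
              window=timedelta(minutes=5)):
    """Return events that share at least one pivot field value with `anchor`
    within +/- window, excluding the anchor itself, oldest first, each paired
    with the tuple of fields it matched on."""
    t0 = _ts(anchor)
    related = []
    for e in events:
        if e is anchor or abs(_ts(e) - t0) > window:
            continue
        matched = tuple(f for f in pivot_fields
                        if f in anchor and f in e and anchor[f] == e[f])
        if matched:
            related.append((matched, e))
    related.sort(key=lambda pair: _ts(pair[1]))
    return related


def investigate(events, event_id):
    """One click's worth of drill-down: pivot from the chosen event and group
    what was found by sourcetype so the analyst sees the path at a glance."""
    anchor = find_anchor(events, event_id)
    related = drilldown(events, anchor)
    by_sourcetype = {}
    for _matched, e in related:
        by_sourcetype.setdefault(e["sourcetype"], []).append(e)
    return related, by_sourcetype


if __name__ == "__main__":
    for matched, e in investigate(EVENTS, "AV-4471")[0]:
        print(e["_time"], e["sourcetype"], "matched on", matched)
```

Clicking the antivirus quarantine `AV-4471` pulls in the proxy request just before it, the process creation just after it, the later blocked retry to the same destination, and a logon by a different user on the same host; the unrelated host forty minutes later is left out. Recording which fields each hit matched on is what lets the next click continue the path (pivot on `dest` to see who else talked to 203.0.113.5) instead of starting over.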


With every release, Splunk engineers try to make the platform faster and more scalable, and to “accelerate the ability” of security professionals to get information out of their data, Seward explained. “Splunk 5 is no different.”

Administrators rely on Splunk to run search queries over tens of terabytes of data and to build reports. With Splunk 5, administrators can prioritize some queries and reports over others: if several reports are running and a more important, or more complex, query needs to run, they can shift resources away from lower-priority queries to speed up the higher-priority report, Seward said.

Reports run up to 1,000 times faster in Splunk 5 than in previous versions of the platform, according to the company. A report over multiple terabytes of data from a large multi-datacenter web environment that would normally take 30 minutes can, with Splunk 5’s report acceleration, complete in less than two seconds, Splunk said.
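A thousand-fold speedup is not a faster scan; report acceleration works by maintaining summaries of the report’s results as data is indexed, so the report becomes a lookup over summary rows rather than a pass over every raw event. The following is an added example written for this page, not Splunk’s implementation; the report definition (blocked proxy requests per host per hour), the event generator and its hosts are constructed assumptions.

```python
"""Model of report acceleration via precomputed summaries (added example,
not Splunk's code).

One transforming report, blocked proxy requests per host per hour, is answered
two ways: by scanning every raw event, and from a summary kept up to date as
events are indexed. Both must agree; the accelerated answer costs time
proportional to the number of summary rows, not the number of raw events.
"""
from collections import Counter
from datetime import datetime
import random


def make_events(n, seed=1):
    """Constructed proxy events spread over one day; not real data."""
    rng = random.Random(seed)
    hosts = ["ws-%02d" % i for i in range(1, 6)]
    events = []
    for _ in range(n):
        events.append({
            "_time": f"2012-10-30T{rng.randrange(24):02d}:{rng.randrange(60):02d}:00",
            "sourcetype": "proxy",
            "host": rng.choice(hosts),
            # roughly one request in four is blocked
            "action": rng.choice(["allowed", "allowed", "allowed", "blocked"]),
        })
    return events


def hour_key(event):
    """Summary granularity: one row per (hour, host)."""
    return datetime.fromisoformat(event["_time"]).strftime("%Y-%m-%dT%H")


def matches_report(event):
    return event["sourcetype"] == "proxy" and event["action"] == "blocked"


def report_from_raw(events):
    """The unaccelerated report: every raw event is touched."""
    counts = Counter()
    for e in events:
        if matches_report(e):
            counts[(hour_key(e), e["host"])] += 1
    return dict(counts)


class AcceleratedReport:
    """Summary maintained while indexing; the report is a lookup over it."""

    def __init__(self):
        self.summary = Counter()
        self.events_seen = 0

    def index(self, event):
        """Called once per event as it is indexed; updates only the matching row."""
        self.events_seen += 1
        if matches_report(event):
            self.summary[(hour_key(event), event["host"])] += 1

    def report(self, hour=None):
        """Answer from the summary, optionally narrowed to one hour."""
        rows = dict(self.summary)
        if hour is not None:
            rows = {k: v for k, v in rows.items() if k[0] == hour}
        return rows


def demo(n=20000):
    """Index n constructed events and compare the two answers.
    Returns (answers_agree, raw_events_scanned, summary_rows_read)."""
    events = make_events(n)
    acc = AcceleratedReport()
    for e in events:
        acc.index(e)
    raw = report_from_raw(events)
    fast = acc.report()
    return raw == fast, len(events), len(fast)


if __name__ == "__main__":
    agree, scanned, rows = demo()
    print(f"agree={agree} raw_events={scanned} summary_rows={rows}")
```

The summary has at most 24 hours × 5 hosts = 120 rows no matter how many events arrive, which is where the speedup comes from. The caveat that goes with it: the summary can only answer the question it was built for. A variation the summary does not cover, such as blocked requests per user, falls back to a full scan of the raw events.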

The latest version of Splunk also extends its API to make it easier for security professionals to remotely execute commands, run reports, and hook the data analytics platform into other products and applications, Seward said. A new JavaScript SDK included with Splunk 5 lets developers build JavaScript applications that take advantage of the data stored in Splunk. Previous versions of the software had SDKs for Java, Python and PHP.
