This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 , 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13
Splunk has developed its own search technology specifically designed for the unique problem of indexing IT data in real-time. Splunk's R&D team includes some of the world's foremost search engine architects and they've spent years solving problems that are unique to this class of data.
Yes, Splunk has many features that correlate data. Splunk automatically classifies datasources and events, so that you can search for all occurrences of the same type of events over time, and alert based on seeing more than a certain threshold of a like set of events. It also automatically finds relationships based on values in the events, such as shared usernames and threadids. You can correlate data on an ad hoc basis by navigating events sharing IP addresses, user names and other values just by pointing and clicking. It provides robust alerting. Splunk 3.0's expanded search language lets you perform complex correlation within a single search, such as finding all IP addresses with more than10 firewall denies that also have accepts.