• General Information
  • General Info
    • What Is Splunk?
    • What problem does Splunk software solve?
    • Who uses Splunk?
    • How is Splunk used most often?
    • What is the ROI for deploying Splunk? Why should I use it?
    • When is your next release?
    • Is Splunk open source?
• Company Background
  • Company Background
    • When was the company founded? When was the product released?
    • Who are your investors? How much money have you raised?
    • What are your revenues? When do you expect to be profitable?
• How Splunk Works
  • Installation
    • How long does it take to install Splunk?
    • What is Splunk's impact on production systems, applications and networks? What is its memory footprint?
    • Which platforms does Splunk run on?
    • Does Splunk need agents?
  • Accessing data
    • What kind of data does Splunk support? Does Splunk support (name of product/log format here)?
    • Does Splunk integrate with any products?
    • Can Splunk access data on Windows? How?
    • Can Splunk access data on mainframes? How?
    • How does Splunk access data sources?
    • Can Splunk send alerts?
    • Can I generate reports with Splunk?
    • Does Splunk support compliance?
    • Does Splunk collect data securely and protect data integrity?
    • How does Splunk deal with logs from different time zones?
    • What if my logs don't have timestamps?
    • What are the differences between user levels (User, Power User, Admin) in Splunk when running with an enterprise license?
    • What language is Splunk written in?
  • Data Management
    • Does Splunk store copies of my log data?
    • How does Splunk store its data? Does it use a relational database? What database does it use?
    • How is the index structured?
    • Does Splunk compress the data it stores?
    • What are Splunk's storage requirements?
    • How much data can Splunk store online? How long can Splunk keep data online?
    • Can Splunk automatically retire older data? How do I avoid running out of disk space?
    • Splunk's stopped indexing my data. Is that because I exceeded my license limit?
    • How scalable is Splunk? How does Splunk scale?
    • How dense is the index?
  • Search
    • What search technology underlies Splunk? Lucene?
    • Does Splunk do correlation?
  • Licensing
    • What are the differences between the free and enterprise licenses?
    • What happens when my trial license expires?
    • Does indexing stop if I reach the limit of my license?
    • What happens when I exceed my license limit?
    • My 2.x license doesn't work with 3.0
• Purchasing Splunk
  • Purchasing Splunk
    • How much does Splunk cost? How is it licensed?
    • How do I know how much data I have?
    • Can I re-use the same license key on different servers?
    • What is Splunk's service and support offering?
    • Does Splunk offer installation assistance and other professional services?
    • Does Splunk offer training?
    • Can I schedule a demo with Splunk Sales?
    • Can I get an extension for my trial license?
• Splunk Base and the Splunk Community
  • SplunkBase and the Splunk Community
    • What is SplunkBase?
    • How do I use SplunkBase?
    • How does the Splunk Community fit with the Splunk software product?
    • How many members does the Splunk Community have?
    • Aren't there already a number of communities for systems administrators? Why should they come to SplunkBase?
• Customers and Partners
  • Customers and Partners
    • Who are your partners?
    • Who are your customers? How many customers does Splunk have?
    • Do you have a reseller program?
    • Do you OEM your product?
• Getting Started
  • Getting Started
    • How do I start?
    • I just installed Splunk with an enterprise and I'm trying to log into the web interface for the first time. It's asking me for a username and password. What are they?
    • How do I index a file?
    • I've gotten to my Splunk interface, but what do I search for?
    • Can I install a new version of Splunk over an older version, without losing any of my configurations or data?
• Accessing Data
  • Accessing Data
    • How can I customize the way Splunk handles my data?
    • How can I tell if all my data has been indexed?
    • I have more than 10,000 events indexed. Why don't they all show up when I run a "meta::all" search?
    • How do I configure Splunk to index archived (non-growing) files?
    • How do I configure Splunk to index live (constantly-growing) files?
    • Can I set up a live input of data from different hosts to my central Splunk server?
  • Windows
    • Does Splunk run on Windows?
• How Splunk Handles Data
  • How Splunk Handles Data
    • Splunk is handling multiple events as one. Splunk is splitting multiple line events in the wrong place. How do I fix that?
    • Splunk is not recognizing my timestamps correctly. How do I fix that?
    • I want to add custom fields such as user:: to the default fields like source::. How do I do that?
    • I have some sensitive data. Can I garble it before it gets indexed?
    • I want to search for messages in my email logs based on both sender and recipient, but these are recorded in different events with a common message id. Can Splunk handle that?
    • Does Splunk read milliseconds?
• Administration
  • Administration
    • I need to change the ports Splunk uses. How can I do this?
    • I want to clear out my index. How do I do that?
• Integrating and Extending Splunk
  • Integrating and extending Splunk
    • Can I use SOAP or REST to talk to Splunk from another application?
    • Can I send alerts based on Splunk search results?
• Troubleshooting
  • Troubleshooting
    • I type in a term I know is in my data. Why don't I get any results?
    • I go to the URL for my Splunk server and there's nothing there. What do I do?
    • Splunk starts but Splunkd won't start. What do I do?
    • The webserver is saying splunkd is down but it isn't. What is the matter?
    • I'm running low on disk space. What do I do?
    • I've made some config changes, but I'm not sure if they're working.
    • My 2.x license doesn't work with 3.0
    • I can't export results in Internet Explorer 6
• Getting Help
  • Getting Help
    • How can I learn more about Splunk's advanced features?
    • I lost my Splunk.com password. What do I do?
    • How do I report problems?
    • How can I make suggestions?
    • I have some questions that aren't answered here. Where can I get help?

Accessing data

What kind of data does Splunk support? Does Splunk support (name of product/log format here)?

Splunk universally supports all kinds of IT data in any format from any device or application. There is no functionality that requires special parsers or adapters for particular data formats. This universal data support depends on powerful algorithms that can learn how to process new sources automatically.

Does Splunk integrate with any products?

Splunk does not require integration to handle data from particular products. We do have numerous integration features including a browser toolbar, scripted alerts and a REST API for search that allows for seamless user interface and alerting workflow integrations. Our professional services team can also deliver integration services and has helped customers integrate with products such as Tivoli, Netcool, HP Openview, BMC Patrol and Nagios.

Can Splunk access data on Windows? How?

Yes. The Windows Event Log can be forwarded to a Splunk Server over syslog by using Snare, Kiwi or any other Windows Event to syslog reporter products. Other logs on Windows such as IIS access logs and Exchange message tracking logs can be read in real time by the Adiscon Monitorware Agent, which is available with a Splunk Enterprise license. Read more about accessing logs on Windows hosts in the Admin Manual.

Can Splunk access data on mainframes? How?

Yes. Mainframe logs can be routinely scp'd or ftp'd (depending on the specific mainframe) to a server running Splunk. Once there, they can be accessed like any other kind of data, as Splunk does not depend on adapters for specific log formats.

How does Splunk access data sources?

Splunk can read data in real-time from logfiles, FIFO queues, network ports, or databases. Splunk can be installed across hundreds of production hosts and forward to one or more central Splunk servers for real-time distributed data access. Read the Admin Manual for more information.

Can Splunk send alerts?

Yes, you can schedule any search and establish rules to alert via email, RSS or by triggering a shell script.

Can I generate reports with Splunk?

Yes, you can summarize the results of any search using either Splunk's built in statistical operators such as stats, sort and top or using full SQL select statements. However, instead of reporting on data stored in a structured schema in a relational database, Splunk's reports run on fields that are dynamically extracted at search time so it's flexible enough to be trained to recognize new fields without re-indexing the data.

Reports can be charted in many different formats, exported to csv, added to dashboards and scheduled for delivery in email.

Does Splunk support compliance?

Yes, Splunk supports compliance mandates that require you to collect and retain log data and generate alerts and reports on particular kinds of log events. It also helps meet compliance mandates that restrict access to production machines, as Splunk can provide developers and others the access they need to production logfiles without giving them access to the production machines themselves. Many of Splunk's customers use it to satisfy compliance mandates from PCI to SOX.

Does Splunk collect data securely and protect data integrity?

Yes. Splunk accesses data remotely in real time and can use encrypted network connections, so that data is not subject to tampering on a compromised host. Splunk's interface provides auditable, read-only access to the data via a web or commandline interface with user access controls.

How does Splunk deal with logs from different time zones?

Splunk can normalize timestamps based on per-host time offsets that you supply in a configuration file. It also reads and uses timezones in timestamps it finds in log events, if they are present. It normalizes all timestamps to the timezone of the host where the Splunk Server is indexing its data.

What if my logs don't have timestamps?

Splunk makes every effort to find a timestamp in the logfile. If some events lack timestamps, it uses the timestamp last seen until it encounters a new timestamp. If there are no timestamps whatsoever, Splunk assumes that you're accessing data in real time and uses the current time as the timestamp. You can configure Splunk to read the date from the filename as well.

What are the differences between user levels (User, Power User, Admin) in Splunk when running with an enterprise license?

A basic User can search for data, create personal Saved Searches and Alerts, and edit his or her own account info. A Power User can tag event types, edit source types, and create shared Saved Searches that appear on all users' menus. An Admin can also add, edit or delete other users' accounts, configure data inputs, configure server settings, and set up data forwarding, receiving, and cloning.

What language is Splunk written in?

Splunk is a high performance, distributed software server written in C/C++ and Python. The core data processing, indexing and search uses C/C++ for maximum performance.