• General Information
  • General Info
    • What Is Splunk?
    • What problem does Splunk software solve?
    • Who uses Splunk?
    • How is Splunk used most often?
    • What is the ROI for deploying Splunk? Why should I use it?
    • When is your next release?
    • Is Splunk open source?
• Company Background
  • Company Background
    • When was the company founded? When was the product released?
    • Who are your investors? How much money have you raised?
    • What are your revenues? When do you expect to be profitable?
• How Splunk Works
  • Installation
    • How long does it take to install Splunk?
    • What is Splunk's impact on production systems, applications and networks? What is its memory footprint?
    • Which platforms does Splunk run on?
    • Does Splunk need agents?
  • Accessing data
    • What kind of data does Splunk support? Does Splunk support (name of product/log format here)?
    • Does Splunk integrate with any products?
    • Can Splunk access data on Windows? How?
    • Can Splunk access data on mainframes? How?
    • How does Splunk access data sources?
    • Can Splunk send alerts?
    • Can I generate reports with Splunk?
    • Does Splunk support compliance?
    • Does Splunk collect data securely and protect data integrity?
    • How does Splunk deal with logs from different time zones?
    • What if my logs don't have timestamps?
    • What are the differences between user levels (User, Power User, Admin) in Splunk when running with an enterprise license?
    • What language is Splunk written in?
  • Data Management
    • Does Splunk store copies of my log data?
    • How does Splunk store its data? Does it use a relational database? What database does it use?
    • How is the index structured?
    • Does Splunk compress the data it stores?
    • What are Splunk's storage requirements?
    • How much data can Splunk store online? How long can Splunk keep data online?
    • Can Splunk automatically retire older data? How do I avoid running out of disk space?
    • Splunk's stopped indexing my data. Is that because I exceeded my license limit?
    • How scalable is Splunk? How does Splunk scale?
    • How dense is the index?
  • Search
    • What search technology underlies Splunk? Lucene?
    • Does Splunk do correlation?
  • Licensing
    • What are the differences between the free and enterprise licenses?
    • What happens when my trial license expires?
    • Does indexing stop if I reach the limit of my license?
    • What happens when I exceed my license limit?
    • My 2.x license doesn't work with 3.0
• Purchasing Splunk
  • Purchasing Splunk
    • How much does Splunk cost? How is it licensed?
    • How do I know how much data I have?
    • Can I re-use the same license key on different servers?
    • What is Splunk's service and support offering?
    • Does Splunk offer installation assistance and other professional services?
    • Does Splunk offer training?
    • Can I schedule a demo with Splunk Sales?
    • Can I get an extension for my trial license?
• Splunk Base and the Splunk Community
  • SplunkBase and the Splunk Community
    • What is SplunkBase?
    • How do I use SplunkBase?
    • How does the Splunk Community fit with the Splunk software product?
    • How many members does the Splunk Community have?
    • Aren't there already a number of communities for systems administrators? Why should they come to SplunkBase?
• Customers and Partners
  • Customers and Partners
    • Who are your partners?
    • Who are your customers? How many customers does Splunk have?
    • Do you have a reseller program?
    • Do you OEM your product?
• Getting Started
  • Getting Started
    • How do I start?
    • I just installed Splunk with an enterprise and I'm trying to log into the web interface for the first time. It's asking me for a username and password. What are they?
    • How do I index a file?
    • I've gotten to my Splunk interface, but what do I search for?
    • Can I install a new version of Splunk over an older version, without losing any of my configurations or data?
• Accessing Data
  • Accessing Data
    • How can I customize the way Splunk handles my data?
    • How can I tell if all my data has been indexed?
    • I have more than 10,000 events indexed. Why don't they all show up when I run a "meta::all" search?
    • How do I configure Splunk to index archived (non-growing) files?
    • How do I configure Splunk to index live (constantly-growing) files?
    • Can I set up a live input of data from different hosts to my central Splunk server?
  • Windows
    • Does Splunk run on Windows?
• How Splunk Handles Data
  • How Splunk Handles Data
    • Splunk is handling multiple events as one. Splunk is splitting multiple line events in the wrong place. How do I fix that?
    • Splunk is not recognizing my timestamps correctly. How do I fix that?
    • I want to add custom fields such as user:: to the default fields like source::. How do I do that?
    • I have some sensitive data. Can I garble it before it gets indexed?
    • I want to search for messages in my email logs based on both sender and recipient, but these are recorded in different events with a common message id. Can Splunk handle that?
    • Does Splunk read milliseconds?
• Administration
  • Administration
    • I need to change the ports Splunk uses. How can I do this?
    • I want to clear out my index. How do I do that?
• Integrating and Extending Splunk
  • Integrating and extending Splunk
    • Can I use SOAP or REST to talk to Splunk from another application?
    • Can I send alerts based on Splunk search results?
• Troubleshooting
  • Troubleshooting
    • I type in a term I know is in my data. Why don't I get any results?
    • I go to the URL for my Splunk server and there's nothing there. What do I do?
    • Splunk starts but Splunkd won't start. What do I do?
    • The webserver is saying splunkd is down but it isn't. What is the matter?
    • I'm running low on disk space. What do I do?
    • I've made some config changes, but I'm not sure if they're working.
    • My 2.x license doesn't work with 3.0
    • I can't export results in Internet Explorer 6
• Getting Help
  • Getting Help
    • How can I learn more about Splunk's advanced features?
    • I lost my Splunk.com password. What do I do?
    • How do I report problems?
    • How can I make suggestions?
    • I have some questions that aren't answered here. Where can I get help?

Search

What search technology underlies Splunk? Lucene?

Splunk has developed its own search technology specifically designed for the unique problem of indexing IT data in real-time. Splunk's R&D team includes some of the world's foremost search engine architects and they've spent years solving problems that are unique to this class of data.

Does Splunk do correlation?

Yes, Splunk has many features that correlate data. Splunk automatically classifies datasources and events, so that you can search for all occurrences of the same type of events over time, and alert based on seeing more than a certain threshold of a like set of events. It also automatically finds relationships based on values in the events, such as shared usernames and threadids. You can correlate data on an ad hoc basis by navigating events sharing IP addresses, user names and other values just by pointing and clicking. It provides robust alerting. Splunk 3.0's expanded search language lets you perform complex correlation within a single search, such as finding all IP addresses with more than10 firewall denies that also have accepts.