Explaining Splunk through Recipes

The community of Splunk users can be compared to a benevolent cult. There are those that are initiated, that have drunk the Kool-aid, that have used Splunk to solve problems they could not solve any other way. These people understand the beauty of Splunk because it has helped achieve their goals.

Then there are the uninitiated. The people who sort of understand but who don’t really get the idea. “Seriously, can’t you use grep and perl to do all this stuff?” they say dismissively. “No, you can’t,” respond the believers.

Crossing this divide is made more complicated by Splunk’s simplicity and power. As I have come to know Splunk, I have thought of it as similar to the game of chess. There is an opening in which data is described and indexed, a middle game in which it is transformed, grouped, and summarized, and an end game in which it is displayed.  In Splunk, like in chess, the number of moves in each stage of the game is almost limitless. When you combine the three stages together, the options are impossible to describe in total.

The challenge of explaining Splunk is to first show how it can do useful things, but then to continue the education so that more and more problems can be solved. The problem at many Splunk installations is that learning stops after Splunk has solved a set of urgent problems. People then come to think of Splunk as a solution to those problems, not as something that has much wider applicability.

Starting this summer, David Carasso, Chief Mind of Splunk, has asked me and my team at Evolved Media to help find a new way of explaining Splunk. Our goal is to find a way to explain the power of Splunk to solve specific problems, which we call recipes. In describing these recipes, we want to suggest to the reader ways that they can deepen their knowledge of what Splunk can do by referring to the ample and well organized body of documentation the details of how Splunk works. Both and are deep pools of knowledge. Associating the nuggets of these resources relevant to each recipe will make the recipe better and will also show the reader how much more there is to learn.

Our first goal is to explain the most common Splunk recipes that will accelerate the time to value. Then, we will expand this set of recipes as the Splunk community tells us what’s important.

I’ll be hanging out during the whole Splunk conference, so if you have a recipe idea, please send it along to

Initially, we will be focused on the following categories:

  • Basic Splunk techniques
  • Time chart/Chart/Stats recipes
  • Transaction recipes
  • Summary indexing recipes
  • Dashboard and App recipes

Our goal is to create a book that shows the power of recipes and then see where it goes.

I look forward to meeting many Splunk true believers at the conference and becoming one of the initiated.

Post by Dan Woods, our special guest blogger who will be gathering recipes this week at .conf2011
