Splunk Enterprise 5, the latest version of the company's flagship big data indexing and analysis product, promises faster search and reporting capabilities than previous versions, the company has said.
Splunk could not offer benchmarking evidence to back its claim of faster reporting in Enterprise 5, but said on Wednesday that ad hoc report generation over large enterprise environments, including cloud infrastructure, could run up to a thousand times faster than in Splunk Enterprise 4.x.
"An ad hoc report on 'Web Errors broken out by URL and WebServer over the Last Month' in a large multi-data centre web environment across multiple terabytes of data might take 30 minutes to run [in Splunk 4.x]," Splunk's EMEA senior director of technical services DJ Skillman told SC Magazine UK on Wednesday. "With report acceleration in Splunk Enterprise 5, that same report would render in less than two seconds."
In Splunk Enterprise 4.x, skilled users could refine searches to save time, but "most users didn't have the skill set required", said Skillman.
"Now it's as simple as selecting the report acceleration button in the report builder to invoke the patent pending technology to get things back faster than previously possible, with or without the search skills," said Skillman.
PDFs of reports can be generated with a button in Splunk Enterprise 5, and PDFs can be scheduled to be shared with colleagues, said Skillman. Security professionals in large organisations may want to build reports that aggregate data such as firewall, IDS, authentication or anti-malware log events, to spot trends or deviations, said the company.
Splunk Enterprise 5 allows drilldowns from one dashboard to another, without drilling down into raw data, said Skillman.
"Splunk Enterprise already provided the ability to search, analyse and visualise machine data on tablets, smartphones, laptops and non-flash browsers," said Skillman. "In Splunk Enterprise 5 we provide the ability to integrate simple workflows into dashboards, so users can click through to another dashboard, form, view or external website and carry forward any relevant context."
The product lets security professionals control where a user's drilldown from a dashboard leads, for example to another dashboard rather than into the raw machine data behind it, the company said in a blog post on Monday.
Access to raw company data can be controlled for compliance purposes, said the company. For example, a user can click on a link that lists security events in progress, and be taken to a case management system for the detail behind a specific attack, without being able to access the raw data about the attack.
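The drilldown described above, written out as an added example in Splunk Enterprise 5 simple XML dashboard syntax; this is not code from the article or from Splunk. The saved report name, the index and field names and the case-management URL are assumptions for illustration. The panel references a saved report (so report acceleration, which applies to saved reports, serves the panel) and sends a clicked row to an external case system with the row's fields carried as `$row.<field>$` tokens, instead of the default behaviour of opening the underlying raw events.

```xml
<!-- Added example dashboard in Splunk Enterprise 5 simple XML; not from the
     article or from Splunk. The saved report name, the index/field names and
     the case-management URL are assumptions for illustration. -->
<dashboard>
  <label>Security events in progress</label>
  <row>
    <table>
      <title>Firewall denies by source, last 24 hours</title>
      <!-- Reference a saved report rather than an inline search so that
           report acceleration, enabled on the saved report, serves the panel. -->
      <searchName>Firewall denies by source</searchName>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
      <option name="drilldown">row</option>
      <!-- Clicking a row opens the case system with the row's fields carried
           as context; the user is not taken to the raw firewall events. -->
      <drilldown>
        <link target="_blank">https://cases.example.com/search?src_ip=$row.src_ip$&amp;dest_port=$row.dest_port$</link>
      </drilldown>
    </table>
  </row>
</dashboard>
```

The saved report this assumes is a transforming search such as `index=firewall action=blocked | stats count by src_ip, dest_port`, with report acceleration switched on in the report's settings (`auto_summarize = 1` in savedsearches.conf); acceleration only applies to searches that end in a transforming command like `stats`, `chart` or `timechart`. One caveat a practitioner should keep in mind: the drilldown link only steers the click. If the user's role is still allowed to search `index=firewall` directly, they can reach the raw events from the search bar, so the compliance control described above also needs the role's `srchIndexesAllowed` in authorize.conf to exclude that index.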
Splunk Enterprise 5, which was made generally available on Tuesday, has a feature called 'index replication' designed to make data more resilient and more available during search. Splunk indexers can be grouped to replicate each other's information, said the company.