Strengths: Intuitive interface, expansive documentation
Weaknesses: No functions specifically for forensic analysis and management of logs
Verdict: Powerful yet simple log aggregation, definitely worth a look
Where a normal search engine would let you search the web, Splunk is advertised as a software solution that indexes and searches all information in your data centre environment, giving easier access to logging utilities for incident response and network forensics.
Installation is simple, asking only whether or not to log data from the current machine. Splunk supports many log types and logging utilities from which it can monitor, analyse and correlate data. The interface is intuitive and easy to navigate, and it takes little time to understand and use the basic features. The management system is hassle-free - from adding data inputs to adding users.
Users can be restricted to specific datasets and to displaying correlations of them. There are features for presenting data as graphs and charts, making it easier to grasp as well as to explain to others. The product also has a "live tail" feature, letting you view all incoming logs in near real time. In our test bed, Splunk performed very well, with searches taking seconds.
Splunk has basic, free support options as well as paid options. At no cost there are support forums, email and online ticket-based systems; IRC support channels are also provided. Enterprise support is available at 20 per cent of the list price.
Global support, at 30 per cent of the cost, gives 24/7 phone support, "Customer Success Management" and quarterly account status reviews.
There are several options for documentation - from a community wiki to video help and product roadmaps - and it is easy to understand and navigate. There are also FAQs and several cheat-sheets to help a beginner administrator or user.
Depending on the level of support needed and the amount of logging required, the enterprise licensing may be worth it: the free Splunk Basic can handle up to 500MB of data, but if more is needed, the enterprise edition is a must-have, starting at £9,475.
Splunk is an excellent and efficient product for aggregating the logs in your entire IT infrastructure, whether for security, network, event or general log management. However, it must be used with other forensic tools, since it is not really a forensic tool in its own right.