Splunk
Category: Data Management/Storage

Splunk is search software designed specifically for indexing and analyzing data center and/or individual server data, such as logs, configuration files, message queues, and more.
product submission by EITPlanet Staff

The Splunk interface is accessed through a Web browser and provides a search facility for the IT data being examined: keywords can be typed in and Boolean options supplied (for example, find events matching a particular term that additionally do not contain a second term) to locate specific events or data entries across the many logs and data files of the target system(s). Splunk automatically classifies data sources and events, and automatically correlates information based on values within the events themselves.

The vendor states that IT data can be fed into Splunk from any source, including log files, FIFO queues, network ports, databases, and other Splunk servers (Enterprise only). Compressed copies of the indexed data are stored in the Splunk repository along with the indexes themselves, so the data remains available even if the original source files are removed, in an architecture the vendor describes as closer to a search-engine model than to a relational database. Old data can be deleted automatically based on age and disk usage.

The platform attempts to find timestamps automatically in the input. For events that do not appear to carry a timestamp, it uses the last valid timestamp seen; if no timestamp has been seen at all, it assumes the data is arriving in real time and applies the current time. Dates can also be read from the input file names.

Any search can be saved and scheduled to re-run, with alerting (formerly called "Live Splunks" in previous versions). Alert conditions can be based on thresholds or deltas in the number of events, sources, and hosts, with alerts sent by RSS or e-mail or by triggering a shell script. Splunk is available in a free version (with the features described above, supporting up to 500 MB/day of indexing) and in commercial versions.
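The timestamp fallback rule described above (parse a timestamp from the event if present, otherwise reuse the last valid one, otherwise assume real-time input and use the current time, with the file name as an extra source of dates) is worth seeing on concrete lines, because it is exactly where continuation lines and malformed dates get mis-stamped and then sort into the wrong place during an investigation. The following is an added illustration written for this page, not Splunk's own code; the timestamp shape it recognises, the file-name date pattern, the `origin` labels and the sample log lines are all assumptions constructed for the example.

```python
"""Added illustration of the timestamp-assignment fallback described on the page.

Rule: use a timestamp parsed from the event if there is one; otherwise reuse the
last valid timestamp seen; if none has been seen yet, fall back to a date carried
in the file name (assumption for this example) and finally to the current time.
This is example code, not Splunk's implementation.
"""
import re
from datetime import datetime, timezone

# Assumption: one recognised timestamp shape, "YYYY-MM-DD HH:MM:SS" or with a "T".
_TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")
_TS_FMT = "%Y-%m-%d %H:%M:%S"
# Assumption: a date embedded in a file name such as app-2024-03-05.log.
_FILENAME_DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def extract_timestamp(line):
    """Return the first valid timestamp in the line as a UTC datetime, or None.

    A string that merely has the right shape (e.g. month 13) is rejected, so the
    caller falls back instead of indexing an impossible time.
    """
    m = _TS_RE.search(line)
    if not m:
        return None
    text = m.group(0).replace("T", " ", 1)
    try:
        return datetime.strptime(text, _TS_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def date_from_filename(filename):
    """Return midnight UTC of a date found in the file name, or None."""
    m = _FILENAME_DATE_RE.search(filename)
    if not m:
        return None
    year, month, day = (int(x) for x in m.groups())
    try:
        return datetime(year, month, day, tzinfo=timezone.utc)
    except ValueError:
        return None


def assign_timestamps(lines, filename="", now=None):
    """Stamp every line, returning (timestamp, origin, line) triples.

    origin is one of "parsed", "previous", "filename" or "now", so a reviewer can
    see which events were stamped by inference rather than from their own text.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    seed = date_from_filename(filename)
    last_seen = None
    stamped = []
    for line in lines:
        ts = extract_timestamp(line)
        if ts is not None:
            last_seen = ts                      # a real timestamp: remember it
            stamped.append((ts, "parsed", line))
        elif last_seen is not None:
            stamped.append((last_seen, "previous", line))   # inherit last valid
        elif seed is not None:
            stamped.append((seed, "filename", line))        # date from the file name
        else:
            stamped.append((now, "now", line))              # assume real-time input
    return stamped


# Constructed sample input: an ssh login, a multi-line continuation without a
# timestamp, a second event, and a line whose date has the right shape but is invalid.
SAMPLE_LINES = [
    "2024-03-05 10:00:00 sshd[4711]: Accepted publickey for alice from 192.0.2.10",
    "    continuation: key fingerprint SHA256:EXAMPLE",
    "2024-03-05T10:00:07 sshd[4711]: pam_unix(sshd:session): session opened for user alice",
    "2024-13-40 00:00:00 app: malformed date, should inherit the previous timestamp",
]

if __name__ == "__main__":
    for ts, origin, line in assign_timestamps(SAMPLE_LINES):
        print(f"{ts.isoformat()}  {origin:8s}  {line}")
```

When reviewing indexed data, the `origin` label is the useful part: events stamped "previous" or "now" were never timestamped by their own content, so their order relative to neighbouring events is an inference, not evidence.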
Called Splunk Enterprise, the commercial version adds features targeted primarily at processing and managing information in large data center environments: higher daily index volumes, distributed search and clustering, multi-user role-based access controls, support contracts, and a deployment server that provides centralized management and control of distributed Splunk deployments across large numbers of servers.

Key new features in the latest release of Splunk include:

- Interactive, real-time reporting, including the ability to visualize results as bar, line, pie or other kinds of charts and to view and sort the results table.
- Support for personalized dashboards; initial dashboards can be defined for each role, with individual user customization supported. Any report, chart, search or alert can be placed onto a dashboard.
- Expanded search language, with support for correlation between the results of multiple searches.
- Support for scheduling and indexing the output of any shell script or command-line action.
- 64-bit support.
- Support for wildcards in the middle of search strings, and for quoted search strings.

Splunk is available now in Free and Enterprise versions. Splunk Enterprise starts at $5,000 annually (peak daily volume up to 500 MB) for the software, plus a one-year Splunk Plus Support contract ($1,000). A 30-day trial of the Enterprise version is also available. Visit the Splunk Web site for further information.