Network Computing is part of the Informa Tech Division of Informa PLC


Rollout: Splunk 3.0: Page 3 of 4

Event logs can be cryptic, and there may be no documentation about what events mean. Splunk's community portal, Splunkbase, serves as a knowledge storehouse for log and event data. In previous versions of Splunkbase, community members would upload events and provide descriptions about what they mean. Using Splunk 2.2, you could look up an event from the Splunk UI to see what is known about it. Splunkbase 3.0, which wasn't available during testing, will add the ability to share bundles with others.

Complex searches are fairly easy once you understand the search capabilities. From a global search, the time can be narrowed by highlighting the time period on the timeline window or selecting specific dates and times. You can also use search terms, but the manual was a bit sparse on this topic.



A number of modifiers, such as "top" or "count," will alter results, for example, showing the entries with the highest number of events, or simply counting the number of events. An interesting index is "punctuation," which is a template of how Splunk processes an event record. Some syslog entries can have specific formats. Rather than searching for keywords, a search on the punctuation will show all similar events regardless of source. It's a rather unique search method.
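To make the punctuation idea concrete, here is an added Python example (not code from the review and not Splunk's own implementation) that reduces constructed syslog lines to a punctuation skeleton, groups them by that skeleton regardless of host or source, and ranks the skeletons the way a "top" modifier would. The mapping of letters and digits to nothing and of whitespace to "_" is an assumed approximation of the template the article describes.

```python
from collections import Counter, defaultdict

# Constructed sample syslog events (illustrative only, not taken from the article).
SAMPLE_EVENTS = [
    "Oct 11 22:14:15 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Oct 11 22:15:02 host2 sshd[5678]: Accepted publickey for bob from 10.0.0.9 port 40001 ssh2",
    "Oct 11 22:16:40 host1 sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 22 ssh2",
    "Oct 11 22:17:01 host3 CRON[900]: (root) CMD (/usr/bin/run-parts /etc/cron.hourly)",
]


def punct_template(event: str) -> str:
    """Reduce an event to its punctuation skeleton.

    Letters and digits are dropped, each whitespace character becomes '_',
    and every other character is kept in order. This approximates the
    'punctuation' template described in the review; it is an assumption,
    not Splunk's actual algorithm.
    """
    skeleton = []
    for ch in event:
        if ch.isalnum():
            continue
        skeleton.append("_" if ch.isspace() else ch)
    return "".join(skeleton)


def group_by_punct(events):
    """Group events that share a punctuation template, whatever their source."""
    groups = defaultdict(list)
    for event in events:
        groups[punct_template(event)].append(event)
    return dict(groups)


def top_templates(events, n=3):
    """Behave like a 'top' modifier: the n most frequent templates with counts."""
    return Counter(punct_template(e) for e in events).most_common(n)


if __name__ == "__main__":
    for template, members in group_by_punct(SAMPLE_EVENTS).items():
        print(f"{template!r}: {len(members)} event(s)")
        for member in members:
            print("   ", member)
    print("top:", top_templates(SAMPLE_EVENTS, 1))
```

The two "Accepted publickey" lines from different hosts land in the same group, while the failed login and the cron entry each get their own skeleton.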

Log Rolling

Searching and indexing are Splunk's bread and butter. Not so with off-line archiving. The software has basic archiving features, but they may not be sufficient for companies that need robust, long-term log storage.

Data in Splunk moves through stages as it ages. Once it reaches what Splunk calls the frozen state, it is eligible to be deleted from the index. By editing a configuration file, frozen data can be archived with a file copy before it is permanently deleted. Before data reaches the frozen state, its database files can be moved once the directory has been locked. Archived data is restored by copying the database files into the thawed directory, which makes the data available to Splunk again.