# Splunk
Enterprise log management and SIEM.
# Features
| Feature | Description |
|---|---|
| Search | Powerful search language (SPL) |
| Dashboards | Custom visualizations |
| Alerts | Configurable notifications |
| SIEM | Security analytics |
# Search Examples (SPL)
```spl
# Search errors
index=main error

# Count by host
index=main | stats count by host

# Time chart
index=main | timechart count by source

# Extract fields
index=main | rex field=_raw "user=(?<username>\w+)"

# Top values
index=main | top limit=10 source
```
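The searches above are generic; the one below, added here and not part of the original page, chains the same building blocks (`rex`, `stats`, a time bucket and a `where` filter) into a typical SIEM detection: SSH password failures per source address in 10-minute windows. The sourcetype `linux_secure`, the sshd message format and the threshold of 20 are assumptions for illustration; adjust them to the data actually indexed.

```spl
# Brute-force style SSH password failures, grouped per source IP and 10-minute window
# (assumed sourcetype and message format: "Failed password for [invalid user ]NAME from IP port N ssh2")
index=main sourcetype=linux_secure "Failed password"
| rex field=_raw "Failed password for (?:invalid user )?(?<username>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| bucket _time span=10m
| stats count AS failures, dc(username) AS distinct_users BY _time, src_ip
| where failures >= 20
| sort - failures
```

`dc(username)` separates one account being hammered from a spray across many accounts; both exceed the threshold but usually get different response playbooks, so keeping the column in the alert output saves a follow-up search.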
# Universal Forwarder
```bash
# Install forwarder (download URL elided on the original page)
wget -O splunkforwarder.tgz 'https://download.splunk.com/...'
tar xvzf splunkforwarder.tgz

# Configure: point the forwarder at the indexer's receiving port and monitor a log directory
./splunkforwarder/bin/splunk add forward-server splunk-indexer:9997
./splunkforwarder/bin/splunk add monitor /var/log
```
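Once a forwarder is configured, the check a practitioner wants is that data keeps arriving, because a silently stopped forwarder is a blind spot for every search above. The search below is an added example, not from the original page: it uses the `metadata` command to list hosts that have written to `index=main` but have gone quiet. The 15-minute window is an assumption; pick one that matches how chatty your sources are.

```spl
# Hosts known to index=main whose newest event is older than 15 minutes (assumed threshold)
| metadata type=hosts index=main
| eval minutes_silent = round((now() - lastTime) / 60)
| where minutes_silent > 15
| table host, minutes_silent, totalCount
| sort - minutes_silent
```

Saving this as a scheduled alert turns forwarder outages into tickets instead of gaps discovered during an investigation.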
# Pricing
- Volume-based (GB/day)
- Free tier: 500MB/day
- Enterprise license

> [!TIP]
> Pro Tip: Splunk is powerful but expensive - consider Loki for cost-sensitive projects!