Splunk 4 Analytics: Installation and First Impressions
Splunk 4 is a server-side Information Technology (IT) tool designed to monitor and analyze a server systems architecture. Tools such as Webmin or raw logfiles are great for analyzing problems; however, Splunk takes logfile and data analysis to a new level. View a product demonstration video: http://www.splunk.com/view/SP-CAAAEZY
Let's get right to it, shall we? Splunk is free, but the free version comes with restrictions. It includes real-time indexing, reporting, personal dashboards, APIs, and more. The real drawback of the free license is the 500MB/day indexing-volume limit. The Enterprise version starts at $5,000 (US Dollars) and supports multi-user, distributed deployments with monitoring, alerting, and role-based access controls. Unless you are a business with $5,000 or more to spend on an IT monitoring tool, the free personal version will do just fine.
For this review, the installation used a .deb package (also available as a .tar and .rpm), which was 48.1MB. Hardware specifications for the test machine included 4GB DDR2 RAM, a 3000 series 2.3GHz Xeon processor, and a 7200RPM SATA RAID1 array running Ubuntu. The Splunk data sheet indicates a minimum hardware requirement of Linux kernel 2.6+ and a 2*3.4GHz CPU with 4GB minimum RAM. Supported browsers include Firefox 2.0+ and Safari 4. Splunk is supported on Mac, Linux, and Windows.
Once you sign up and download your .deb, install Splunk with
dpkg -i splunk_package_name.deb
The installation does not actually begin until you start the splunkd daemon using the command below.
/opt/splunk/bin/splunk start
Once you accept the license, the package installs and the web interface is available on http://hostname:8000.
The default login and password are admin:changeme. If you are concerned about something and need to uninstall Splunk, do so by using the following command.
dpkg -r splunk, or purge with dpkg -P splunk
The initial view of Splunk is impressive and I had zero problems with getting things started.
The user interface (UI) is clean and relatively simple to use. The product is really tailored to the IT professional or serious home web server enthusiast. The serious hardware requirements and the detailed interface and console options will take several days of solid learning to get a firm handle on. Splunk has a detailed Manager, or control panel, for managing every aspect of your server architecture.
Initially, I had jumped right in and attempted to master Splunk. I quickly returned to the user community and documentation for further guidance. The documentation and support offered are clear and available without cost. With 30 minutes invested, I configured the test machine for logfile analysis and detection of port 80 requests, and carried out a variety of data searches.
After enabling the *nix Application, I took a look at my system hardware. If I had a test machine that utilized more than one piece of hardware, I believe that the results would look a bit different. However, I am certain that Splunk has the ability to independently analyze all installed hardware in the IT architecture. Splunk is hardware intensive, as noted by my CPU analysis using Splunk and htop. Even at idle, Splunk uses too many system resources for my taste.
Conclusion: Splunk quickly and accurately detects, monitors, and searches server data. I am pleased with the overall speed and detailed analysis that it provides. However, I am unable to rationalize its use on my production server because of the high system requirements. I would, however, recommend this product for individuals or groups with a powerful tower server (Intel i5 or better) or a rack server. The hardware and RAM requirements make this product a likely system hog for the typical home-based server enthusiast. My RAM usage increased by approximately 100MB, and my processors stopped the workout when Splunk was at idle, as shown in the htop images above and below. I guess it is time to upgrade?! Download a .zip of all the screenshots.
Hi there – Simon from Splunk here. If you don’t want to put any load on your production boxes, make sure you look into running Splunk as a lightweight forwarder. Splunk will collect the local data and securely send it over the wire to another Splunk instance which will do the indexing.
More: http://www.splunk.com/base/Documentation/4.0.6/Admin/Setupforwarding
Happy Splunking!
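A minimal forwarder-to-indexer configuration for the split Simon describes, added here as an illustration rather than taken from the post or from Splunk's documentation. The host name, port, group name, certificate paths and passphrase are assumptions; the stanza and key names are the Splunk 4.x outputs.conf and inputs.conf names as best I know them, so confirm them against the forwarding documentation linked above for your version.

```ini
# --- On the production box (lightweight forwarder):
# $SPLUNK_HOME/etc/system/local/outputs.conf
# Send all collected data to the "indexers" group instead of indexing locally,
# so the production machine only reads and ships logs.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
# Assumed indexer host; 9997 is the conventional Splunk receiving port.
server = splunk-indexer.example.com:9997
# Encrypt the link and verify the indexer's certificate. Without this the
# log data (usernames, client IPs, session ids) crosses the network in the clear
# and the forwarder will happily talk to anything answering on that port.
sslCertPath = $SPLUNK_HOME/etc/auth/forwarder.pem
sslPassword = <forwarder-key-passphrase>
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = true

# --- On the dedicated indexing box:
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Accept only SSL-wrapped forwarder connections on 9997 and require the
# forwarder to present a certificate signed by the same assumed CA, so an
# unauthenticated host cannot inject fake events into the index.
[splunktcp-ssl:9997]

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
password = <indexer-key-passphrase>
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
requireClientCert = true
```

Restart splunkd on both hosts after editing, and firewall port 9997 on the indexer so that only the forwarder hosts can reach it.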
[...] your cross-platform infrastructure. My previous review of Splunk 4.0 in November of 2009 is here (http://nwlinux.com/blog/splunk4-analytics-installation-and-first-impressions/). Splunk operates on a variety of platforms including Solaris, Itanium, XP, 2008 MS, Vista, Linux, [...]