
How reliable is the statistical information Splunk Enterprise provides from log data?


There is a video that explains Splunk Enterprise's ability to aggregate data, e.g. the totals for the highest-selling products:
Product Name : Total Sales : Number of Products

Will these values match the actual database tables?
Does this mean the application should ensure that a logging mechanism is in place?



I am not sure I understand the question, though it sounds like you have a very specific "thing" you want to ask about, so let me try to get some more clarity. Please note none of this is criticism, just questions. Sometimes terminology is our only real problem.

Yes, Splunk can aggregate data as you mention. It does this in a very sane and predictable manner and ends up with the numbers you would expect. [see note 1]
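For instance, an aggregation like the one in that video is a single stats command in Splunk's search language. (The index, sourcetype, and field names below are invented for illustration; yours will differ.)

```
index=sales sourcetype=transactions
| stats sum(price) AS total_sales, count AS num_products BY product_name
| sort - total_sales
```

stats computes its sums and counts over exactly the events the search matched, so for a given dataset and time range the results are deterministic.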

So, what database tables would it match or not match? Splunk's own? (It doesn't use a database as you think of it, but if it didn't match its own data then something's very wrong). Some other DB? (In which case yes, it would, anything else would mean something's broken as well). [also see note 1]

"Should the application ensure that logging mechanisms should be in place?" Could you describe this more fully? What application, what logging mechanisms, and to what effect would they be put to? Why wouldn't this BE the primary data source Splunk is ingesting? [see note 2]

If you have a more specific question to ask, like about a certain type of data you may want to use Splunk for, just ask!

Note 1: Average, sum, and much more complex calculations can be done and they do what you'd expect. There's a whole list of statistical and charting commands available. There's a whole list of search commands available, too (look down the left of that link) (to handle events with multiple values, to generate stream statistics instead of time-chunk or overall statistics, to create and read lookup files to maintain certain types of data, to extract more information, to group things in various ways and about a thousand other things). When you run out of those, you can continue building complexity (or simplifying!) using eval and its myriad options. You can build data models or summary statistics, each of which is a whole lengthy topic in itself but can perform calculations, rollups and all sorts of wonderful things. All this to be able to slice and dice and present your data in an understandable, useful way in a chart, graph, dashboard, or wherever. With the right numbers. 🙂
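To sketch how those layer together (again, the index, sourcetype, and fields are made up for the example), you can chain stats with eval and eventstats to build calculations on top of calculations:

```
index=sales sourcetype=transactions
| stats sum(price) AS total_sales, count AS units BY product_name
| eval avg_price = round(total_sales / units, 2)
| eventstats sum(total_sales) AS grand_total
| eval pct_of_total = round(100 * total_sales / grand_total, 1)
| sort - total_sales
```

Each pipe hands the previous command's result table to the next, which is what makes this kind of incremental slicing and dicing so natural.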

Note 2: The largest use case for Splunk is probably in ingesting logfiles of some sort: log files written by applications, sent to a syslog server from firewalls, load balancers, spam filters, or event logs from Windows systems sent or retrieved by various methods. Other ways exist to get data in, though, like directly reading a database, querying external systems via scripts and/or an API (one of many examples), getting information in from AD or LDAP and so on. (All those are just examples - there are thousands of apps to get data from thousands of different places!)
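As a concrete (hypothetical) illustration of the file-monitoring case, getting such logs in can be as simple as a couple of stanzas in inputs.conf — the paths, index, and sourcetype names below are examples only:

```
# inputs.conf (example values throughout)

# Tail every .log file an application writes to this directory
[monitor:///var/log/myapp/*.log]
index = sales
sourcetype = myapp_transactions

# Accept syslog traffic forwarded from network devices
[udp://514]
sourcetype = syslog
```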

This data all gets indexed, stored, parsed, transformed and normalized to various extents to ... well, do whatever you want. Often it's to sort of "homogenize" it so that you can search and correlate various pieces of data together. Like if you rename user, Username, User Name, UserName, Name, OperatorName and so on all to "user" (or whatever), then have various lookup files to indicate which user each actually points to so that you can report on what Jane Smith is doing, everywhere, regardless of what her username may be in disparate systems. Sometimes it's not homogenized but stored for audit trails - the monitoring of which is SO much easier in Splunk! The purposes are endless.
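A sketch of that normalization idea at search time (the sourcetypes, field names, and lookup name are all invented for the example):

```
sourcetype=app_a OR sourcetype=app_b OR sourcetype=vpn
| eval user = coalesce(user, Username, 'User Name', UserName, Name, OperatorName)
| lookup identities user OUTPUT real_name
| stats count BY real_name, sourcetype
```

coalesce() takes the first non-null value among the variant field names, and the lookup maps each system-specific username back to one person, so the final stats reports on Jane Smith regardless of which system each event came from. (In practice you'd often do the renaming with field aliases instead, but the effect is the same.)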

And that's only the smallest sliver of what you can do! Sorry, I may have gotten excited there, please excuse me. 🙂