Splunk Enterprise Security

Can Splunk be used as a Complex Event Processor (CEP)?

hulahoop
Splunk Employee

Splunk has many capabilities for correlating events over time, by keyword, by dynamic transactions, and more. It also allows users to take action in an adhoc manner or via scheduled automated action. Does Splunk consider itself a CEP engine with the ability to identify patterns and complex events?

1 Solution

Michael_Wilde
Splunk Employee

Absolutely. Splunk Enterprise Security Suite is an implementation of such a CEP. On a periodic basis, search jobs run that analyze events as they are stored in Splunk. ESS has rules that drive the creation of "notable events" -- those being the real "event" and not the "symptom". I liken a notable event to an earthquake. Log messages are not "events", they are a recording of things that have happened in the infrastructure. In the same way "the building is shaking" is not an event, whereas "An earthquake is happening" is the event--comprised of many symptoms and data that classify it as an earthquake. The building could be shaking for many reasons, but when you are notified an earthquake is occurring, the reason is obvious. An earthquake is a complex event. In IT--often in security, Splunk ESS's "notable events" are the result of Complex Event Processing--these being descriptions of the actual event, which is made up of rules that have triggered off of many log messages.
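The "many symptoms, one event" idea in the answer above, as an added toy illustration (not Splunk ES code): a correlation rule that looks back over a time window of log lines and emits a single notable event instead of one alert per log message. The log format, the 60-second window, the threshold of four failures and the rule name are all assumptions made up for the example.

```python
"""Toy correlation search: turn many log "symptoms" into one notable event.

Added illustration of the idea in the answer above, not Splunk ES code.
Hypothetical rule: at least THRESHOLD failed logins from one source within
WINDOW seconds, followed by a successful login from that same source, is one
notable event ("brute_force_then_success"), not several separate alerts.
"""
from collections import defaultdict

# Constructed sample log lines: "epoch_seconds action src user".
SAMPLE_LOGS = """\
1000 failure 10.0.0.5 alice
1010 failure 10.0.0.5 alice
1015 failure 10.0.0.5 bob
1020 failure 10.0.0.5 alice
1030 success 10.0.0.5 alice
1500 failure 10.0.0.9 carol
1520 success 10.0.0.9 carol
2000 failure 10.0.0.5 alice
2100 failure 10.0.0.5 alice
"""

WINDOW = 60      # seconds of history the rule looks back over
THRESHOLD = 4    # failures that must precede the success


def parse(lines):
    """Parse raw log lines into (time, action, src, user) tuples, oldest first."""
    out = []
    for line in lines.splitlines():
        t, action, src, user = line.split()
        out.append((int(t), action, src, user))
    return sorted(out)


def correlate(lines, window=WINDOW, threshold=THRESHOLD):
    """Return notable events; each one summarises the symptoms that triggered it."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    notables = []
    for t, action, src, user in parse(lines):
        if action == "failure":
            failures[src].append(t)
        elif action == "success":
            recent = [f for f in failures[src] if t - f <= window]
            if len(recent) >= threshold:
                notables.append({
                    "rule": "brute_force_then_success",
                    "src": src, "user": user, "time": t,
                    "symptoms": len(recent),   # how many log lines fed this event
                })
                failures[src].clear()   # do not re-alert on the same burst
    return notables
```

Run against the sample, the nine log lines collapse into exactly one notable event for 10.0.0.5; the isolated failure from 10.0.0.9 and the later failures with no success produce none.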

shalin
New Member

Is Splunk's CEP engine homegrown? Or is it using an open-source CEP engine, such as EsperTech?

hulahoop
Splunk Employee

Thank you, Michael! Nice analogy.

araitz
Splunk Employee

The human being is the complex engine - well, some human beings. Splunk is the facilitator.

gkanapathy
Splunk Employee

Question sounds like a trap. We know what Splunk does and how it does it. The definition of CEP is somewhat fluid and "being used as a CEP engine" even more so. There is a class of items that is commonly considered CEP, and they have certain characteristics in common. Does Splunk have enough of those characteristics that you want to call it that? I don't know, but I don't think that the labeling really matters. Can Splunk handle and process the events the way you need them to be handled and processed, and let you define rules in an acceptable way? That seems like a more substantial question.
