Splunk has many capabilities for correlating events over time, by keyword, by dynamic transactions, and more. It also allows users to take action in an adhoc manner or via scheduled automated action. Does Splunk consider itself a CEP engine with the ability to identify patterns and complex events?
Absolutely. Splunk Enterprise Security Suite is an implementation of such a CEP. On a periodic basis, search jobs run that analyze events as they are stored in Splunk. ESS has rules that drive the creation of "notable events" -- those being the real "event" and not the "symptom". I liken a notable event to an earthquake. Log messages are not "events"; they are a recording of things that have happened in the infrastructure. In the same way, "the building is shaking" is not an event, whereas "an earthquake is happening" is the event -- comprised of many symptoms and data that classify it as an earthquake. The building could be shaking for many reasons, but when you are notified an earthquake is occurring, the reason is obvious. An earthquake is a complex event. In IT -- often in security -- Splunk ESS's "notable events" are the result of Complex Event Processing, these being descriptions of the actual event, which is made up of rules that have triggered off of many log messages.
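As an added illustration of the symptom-versus-event distinction in the answer above (example code added here; it is not from the original thread and is not Splunk ES code), the block below runs one correlation rule over a handful of constructed sshd log lines. The individual "Failed password" lines are the symptoms; the rule turns a burst of failures followed by an accepted login from the same source into a single notable event that carries the contributing raw lines. In ES this logic would live in a scheduled correlation search; the Python stand-in, the rule name, the threshold of five failures and the 60-second window are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not taken from the original page).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd[1201]: Failed password for root from 203.0.113.7 port 50001 ssh2
2024-03-01T10:00:03Z sshd[1202]: Failed password for admin from 203.0.113.7 port 50002 ssh2
2024-03-01T10:00:05Z sshd[1203]: Failed password for root from 203.0.113.7 port 50003 ssh2
2024-03-01T10:00:08Z sshd[1204]: Failed password for deploy from 203.0.113.7 port 50004 ssh2
2024-03-01T10:00:10Z sshd[1205]: Failed password for root from 203.0.113.7 port 50005 ssh2
2024-03-01T10:00:14Z sshd[1206]: Accepted password for deploy from 203.0.113.7 port 50006 ssh2
2024-03-01T10:05:00Z sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-03-01T10:05:30Z sshd[1301]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class LogEvent:
    """One raw log line: a symptom, not yet an event."""
    ts: datetime
    outcome: str
    user: str
    src: str
    raw: str


@dataclass
class NotableEvent:
    """The complex event a rule produces from many log lines."""
    rule: str
    src: str
    user: str
    first_seen: datetime
    last_seen: datetime
    failures: int
    contributing: list = field(default_factory=list)


def parse(log_text):
    """Extract the fields the rule needs; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(LogEvent(ts, m["outcome"], m["user"], m["src"], line))
    return events


def brute_force_then_success(events, min_failures=5, window=timedelta(seconds=60)):
    """Hypothetical rule: at least `min_failures` failed logins from one source
    within `window`, followed by an accepted login from that same source while
    the failures are still inside the window."""
    by_src = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_src.setdefault(e.src, []).append(e)

    notables = []
    for src, evs in by_src.items():
        recent_failures = []
        for e in evs:
            # Drop failures that have aged out of the sliding window.
            recent_failures = [f for f in recent_failures if e.ts - f.ts <= window]
            if e.outcome == "Failed":
                recent_failures.append(e)
                continue
            # An accepted login: fire only if enough failures preceded it.
            if len(recent_failures) >= min_failures:
                notables.append(NotableEvent(
                    rule="brute_force_then_success",
                    src=src,
                    user=e.user,
                    first_seen=recent_failures[0].ts,
                    last_seen=e.ts,
                    failures=len(recent_failures),
                    contributing=[f.raw for f in recent_failures] + [e.raw],
                ))
            recent_failures = []  # a success ends the current chain either way
    return notables


def run_correlation(log_text):
    """One pass of the 'scheduled search': parse, apply the rule, return notables."""
    return brute_force_then_success(parse(log_text))


if __name__ == "__main__":
    for n in run_correlation(SAMPLE_LOG):
        span = int((n.last_seen - n.first_seen).total_seconds())
        print(f"NOTABLE {n.rule}: {n.src} -> {n.user}, {n.failures} failures in {span}s")
        for raw in n.contributing:
            print("   ", raw)
```

Only the 203.0.113.7 burst becomes a notable event; the single failure from 198.51.100.4 stays a symptom. The notable keeps the raw lines that triggered it, which is the property an analyst wants when they open it: the "earthquake" is reported once, with the "shaking" attached as evidence.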
Is Splunk's CEP engine homegrown? Or is it using an open-source CEP engine, such as EsperTech?
Thank you, Michael! Nice analogy.
The human being is the complex engine - well, some human beings. Splunk is the facilitator.
Question sounds like a trap. We know what Splunk does and how it does it. The definition of CEP is somewhat fluid and "being used as a CEP engine" even more so. There is a class of items that is commonly considered CEP, and they have certain characteristics in common. Does Splunk have enough of those characteristics that you want to call it that? I don't know, but I don't think that the labeling really matters. Can Splunk handle and process the events the way you need them to be handled and processed, and let you define rules in an acceptable way? That seems like a more substantial question.