Splunk Enterprise Security

Can Splunk be used as a Complex Event Processor (CEP)?

hulahoop
Splunk Employee

Splunk has many capabilities for correlating events over time, by keyword, by dynamic transactions, and more. It also allows users to take action in an ad hoc manner or via scheduled automated action. Does Splunk consider itself a CEP engine with the ability to identify patterns and complex events?

1 Solution

Michael_Wilde
Splunk Employee

Absolutely. Splunk Enterprise Security Suite is an implementation of such a CEP. On a periodic basis, search jobs run that analyze events as they are stored in Splunk. ESS has rules that drive the creation of "notable events" -- those being the real "event" and not the "symptom". I liken a notable event to an earthquake. Log messages are not "events", they are a recording of things that have happened in the infrastructure. In the same way "the building is shaking" is not an event, whereas "An earthquake is happening" is the event--comprised of many symptoms and data that classify it as an earthquake. The building could be shaking for many reasons, but when you are notified an earthquake is occurring, the reason is obvious. An earthquake is a complex event. In IT--often in security, Splunk ESS's "notable events" are the result of Complex Event Processing--these being descriptions of the actual event, which is made up of rules that have triggered off of many log messages.

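To make the "symptoms versus event" idea concrete, here is an added example (not code from the thread, and not Splunk's or ESS's own implementation) of the pattern the answer describes: a scheduled job reads raw log lines, a rule evaluates them over a time window, and only when the rule fires does a "notable event" come out. The log lines, the rule name `rule_failures_then_success`, the threshold and the window are all constructed for illustration.

```python
"""Toy complex-event processing in the style of a scheduled correlation search.

Raw log lines are the symptoms ("the building is shaking"); a rule that fires
over a window of them produces the notable event ("an earthquake").
Everything below is constructed sample data and illustrative code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines: an auth failure burst followed by a success
# from one source, plus benign noise from other sources and a line the
# parser cannot interpret at all.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T10:00:02 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T10:00:03 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T10:00:04 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T10:00:05 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T10:00:06 kernel: unrelated message that does not parse",
    "2024-03-01T10:00:07 sshd: Failed password for bob from 198.51.100.9",
    "2024-03-01T10:00:09 sshd: Failed password for bob from 198.51.100.9",
    "2024-03-01T10:00:30 sshd: Accepted password for alice from 203.0.113.7",
    "2024-03-01T10:01:00 sshd: Accepted password for carol from 192.0.2.5",
    "2024-03-01T10:05:00 sshd: Accepted password for bob from 198.51.100.9",
]

LOG_RE = re.compile(
    r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$"
)


def parse_line(line):
    """Turn one raw line into a symptom record, or None if it is not an auth event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "outcome": outcome,
        "user": user,
        "src": src,
    }


def rule_failures_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """Hypothetical rule: N or more failures from one source, then a success,
    all inside `window`. Returns one notable event per firing."""
    notables = []
    recent_failures = defaultdict(list)  # src -> failures still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        bucket = recent_failures[ev["src"]]
        # Age out failures that fall outside the window relative to this event.
        bucket[:] = [f for f in bucket if ev["ts"] - f["ts"] <= window]
        if ev["outcome"] == "Failed":
            bucket.append(ev)
        elif len(bucket) >= threshold:
            notables.append({
                "rule": "failures_then_success",
                "src": ev["src"],
                "user": ev["user"],
                "failure_count": len(bucket),
                "first_seen": bucket[0]["ts"],
                "last_seen": ev["ts"],
            })
            bucket.clear()  # do not re-fire on the same burst
    return notables


def run_correlation_search(lines):
    """What a periodic search job would do: parse everything, apply the rules,
    and hand back only the notable events, not the underlying log messages."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return rule_failures_then_success(events)


if __name__ == "__main__":
    for notable in run_correlation_search(SAMPLE_LOGS):
        print(notable)
```

Running it yields a single notable event for 203.0.113.7, with the five failures and the later success collapsed into one record; bob's two failures never reach the threshold, and his success arrives after those failures have aged out of the window, so no event is raised for that source. That collapsing of many symptoms into one actionable record is the behaviour the answer attributes to ESS notable events.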

shalin
New Member

Is Splunk's CEP engine homegrown? Or is it using an open-source CEP engine, such as EsperTech?


hulahoop
Splunk Employee

Thank you, Michael! Nice analogy.


araitz
Splunk Employee

The human being is the complex engine - well, some human beings. Splunk is the facilitator.

gkanapathy
Splunk Employee

Question sounds like a trap. We know what Splunk does and how it does it. The definition of CEP is somewhat fluid and "being used as a CEP engine" even more so. There is a class of items that is commonly considered CEP, and they have certain characteristics in common. Does Splunk have enough of those characteristics that you want to call it that? I don't know, but I don't think that the labeling really matters. Can Splunk handle and process the events the way you need them to be handled and processed, and let you define rules in an acceptable way? That seems like a more substantial question.
