Splunk Enterprise Security

Can Splunk be used as a Complex Event Processor (CEP)?

Splunk Employee

Splunk has many capabilities for correlating events over time, by keyword, by dynamic transactions, and more. It also allows users to take action in an adhoc manner or via scheduled automated action. Does Splunk consider itself a CEP engine with the ability to identify patterns and complex events?

1 Solution

Splunk Employee

Absolutely. Splunk Enterprise Security Suite is an implementation of such a CEP. On a periodic basis, search jobs run that analyze events as they are stored in Splunk. ESS has rules that drive the creation of "notable events" -- those being the real "event" and not the "symptom". I liken a notable event to an earthquake. Log messages are not "events"; they are a recording of things that have happened in the infrastructure. In the same way, "the building is shaking" is not an event, whereas "an earthquake is happening" is the event -- comprised of many symptoms and data that classify it as an earthquake. The building could be shaking for many reasons, but when you are notified an earthquake is occurring, the reason is obvious. An earthquake is a complex event. In IT -- often in security -- Splunk ESS's "notable events" are the result of Complex Event Processing, these being descriptions of the actual event, which is made up of rules that have triggered off of many log messages.

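As an added illustration (not part of the original thread, and not Splunk's own code), here is a small Python sketch of the kind of rule the answer describes: many "symptom" log messages are collapsed into one notable event. The log lines, field names, window and threshold are constructed for the example; a real ES correlation search would be written in SPL and run on a schedule.

```python
"""Toy CEP-style correlation: many symptoms -> one notable event."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): auth attempts with
# a timestamp followed by key=value fields.
SAMPLE_LOGS = """\
2024-01-01T10:00:01 src=10.0.0.5 user=alice action=failure
2024-01-01T10:00:05 src=10.0.0.5 user=alice action=failure
2024-01-01T10:00:09 src=10.0.0.5 user=alice action=failure
2024-01-01T10:00:20 src=10.0.0.5 user=alice action=success
2024-01-01T10:05:00 src=10.0.0.9 user=bob action=failure
2024-01-01T10:05:30 src=10.0.0.9 user=bob action=success
"""


def parse(line):
    """Turn one raw log line into a dict of fields plus a _time datetime."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["_time"] = datetime.fromisoformat(ts)
    return fields


def correlate(log_text, threshold=3, window=timedelta(seconds=60)):
    """Rule (hypothetical): >= threshold failures for one (src, user) within
    `window`, followed by a success from the same pair, fires one notable."""
    failures = defaultdict(list)  # (src, user) -> failure timestamps
    notables = []
    for line in log_text.splitlines():
        ev = parse(line)
        key = (ev["src"], ev["user"])
        if ev["action"] == "failure":
            failures[key].append(ev["_time"])
        elif ev["action"] == "success":
            recent = [t for t in failures[key] if ev["_time"] - t <= window]
            if len(recent) >= threshold:
                notables.append({
                    "rule": "brute_force_then_success",
                    "src": ev["src"], "user": ev["user"],
                    "failure_count": len(recent),
                    "first_seen": recent[0].isoformat(),
                    "_time": ev["_time"].isoformat(),
                })
            failures[key].clear()  # a success closes the window for that pair
    return notables


if __name__ == "__main__":
    for notable in correlate(SAMPLE_LOGS):
        print(notable)
```

Six log lines go in; one notable event comes out, and the one-off failure for bob never surfaces as an alert.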

New Member

Is Splunk's CEP engine homegrown? Or is it using an open-source CEP engine, such as EsperTech?



Splunk Employee

Thank you, Michael! Nice analogy.


Splunk Employee

The human being is the complex engine - well, some human beings. Splunk is the facilitator.

Splunk Employee

Question sounds like a trap. We know what Splunk does and how it does it. The definition of CEP is somewhat fluid and "being used as a CEP engine" even more so. There is a class of items that is commonly considered CEP, and they have certain characteristics in common. Does Splunk have enough of those characteristics that you want to call it that? I don't know, but I don't think that the labeling really matters. Can Splunk handle and process the events the way you need them to be handled and processed, and let you define rules in an acceptable way? That seems like a more substantial question.
