Re: Splunk as a general purpose data store?

rogeralsing · ‎09-05-2016

Can, or rather should I use Splunk as a general purpose data store?

We already use Splunk for logging and metrics and ingest about 100 gigs of data per day.

But the question have been brought up, if we need to do general purpose free text searches or structural searches from our line of business applications.
Is storing that data in Splunk a viable option?
If so, even long term storage?

Another usecase, if we do event sourcing (http://www.martinfowler.com/eaaDev/EventSourcing.html?s_tact=C43202QW)
Can Splunk be used as an event stream for that?

Or are the above usecases better suited for other tools?

//Roger

haley_swarnapat · ‎09-08-2016

Question> Splunk for general purpose free text searches or structural searches?
Splunk works best with time series data, while your use case might be more similar to master data management that changes often with update operation.
However you can all rows from DB everyday to Splunk using DB Connect Input Type = Batch if you want to, if it doesn't break your daily ingestion limit. With this, you will get all your data into Splunk, updated everyday.

Question> Can Splunk be used as an event stream for that? (event sourcing)
For the event sourcing you've mentioned, try STREAMSTATS command, the result will change as you change the time range of your search

rogeralsing · ‎09-08-2016

Anyone? .

Splunk as a general purpose data store?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?