What does Splunk do?

Splunk is a tool for storing, searching, and analyzing logs. Security teams are among its heaviest users (it is the engine behind a lot of SIEM deployments), but the product itself is general-purpose log analysis.

Splunk is a tool for analyzing log data. It helps take this:

Splunk raw log data display

And turn it into this: 

Splunk dashboard showing analyzed log data

$SPLK went public in 2012, and did $2.7B in revenue in 2022, so they’re not a small company by any stretch; accordingly, the product suite has expanded and today is pretty broad. The theme that ties everything together is analysis and visualization of machine data, or in other words, turning that nasty looking set of text into something a human can understand and use to make decisions.

At the core of what Splunk does is the concept of the log – a bunch of unstructured data about events that happened in your system or application, like a server failing, a request to an API being made, someone’s access being revoked; literally anything. So let’s dive into what exactly a log is, how they get generated, and why they’re important.

A brief exploration of the log


“In an ideal world I would have all ten fingers on my left hand so my right hand could just be a fist for punching.”

– Dwight Schrute 

In a really ideal world, all of the data we want to analyze would magically sit in perfectly manicured tables with nice column names and no missing data. Unfortunately, reality isn’t so rosy; data is only as good and clean as what generates it, and our systems can get pretty dirty. Data is really (usually) just a record of what happened, and the most popular way of generating and storing that today is a log. A log is just a line that says what happened, where, and when, and includes any necessary other information. 

There are logs for everything –  server logs, access and authorization logs, event logs, availability logs, resource logs…the list goes on. Let’s walk through a few examples.


Different types of logs

Here is a log that gets generated when someone makes an HTTP request to a web server:

[Apr 9, 2022 11:21:23 AM ] – 10.5.1.218 : GET /publications/technically HTTP/1.1 200

We’ve got (in order) a date and time, the client’s IP address (the machine that made the request), the HTTP method used (GET), the path requested, the HTTP version, and the response status code. 200 means everything went smoothly; the 4xx and 5xx codes are the ones you end up searching for later. Note that the version string reads HTTP/1.1 whether or not the request came in over TLS: whether it was “HTTPS” isn’t recorded in that field.

Here is a log that gets generated when someone tries to log in to a server over SSH and enters the wrong password:

[Apr 9, 2022 11:21:24 AM ] adc1 sshd[41458] : Failed password for root from 192.168.1.3

Same idea, different fields: after the timestamp come the hostname (adc1), the process that wrote the line and its process ID (sshd[41458]), and a message naming the account that was tried and the IP address it was tried from. A few hundred of these from the same IP in a few minutes is what a brute-force attempt looks like in the logs.

And here’s a log that gets generated when Docker can’t connect to a socket properly:

[Apr 9, 2022 11:21:25 AM ] com.docker.osxfs Unexpected exception: Socket.Closed

You get the idea – every micro interaction with a computer system usually gets logged in a format like this. The nuances of exactly how these logs are structured vary from system to system, but the basics are the same: when, where, what. Even databases – our last bastion of nice, structured data – are held together by a log underneath: most engines append every change to a write-ahead log before they touch the tables, and replay that log to recover after a crash.

Log storage

When a log gets generated, it immediately gets stored somewhere so teams can look at it later on. It’s a lot simpler than you might think: most web servers literally just append lines to files in a folder on the server, typically somewhere under /var/log (Apache and nginx, for instance, write their access and error logs there by default). Even Kubernetes – the granddaddy of overcomplicated orchestration frameworks – writes container logs to plain files under /var/log on each node by default (the kubelet keeps them under /var/log/pods). If things are running locally, you could actually navigate to these files in Finder or a terminal and open them in a text editor.

That folder is rarely the final destination for these logs, though. You can break log storage into two categories:

  • Temporary log storage – logs only get stored for a short time. Usually reserved for logs that are only useful during a particular period of work (e.g. installing software).

  • Persistent log storage – logs get extracted into some sort of long term storage, like a database or object store, for later analysis. For security teams this matters doubly: an attacker who gains control of a host can edit or delete the logs sitting on it, so the copy that was shipped off the box is the one you can trust during an investigation.

The fun part starts when it’s time to analyze these logs. The command line is a powerful interface, but admittedly not for everyone: how do you search through your thousands (millions?) of logs to find the one you’re looking for that has the information you need? How do you see trends over time? Enter Splunk.
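To make the three formats above concrete, here is an added example (written for this page; it is not Splunk’s code or the article’s) that parses lines in that layout into named fields and then answers the two questions just raised: find the event you are looking for (failed SSH logins piling up from one IP) and see a trend over time (HTTP status codes per minute). The log lines, hostnames, IP addresses, paths, the regular expressions and the three-failure threshold are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (hypothetical hosts, IPs and paths, not taken from any
# real system), laid out like the three examples in the article plus a few more
# so there is something to count. The last line is deliberately malformed.
SAMPLE_LOGS = """\
[Apr 9, 2022 11:21:23 AM ] - 10.5.1.218 : GET /publications/technically HTTP/1.1 200
[Apr 9, 2022 11:21:24 AM ] adc1 sshd[41458] : Failed password for root from 192.168.1.3
[Apr 9, 2022 11:21:25 AM ] com.docker.osxfs Unexpected exception: Socket.Closed
[Apr 9, 2022 11:21:26 AM ] adc1 sshd[41460] : Failed password for root from 192.168.1.3
[Apr 9, 2022 11:21:27 AM ] - 10.5.1.218 : GET /admin HTTP/1.1 403
[Apr 9, 2022 11:21:28 AM ] adc1 sshd[41462] : Failed password for admin from 192.168.1.3
[Apr 9, 2022 11:21:29 AM ] - 203.0.113.7 : POST /login HTTP/1.1 500
this line is not in any format we know about
"""

# Every line in this (assumed) layout starts with the same bracketed timestamp.
TS_FMT = "%b %d, %Y %I:%M:%S %p"
TS_RE = r"\[(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \]"

# One pattern per log source; the named groups become the event's fields.
PATTERNS = {
    "http": re.compile(
        TS_RE + r" [-\u2013] (?P<ip>\S+) : (?P<method>[A-Z]+) (?P<path>\S+)"
        r" HTTP/(?P<version>\S+) (?P<status>\d{3})$"
    ),
    "ssh_auth": re.compile(
        TS_RE + r" (?P<host>\S+) sshd\[(?P<pid>\d+)\] : Failed password for"
        r" (?P<user>\S+) from (?P<ip>\S+)$"
    ),
    "docker": re.compile(TS_RE + r" (?P<component>com\.docker\.\S+) (?P<message>.*)$"),
}


def parse_line(line):
    """Turn one raw line into a dict of typed fields, or mark it 'unknown'.

    Not raising on a bad line matters: a pipeline that dies on one malformed
    record stops indexing everything that comes after it.
    """
    for kind, pattern in PATTERNS.items():
        m = pattern.match(line)
        if not m:
            continue
        event = {"kind": kind, "raw": line, **m.groupdict()}
        event["ts"] = datetime.strptime(event["ts"], TS_FMT)
        if "status" in event:
            event["status"] = int(event["status"])
        if "pid" in event:
            event["pid"] = int(event["pid"])
        return event
    return {"kind": "unknown", "raw": line}


def parse_lines(text):
    """Parse a block of newline-separated log lines, skipping blank ones."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def brute_force_candidates(events, threshold=3):
    """Source IPs with at least `threshold` failed SSH logins (an assumed cutoff)."""
    failures = Counter(e["ip"] for e in events if e["kind"] == "ssh_auth")
    return {ip: n for ip, n in failures.items() if n >= threshold}


def http_status_by_minute(events):
    """Trend view: number of HTTP responses per (minute, status class)."""
    buckets = Counter()
    for e in events:
        if e["kind"] == "http":
            buckets[(e["ts"].strftime("%H:%M"), f"{e['status'] // 100}xx")] += 1
    return dict(buckets)


def http_error_rate(events):
    """Share of HTTP responses that were not 2xx (0.0 when there were none)."""
    statuses = [e["status"] for e in events if e["kind"] == "http"]
    if not statuses:
        return 0.0
    return sum(1 for s in statuses if not 200 <= s < 300) / len(statuses)


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOGS)
    print("parsed kinds:", Counter(e["kind"] for e in evs))
    print("brute-force candidates:", brute_force_candidates(evs))
    print("HTTP status by minute:", http_status_by_minute(evs))
    print(f"HTTP error rate: {http_error_rate(evs):.0%}")
```

The point of the example is the shape of the work, not the regexes: every line gets a timestamp and a handful of typed fields first, and only then do the questions (“which IP keeps failing?”, “how many 5xx per minute?”) become one-liners. That extract-fields-then-aggregate loop is exactly what Splunk does at scale, with the extraction rules written once per source instead of per script, and with lines that match nothing kept rather than dropped so they can still be searched as raw text.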

Splunk helps make sense of logs

A story as old as time, and one told by Technically Inc. many times before (i.e. New Relic, Datadog, JFrog), Splunk started with a specific log analysis...