What does Splunk do?

Splunk is a tool for storing and searching logs, specifically focused on security.

Last updated Jun 18, 2026. Tag: devops
Justin Gage

Splunk is a tool for analyzing log data. It helps take this:

[image: a wall of raw log lines]

And turn it into this:

[image: charts and a dashboard built from those logs]

$SPLK went public in 2012 and did $3.65B in revenue in fiscal 2023 (per Splunk's most recent 10-K filing: total revenues were $3,653,708 thousand for fiscal year 2023, $2,673,664 thousand for fiscal year 2022, and $2,229,385 thousand for fiscal year 2021), so they’re not a small company by any stretch; accordingly, the product suite has expanded and today is pretty broad. The theme that ties everything together is analysis and visualization of machine data, or in other words, turning that nasty looking set of text into something a human can understand and use to make decisions.

At the core of what Splunk does is the concept of the log – a bunch of unstructured data about events that happened in your system or application, like a server failing, a request to an API being made, someone’s access being revoked; literally anything. So let’s dive into what exactly a log is, how they get generated, and why they’re important.

A brief exploration of the log

“In an ideal world I would have all ten fingers on my left hand so my right hand could just be a fist for punching.”– Dwight Schrute 

In a really ideal world, all of the data we want to analyze would magically sit in perfectly manicured tables with nice column names and no missing data. Unfortunately, reality isn’t so rosy; data is only as good and clean as what generates it, and our systems can get pretty dirty. Data is really (usually) just a record of what happened, and the most popular way of generating and storing that today is a log. A log is just a line that says what happened, where, and when, and includes any necessary other information. 

There are logs for everything –  server logs, access and authorization logs, event logs, availability logs, resource logs…the list goes on. Let’s walk through a few examples.


Different types of logs

Here is a log that gets generated when someone makes an HTTP request to a web server:

[Apr 9, 2022 11:21:23 AM ] – 10.5.1.218 : GET /publications/technically HTTP/1.1 200

We’ve got (in order) a date and time, the client’s IP address, the HTTP method (GET), the request path, the HTTP version (the protocol token in an access log reads HTTP/1.1 even when the connection was over TLS), and the response status code. 200 means the request succeeded.

Here is a log that gets generated when someone tries to access a server and enters the wrong password:

[Apr 9, 2022 11:21:24 AM ] adc1 sshd[41458] : Failed password for root from 192.168.1.3

And here’s a log that gets generated when Docker can’t connect to a socket properly:

[Apr 9, 2022 11:21:25 AM ] com.docker.osxfs Unexpected exception: Socket.Closed

You get the idea – every micro interaction with a computer system usually gets logged in a format like this. The nuances of exactly how these logs are structured vary between systems, but the basics are the same: a timestamp, a source, and a description of what happened. Even in databases – our last bastion of nice, structured data – everything is actually held together by a log under the hood: the write-ahead log that every change is appended to before the tables themselves are updated.
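To make the "basics are the same" point concrete, here is a small Python parser, added for this article and not code from Splunk or from the original post, that turns the three line formats above into structured events. The regexes, the sourcetype names and the sample lines are all mine (the sample lines are constructed, not captured from a real system); Splunk does the equivalent work at ingest time, which it calls field extraction.

```python
import re
from datetime import datetime

# Constructed sample lines in the three formats shown above (plus one that fits none).
# These are made up for the example, not captured from a real system.
SAMPLE_LOGS = [
    "[Apr 9, 2022 11:21:23 AM ] - 10.5.1.218 : GET /publications/technically HTTP/1.1 200",
    "[Apr 9, 2022 11:21:24 AM ] adc1 sshd[41458] : Failed password for root from 192.168.1.3",
    "[Apr 9, 2022 11:21:25 AM ] com.docker.osxfs Unexpected exception: Socket.Closed",
    "[Apr 9, 2022 11:21:26 AM ] - 10.5.1.218 : POST /login HTTP/1.1 401",
    "this line is in no format we recognise",
]

# Every format on the page starts with the same bracketed timestamp.
TIMESTAMP = r"\[(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \]"

# One regex per source type; the named groups become the extracted fields.
# The sourcetype names are my own labels for this example.
PATTERNS = {
    "web_access": re.compile(
        TIMESTAMP + r" [-–] (?P<client_ip>\d+\.\d+\.\d+\.\d+) : "
        r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<version>[\d.]+) (?P<status>\d{3})$"
    ),
    "sshd_auth": re.compile(
        TIMESTAMP + r" (?P<host>\S+) sshd\[(?P<pid>\d+)\] : "
        r"Failed password for (?P<user>\S+) from (?P<src_ip>\d+\.\d+\.\d+\.\d+)$"
    ),
    "docker": re.compile(
        TIMESTAMP + r" (?P<component>com\.docker\.\S+) (?P<message>.+)$"
    ),
}


def parse_line(line):
    """Return a dict of extracted fields for a recognised line, or None otherwise."""
    for sourcetype, pattern in PATTERNS.items():
        match = pattern.match(line)
        if match is None:
            continue
        event = {"sourcetype": sourcetype, "_raw": line}   # keep the raw line for forensics
        event.update(match.groupdict())
        event["_time"] = datetime.strptime(event.pop("ts"), "%b %d, %Y %I:%M:%S %p")
        if "status" in event:
            event["status"] = int(event["status"])       # numeric fields should be numbers
        return event
    return None


def parse_lines(lines):
    """Split a batch of lines into structured events and the lines nothing matched.
    Unparsed lines are kept rather than dropped: silently losing them is how a new
    log format ends up unmonitored."""
    events, unparsed = [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed.append(line)
        else:
            events.append(event)
    return events, unparsed


if __name__ == "__main__":
    parsed, leftovers = parse_lines(SAMPLE_LOGS)
    for event in parsed:
        fields = {k: v for k, v in event.items() if k not in ("_raw", "_time", "sourcetype")}
        print(event["_time"].isoformat(), event["sourcetype"], fields)
    print("unparsed:", leftovers)
```

The detail worth noticing is the second return value of parse_lines: a parser that quietly discards what it cannot read will also discard the first lines a new or misbehaving system emits, which are exactly the ones a security team needs to see.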

Log storage#

When a log gets generated, it immediately gets stored somewhere so teams can look at it later on. It’s a lot simpler than you might think: most web servers will literally just append logs to files in a folder on the server, such as /var/log/nginx or /var/log/apache2. Even Kubernetes – the granddaddy of overcomplicated orchestration frameworks – writes container logs to plain files under /var/log on each node by default (/var/log/pods, with symlinks in /var/log/containers). If things are running locally, you could actually navigate to these logs in your Finder window and open them in a text editor.

That folder is rarely the final destination for these logs, though. You can break log storage into two categories:

  • Temporary log storage – logs only get stored for a short time. Usually reserved for logs that are only useful during a particular period of work (e.g. installing software).
  • Persistent log storage – logs get shipped off the host into some sort of long term storage, like a database or a log platform, for later analysis.

For security teams the second category isn’t optional: an attacker who gets root on a box can delete or edit the local log files, so logs only count as trustworthy evidence once a copy has been shipped somewhere the compromised host can’t reach.

The fun part starts when it’s time to analyze these logs. The command line is a powerful interface, but admittedly not for everyone: how do you search through your thousands (millions?) of logs to find the one you’re looking for that has the information you need? How do you see trends over time? Enter Splunk.

Splunk helps make sense of logs

A story as old as time, and one told by Technically Inc. many times before (e.g. New Relic, Datadog, JFrog): Splunk started with a specific log analysis product, but has since expanded into adjacent product areas in the name of providing a "platform", i.e. lots of products that help keep customers locked in.

They've also built an impressive ecosystem around the product, with ~2,800 apps and add-ons available on their Splunkbase marketplace (the naming department was on vacation). Per Splunk's most recent 10-K filing, over 2,800 apps and add-ons are currently available on Splunkbase, most of them built and maintained by third parties. For example, the "Python for Scientific Computing" add-on lets you write Python against your Splunk data. Large ecosystems around infrastructure products tend to make a platform more valuable and customers less likely to leave; Snowflake has pursued the exact same strategy with the Snowflake Marketplace.

The Splunk core product – ingest and analyze logs

At its core, Splunk is about making sense of giant piles of logs. Because it’s a large, only loosely developer-focused company today, I was only able to find the following plain-English description after several clicks through their documentation:

“Splunk Enterprise is a software product that enables you to search, analyze, and visualize the data gathered from the components of your IT infrastructure or business. Splunk Enterprise takes in data from websites, applications, sensors, devices, and so on.”

And here is where we begin our journey. Remember: if you ever want to cut through the we hope CIOs are reading this! homepage copy, go straight to the documentation. When the company needs to talk to developers, they cut out the marketing and get real.

In their docs, Splunk breaks down the core logs analytics product into 7 parts, but we here at Technically Inc. think 2 simpler categories suffice:

  • Logs infrastructure – getting data into Splunk and organizing it effectively.
  • Analysis and visualization – searching through logs, building visualizations and dashboards, scheduling regular reports, and configuring alerts.

Though the first category may not seem very interesting or important, consider that Splunk’s target user is a team of developers, IT operators or security analysts at a huge (enterprise) company. And at that scale, they’re ingesting logs from tons of different sources at a breakneck speed. Figuring out how to get that data into a central location, index it, extract fields from each format, etc. is not straightforward.

Tesco, a massive U.K.-based grocery retailer, is one of Splunk's customers – they use it to ingest logs from all of their devices (point of sale, warehouse, trucking, etc.) and build dashboards and alerting.

And they're not alone: Splunk's products have been adopted by over 90 of the Fortune 100 companies (per Splunk's most recent 10-K filing: as of January 31, 2023 they have customers in more than 130 countries and their offerings have been deployed by over 90 of the Fortune 100 companies).

[image: a Splunk security dashboard]

Remember though, under the hood is unstructured log data, not neatly organized database tables. That’s part of what makes this product so useful, and hard to build in house. Security monitoring, correlating authentication, network and endpoint logs to spot attacks in progress, is one of Splunk’s most popular use cases, and is often called SIEM (Security Information and Event Management), if you’re interested in another acronym.

To build visualizations, or a dashboard (a set of visualizations), in Splunk, the usual entry point is the search UI:

[image: the Splunk search UI, with the query categoryid=sports at the top and matching events listed on the right]

Splunk has a native search language they developed called Search Processing Language, or SPL for short. That text at the top – categoryid=sports – is an SPL search that keeps only the events whose extracted categoryid field equals sports (a bare word without the field= part would instead match that text anywhere in the raw event). Splunk shows you the matching events on the right, with the matched terms highlighted. Notice how they look a lot like the simple example logs we talked about earlier.

Clicking on the visualization tab lets you build graphs from this data: maybe the number of results over time, the percentage of logs coming from specific devices, etc. Since these logs could contain data about literally anything – security and access events, web page visits, device updates and restarts – there’s a pretty broad array of use cases that companies use the product for.
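Here is that search-then-aggregate-then-alert flow written out in Python. It is an added example, not Splunk's code and not from the original post; it runs over a constructed batch of already-indexed sshd authentication events, and the field names it assumes (action, user, src_ip) are my choice rather than Splunk's. Each function's docstring gives the SPL that does the same job, and the last function is the kind of scheduled alert a SIEM exists to run: flag a source address that fails to log in too many times in a short window.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed, already-parsed sshd authentication events, as they would look once
# indexed with fields extracted. Made up for the example; the field names are mine.
_ROWS = [  # (time on 2022-04-09, action, user, src_ip)
    ("11:21:24", "failure", "root",  "192.168.1.3"),
    ("11:21:31", "failure", "root",  "192.168.1.3"),
    ("11:21:40", "failure", "admin", "192.168.1.3"),
    ("11:21:52", "failure", "root",  "192.168.1.3"),
    ("11:22:05", "failure", "root",  "192.168.1.3"),
    ("11:22:10", "failure", "root",  "192.168.1.3"),
    ("11:21:30", "failure", "jgage", "10.5.1.218"),
    ("11:21:45", "success", "jgage", "10.5.1.218"),
    ("11:23:02", "failure", "root",  "192.168.1.7"),
    ("11:24:15", "failure", "root",  "192.168.1.7"),
]
EVENTS = [
    {"_time": datetime(2022, 4, 9, *map(int, t.split(":"))), "sourcetype": "sshd_auth",
     "action": action, "user": user, "src_ip": src_ip}
    for t, action, user, src_ip in _ROWS
]


def search(events, **criteria):
    """SPL: `action=failure user=root`. Keep events where every named field has that value."""
    return [e for e in events if all(e.get(f) == v for f, v in criteria.items())]


def stats_count_by(events, field):
    """SPL: `| stats count by src_ip`. Event counts per distinct value of a field."""
    return Counter(e.get(field) for e in events)


def timechart_count(events, span=timedelta(minutes=1)):
    """SPL: `| timechart span=1m count`. Event counts in fixed-width time buckets."""
    buckets = Counter()
    span_seconds = span.total_seconds()
    for e in events:
        midnight = e["_time"].replace(hour=0, minute=0, second=0, microsecond=0)
        offset = (e["_time"] - midnight).total_seconds()
        buckets[midnight + timedelta(seconds=offset - offset % span_seconds)] += 1
    return dict(sorted(buckets.items()))


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert rule: `threshold` or more failed logins from one source IP inside a sliding
    window. A scheduled SPL search of `| stats count by src_ip | where count >= 5` over
    fixed intervals misses an attacker whose attempts straddle an interval boundary;
    the sliding window does not."""
    times_by_ip = defaultdict(list)
    for e in search(events, action="failure"):
        times_by_ip[e["src_ip"]].append(e["_time"])
    alerts = []
    for src_ip, times in times_by_ip.items():
        times.sort()
        start, best = 0, (0, 0, 0)          # (count, start index, end index) of the densest window
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1                  # slide the window forward past old attempts
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        if best[0] >= threshold:
            alerts.append({"src_ip": src_ip, "failures": best[0],
                           "first": times[best[1]], "last": times[best[2]]})
    return alerts


if __name__ == "__main__":
    failures = search(EVENTS, action="failure")
    print("failed logins by source:", dict(stats_count_by(failures, "src_ip")))
    for bucket, count in timechart_count(failures).items():
        print(bucket.strftime("%H:%M"), "#" * count)
    for alert in brute_force_alerts(EVENTS):
        print("ALERT", alert)
```

The sliding window is the part worth copying. Whatever threshold you pick needs tuning against your own false-positive rate: a misconfigured service account retrying a stale password in a loop will trip this rule just as surely as an attacker, and a noisy rule is one analysts learn to ignore.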

The Splunk ecosystem – some other stuff

Splunk has slowly been building out the platform to keep customers locked in. A few examples:

  • Machine Learning – apply ML models to your log data to identify anomalies and outlier events, forecast more effectively, etc.
  • Security Orchestration (Splunk SOAR) – lets security teams run playbooks (disable this account, pull that data, etc.) on top of their logs
  • On-Call Automation (Splunk On-Call) – lets teams run DevOps workflows to remediate when servers or applications go down

There’s an interesting pattern emerging here. Splunk has a few core use cases – namely security and DevOps – and they’ve built automation suites on top of those. In other words, they may be trying to become not only a place where you analyze and visualize your data, but also a place where you can take action on what you’re seeing in that data. Here’s their admittedly complex diagram attempting to explain their On-Call product:

[image: Splunk's diagram of its On-Call product]

Normally, you’d sift through logs and get some sort of alert in Splunk that a server is down; then you’d find your way into other tools (like PagerDuty or Slack) to let your team know, create a ticket in a task management system that remains open until the issue is fixed, and notify stakeholders. Splunk wants you to do all of that in their product – which is probably a strategic move to increase their surface area and become more than just an analysis and alerting tool.
