New Blog Series: Splunk Cost Fallacy

Evan SooHoo
3 min read · Nov 15, 2024


Photo by redcharlie on Unsplash. All of the opening pictures can just be ponies, but are those even ponies?

I blogged about Splunk four times in the past, and I want to stand by my work…but the puns were getting irritating, even by my standards. After wading through a lot of that, I basically got back to an app a few of us made ten years ago that boiled down to this query:

<query>sourcetype=$diseasesourcetype$ coordinates.type=Point | rename coordinates.coordinates{} as lnglat | eval lat=mvindex(lnglat,1) | eval lng=mvindex(lnglat,0) | geostats latfield=lat longfield=lng count</query>

And I laid down what it meant:

We were creating a map by searching for disease symptoms. That’s it. It was quite a concept, but the execution wasn’t there yet.
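To make the coordinate handling in that query concrete, here is an added Python sketch of the same pipeline. It is example code written for this post, not the original app and not Splunk code. It assumes GeoJSON-style events (invented here as a few JSON lines), filters on sourcetype and `coordinates.type=Point`, unwraps the coordinate array the way the `rename`/`eval` stages do, and approximates `geostats` with a fixed-size degree grid. The names `parse_events`, `extract_latlng`, `geostats_count` and every sample record are constructed for the example. The one thing worth noticing is the index swap: GeoJSON stores `[longitude, latitude]`, which is why the query reads `mvindex(lnglat,1)` as lat; the range check below rejects points that were fed in the wrong order instead of quietly plotting them in the wrong hemisphere.

```python
import json
import math
from collections import Counter

# Constructed sample log, one JSON event per line, in the shape the dashboard
# query expects (GeoJSON-style "coordinates" object). Invented for this example.
SAMPLE_LOG = """\
{"sourcetype": "flu_reports", "symptom": "fever", "coordinates": {"type": "Point", "coordinates": [-121.49, 38.58]}}
{"sourcetype": "flu_reports", "symptom": "cough", "coordinates": {"type": "Point", "coordinates": [-121.51, 38.56]}}
{"sourcetype": "flu_reports", "symptom": "fever", "coordinates": {"type": "Point", "coordinates": [-74.01, 40.71]}}
{"sourcetype": "flu_reports", "symptom": "rash", "coordinates": {"type": "Polygon", "coordinates": [[[0, 0], [1, 0], [1, 1], [0, 0]]]}}
{"sourcetype": "measles_reports", "symptom": "rash", "coordinates": {"type": "Point", "coordinates": [-121.49, 38.58]}}
{"sourcetype": "flu_reports", "symptom": "fever"}
this line is not JSON and should be skipped
"""


def parse_events(text):
    """Parse JSON-lines input, dropping blank or unparseable lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def extract_latlng(event):
    """Mirror of the rename/eval stage: return (lat, lng) or None.

    Only Point geometries qualify (the query's coordinates.type=Point filter).
    GeoJSON order is [longitude, latitude], so index 1 is lat and index 0 is lng,
    exactly as the mvindex() calls in the query do it.
    """
    geo = event.get("coordinates")
    if not isinstance(geo, dict) or geo.get("type") != "Point":
        return None
    lnglat = geo.get("coordinates")
    if not isinstance(lnglat, (list, tuple)) or len(lnglat) < 2:
        return None
    try:
        lat, lng = float(lnglat[1]), float(lnglat[0])
    except (TypeError, ValueError):
        return None
    # A point fed in [lat, lng] order usually lands outside these bounds;
    # reject it rather than plotting it somewhere meaningless.
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lng <= 180.0):
        return None
    return lat, lng


def geostats_count(events, sourcetype, bin_size=1.0):
    """Approximation of 'geostats latfield=lat longfield=lng count'.

    Real geostats picks bin sizes per zoom level; here the grid is fixed at
    bin_size degrees. Returns {(lat_bin, lng_bin): count}.
    """
    counts = Counter()
    for ev in events:
        if ev.get("sourcetype") != sourcetype:   # the $diseasesourcetype$ token
            continue
        point = extract_latlng(ev)
        if point is None:
            continue
        lat, lng = point
        cell = (math.floor(lat / bin_size) * bin_size,
                math.floor(lng / bin_size) * bin_size)
        counts[cell] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for cell, n in sorted(geostats_count(evs, "flu_reports").items()):
        print(f"cell lat={cell[0]:.0f} lng={cell[1]:.0f}: {n} event(s)")
```

Run it as-is and the two Sacramento-area points fall into one cell while the New York point gets its own; the Polygon event, the other sourcetype, the event with no coordinates and the non-JSON line are all dropped without an exception.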

You can already find a lot of content on Splunk on Medium and on Splunk's own blog, though a lot of it is paywall-blocked. Some of it carries a lot of weight because it was written by Bill Buchanan.

I got to thinking: Cisco owns Splunk. So if we strip out all the branding, and the t-shirts, and the puns…what are they? I mentioned PonyDocs before, but the link is dead and I’m not sure if they still use it. The versions used to be named after ponies, but I am not sure if this is still the case. I used to think of Splunk as a big data tool, but “Designing Data Intensive Applications” considers “big data” to be more of a buzz word than a concrete engineering term.

Splunk is a SIEM tool used by blue teams. Anyone familiar with the product would likely push back on that definition, as it’s a small part of what they do, but that’s the context I’ve heard the few times Splunk was mentioned.

Splunk is for cybersecurity.

Splunk is notoriously expensive, but it's not hard to run the free version of the product on some small sample sets; the free license caps how much data you can index per day, which is fine for experiments like the one above.

Ten years ago I recall taking the Splunk video course, but I didn't think it was very clear what the objective was. What is Buttercup Games? What is the purpose?

The cybersecurity team released these threat hunting tutorials. They look a little more engaging.

Motivation

The last time I posted about Splunk, I said it would be the first of many posts. I never followed through, which is just a trend on this blog I want to own up to.

The ulterior motive is to review more of their core documentation. These blog posts are not in the same technical writing ecosystem, but their core documentation includes comment boxes. In my experience, they are very responsive to these: I corrected two very obvious (possibly obnoxious) grammar/command errors, if I remember correctly, and they made corrections and responded very quickly. I also bought their book on how to write documentation, though admittedly I was a little disappointed to see that authors didn’t write individual chapters. Most of them were just written by the Splunk documentation team, collectively.

It would be really nice to make a real, recent contribution to their documentation…not just some token thing.



Written by Evan SooHoo

I never use paywalls (anymore) because I would get stuck behind them.
