Splunk president and CEO Gary Steele announced the new release on stage at Splunk .conf 2022 in Las Vegas this week. Splunk Enterprise 9.0 comes with the theme of "see, act, extend", and this focus stands out through the rich new feature set that has been unveiled - features that shine a light on issues, allow teams to identify the root cause, remediate the problem, and potentially automate these actions.
Steele said "three realities shape today - unpredictability, digital domination, and complexity," before adding that these three realities will shape tomorrow too. Splunk has risen to the challenge of helping customers tackle these realities now and in the future.
"We've become the unified security and observability platform pioneering the industry," Steele said. "If an application goes down in the middle of the night, alerts go off left and right. Is it a denial of service issue, an API issue, or simply real demand from customers?"
No matter whether you're a SOC analyst, NOC engineer, SRE, or developer … “you have a set of actions you need to follow,” Steele said. And, “to achieve these, you need the power of Splunk. All this starts with visibility. Only Splunk gives end-to-end visibility.”
It's a fundamentally different approach that Splunk takes from other vendors, Steele says, “who only give you access to parts of the data, or who require sampling.”
With this vision of enabling NOC and SOC teams alike to share data, collaborate on incident resolution, and work with their data without limitations, Splunk highlighted several new features in particular:
Federated Search for AWS S3
Splunk enhances and simplifies investigation and search across hybrid cloud environments by providing users and administrators of the Splunk Platform a unified, single-pane view of their entire Splunk ecosystem to enable quicker actionable insights.
Previously, Splunk has enabled search across multiple Splunk installations - such as Splunk on-premises and Splunk cloud. However, this announcement now gives the ability to search in a non-Splunk repository, with AWS S3 the first cab off the rank.
Splunk senior vice president and chief product officer Garth Fort spoke with iTWire, explaining how this fits into Splunk's philosophy of "no data left behind."
"What Splunk did uniquely in its early days was schema-on-read. The best diagnostic source of data was logs, and Splunk had no foreknowledge of the schema it was going to ingest. It worked this out on the fly as it ingested event logs.”
However, today, Fort explained, there are huge volumes of data everywhere. Companies are using data lakes, data warehouses, data lakehouses, and all kinds of unstructured storage too. For example, the most common pattern for dealing with application logs is to dump them into AWS S3 buckets and deal with them later. "Every customer has some strategy in place around that," Fort said. "It's useful to put a lot of data into Splunk for correlations and insights, but it's impractical to put all data into Splunk at this point."
Splunk senior director product management Faya Peng demonstrated an example: you receive a Jira ticket stating an account has been flagged due to suspicious activity, and you need to pull out all the transactions from this account in the last four years. And, because this is serious, you need to respond in 24 hours.
In this scenario, the retail logs are massive volumes of JSON data, stored in S3 buckets, one per calendar year. It’s archived data with a low signal-to-noise ratio. It would take hours to download and ingest into Splunk.
Instead, Splunk demonstrated how easily Federated Search for AWS S3 lets you set up a federated search provider for AWS S3 and query it with regular SPL:
sdselect timestamp, user, statusCode, padder, method, url, message from federated:retail-logs where user = "lbosq" and url = "/retail/purchase"
This demonstration searched 20TB of JSON data in S3, providing the specific purchases that should be investigated - in minutes.
Data Manager for Splunk Cloud Platform
Data Manager delivers a scalable data onboarding experience across Amazon Web Services and Microsoft Azure today, with Google Cloud Platform support available later, providing an easy-to-manage hybrid cloud control plane of data flowing into Splunk within minutes.
What this means is that you can effortlessly onboard data from hundreds of cloud-based services. For example, you select Azure, then Azure AD logs or Azure activity logs, or any one of a numerous array of options from different cloud providers.
The workflow has clearly undergone heavy customer experience review and displays a wizard-like flowchart of steps you will go through, highlighting exactly where you are in the flowchart at each step, and explaining the actions or commands that need to be executed within either Splunk or the cloud provider. There may be commands you need to run in Azure, for instance, but Splunk holds your hand the entire way through. Within moments you have data ingestion configured, and data flowing into Splunk from your chosen cloud-based source. A data management page shows the ingestions, daily volume, and other metrics.
Splunk Log Observer Connect
Log Observer Connect allows customers to visualise all their data in one place by combining the power of Splunk Cloud Platform and Splunk Observability, enabling site reliability engineers and DevOps engineers to access their metrics, traces, and Splunk Cloud logs in a single interface for faster, in-context debugging.
The feature connects infrastructure with the applications that run on it, delivering an integrated portfolio that is easy to drill down from the big picture into logs and information you need to fix the issue fast. It gives end-to-end visibility for NOC and SOC teams alike, displaying logs in context with metrics, traces, and end-user interactions. It’s easy to use, with no coding required.
Anomaly Detection Assistant
Anomaly Detection Assistant simplifies investigation and helps security analysts, IT operations and DevOps engineers find potential problems by using machine learning to craft a perfectly tuned query quickly in order to identify anomalies in time-series datasets.
Splunk has long allowed you to detect anomalies in time-series data within SPL, but tuning such searches is costly. Instead, the Anomaly Detection Assistant automatically writes a query for you that tunes the lower and upper boundaries of an acceptable range to identify outliers. It creates auto-tuned queries and flags detected anomalies using clear highlights, also giving you the SPL code to copy and use. It helps drive faster investigation by auto-generating the right query.
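To make the "lower and upper boundaries of an acceptable range" concrete, here is an added example (not Splunk's code, and not necessarily the method the Assistant uses) that derives the boundaries from the data itself using a median and median absolute deviation (MAD), then flags points outside them. The request-rate series is constructed for illustration; the multiplier k and the 1.4826 MAD scaling constant are conventional choices, not values taken from the article.

```python
"""Auto-tuned outlier bounds for a time series (illustrative, not Splunk's algorithm)."""
from statistics import median

# Constructed sample: requests per minute, hovering around 100 with one spike and one drop
SERIES = [98, 102, 101, 99, 100, 103, 97, 250, 100, 101, 99, 102, 12, 100, 98]


def tuned_bounds(values, k=3.0):
    """Return (lower, upper) as median +/- k * scaled MAD.

    The median and MAD are robust: the outliers we want to catch barely move them,
    which is what makes the bounds usable without hand tuning per dataset.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = 1.4826 * mad if mad else 1.0  # guard against a zero-spread series
    return med - k * scale, med + k * scale


def find_anomalies(values, k=3.0):
    """Return (index, value) for every point outside the tuned bounds."""
    lower, upper = tuned_bounds(values, k)
    return [(i, v) for i, v in enumerate(values) if v < lower or v > upper]


if __name__ == "__main__":
    lo, hi = tuned_bounds(SERIES)
    print(f"acceptable range: {lo:.1f} .. {hi:.1f}")
    for idx, val in find_anomalies(SERIES):
        print(f"anomaly at t={idx}: {val}")
```

With a series whose typical spread is a few requests per minute, the bounds settle at roughly 91 to 109, so the spike to 250 and the drop to 12 are flagged while the ordinary jitter is not. On real data the same computation would be applied per sliding window so the range follows daily patterns.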
Synthetic monitoring integrated into Splunk Observability Cloud
Splunk's synthetic monitoring allows you to create tests - choosing an application, a device type, a location, and a frequency - to simulate load. Once configured, synthetic tests collect a host of metrics on performance and availability. These synthetic tests have already been part of Splunk, but what's new in Splunk Enterprise 9.0 is the ability to jump into test run data to identify the root cause of a problem, such as high latency. You can view the problem, then view a trace in APM to see the component causing the issue, down to the exact line of code or database query, or whatever else it might be.
The connection between synthetic tests and Splunk Observability Cloud means operators can identify and troubleshoot critical user-impacting problems - the old needle in a haystack - and trace the problem down to its root.
Risk-based alerting in Splunk Enterprise Security, combined with risk-notable playbooks from Splunk SOAR, allows customers to enforce a zero-trust approach, prioritise high-fidelity incidents and ensure rapid time to action by automating containment and response tasks in seconds.
Zero trust is a concept many security professionals strive toward, and Splunk's new risk-based alerting combined with Splunk SOAR playbooks allows you to automate containment when an event exceeds a risk threshold, giving you time to investigate the root cause.
Splunk SOAR reports on all the containment activities it performed, and this playbook pack drastically reduces the implementation time for any company that wants to implement zero trust. Over 350 technology partners are supported, so the visual playbook editor lets you integrate actions across Okta, Zscaler, Carbon Black, and many others - all taking effect for you when triggered.
The SOAR console further allows analysts to leave notes as they work through the incident, all on one page, helping teams collaborate, and enforce zero trust at scale.
Splunk Incident Intelligence
Incident Intelligence, now in preview, helps DevOps teams investigate incidents and take action to ensure better system resilience by providing event correlation, incident response and on-call routing, collaboration, and automation - all within a unified workflow.
Ingest Actions helps customers get data to the right places, in the right shape, and at the right time with granular controls to take action on data through filtering, masking, and routing of data in motion within the Splunk Platform or to external AWS S3 storage.
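The three operations named here - filtering, masking, and routing data in motion - are the core of any ingest-time pipeline, and masking in particular matters because payment card numbers and e-mail addresses that land in an index are searchable by everyone with access to it. The following added example (not Splunk's Ingest Actions implementation) shows the shape of such a pipeline in plain Python: chatty events are dropped, card numbers are reduced to BIN and last four digits, e-mail addresses are redacted, and surviving events are routed by sourcetype to a named index or to an archive destination. The events, sourcetypes and destination names are constructed for illustration.

```python
"""Filter / mask / route pipeline for events in motion (illustrative, not Splunk's code)."""
import re

# Constructed sample events; the card number is a well-known test number, not a real card
EVENTS = [
    {"sourcetype": "app:payments", "level": "INFO",
     "msg": "charge ok card=4111111111111111 user=alice@example.com"},
    {"sourcetype": "app:payments", "level": "DEBUG", "msg": "cache hit"},
    {"sourcetype": "aws:cloudtrail", "level": "INFO", "msg": "ConsoleLogin from 203.0.113.7"},
    {"sourcetype": "app:web", "level": "INFO", "msg": "GET /retail/purchase 200"},
]

# 12-19 digit card numbers: keep the first 6 (BIN) and last 4, mask the middle
CARD_RE = re.compile(r"\b(\d{6})(\d{2,9})(\d{4})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")

# Hypothetical routing table: sourcetype -> destination; anything else goes to archive
ROUTES = {"app:payments": "index:payments", "aws:cloudtrail": "index:security"}
DEFAULT_ROUTE = "s3:archive"


def should_drop(event):
    """Filter: DEBUG events cost ingest volume and rarely help an investigation."""
    return event["level"] == "DEBUG"


def mask(event):
    """Mask: redact cardholder data and e-mail addresses before indexing."""
    msg = CARD_RE.sub(lambda m: m.group(1) + "*" * len(m.group(2)) + m.group(3), event["msg"])
    msg = EMAIL_RE.sub("<redacted-email>", msg)
    return {**event, "msg": msg}


def route(event):
    """Route: pick a destination by sourcetype."""
    return ROUTES.get(event["sourcetype"], DEFAULT_ROUTE)


def process(events):
    """Run filter -> mask -> route and return events grouped by destination."""
    out = {}
    for ev in events:
        if should_drop(ev):
            continue
        ev = mask(ev)
        out.setdefault(route(ev), []).append(ev)
    return out


if __name__ == "__main__":
    for dest, evs in process(EVENTS).items():
        for ev in evs:
            print(f"{dest:16} {ev['sourcetype']:15} {ev['msg']}")
```

Masking happens before routing on purpose: whatever is written to the archive destination is then just as clean as what reaches the index, so the archive does not become the place where the unmasked copy lives.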
Splunk Assist is a new fully managed cloud service within Splunk Enterprise 9.0 that provides customers with deep insights into their security environment, leveraging insights from cloud deployments for a richer administrative experience.
Splunk Cloud Developer Edition
Now in preview, the Splunk Cloud Developer Edition lets developers easily create and test their applications, reducing time-to-value for enterprises building on, for, and with the Splunk Cloud Platform.
This free developer edition can be applied for via dev.splunk.com, but does require an existing Splunk account for authentication.
What features stand out to Splunk executives?
iTWire strives to understand what drives IT leaders, what their vision is, and what keeps them up at night. I ask company executives to identify the standout feature, for them, based on the challenges they see customers facing, or that align with their directions.
Splunk president and CEO Gary Steele said for him, it was the federated search across AWS S3, giving results in a single Splunk console. “One of the important strategic directions of the company is to get access to the data wherever it lives. Starting with AWS S3, this allows customers to leave data where it may be,” he told iTWire.
Splunk senior vice president and general manager APAC and Japan Simon Davies pointed to two: the first was risk-based alerting. "In isolation, an event might not be something you should put a human on, like a failed login, but a failed login in four different pieces of equipment with the same credentials is," he said to iTWire. "The risk-based engine looks at events in aggregate and scores them and considers what is the right time to investigate them. You don't want to get caught up in alert storms, so Splunk brings AI and ML and tolerances to the environment and maps into the MITRE ATT&CK framework and response framework to remediate and orchestrate. This feeds back into time-saving and efficiency and it's something that will grow and evolve over time."
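Davies' failed-login example, and the earlier description of risk-based alerting feeding SOAR containment once an event exceeds a risk threshold, share one mechanism: score events per entity, aggregate them over a window, and act only when the aggregate crosses a line. The following added example (not Splunk Enterprise Security or SOAR code) implements that mechanism over constructed authentication events. The scoring rule (base score per failure, multiplied by the number of distinct hosts the same credentials were tried on), the 10-minute window, the threshold of 60 and the containment action names are all hypothetical values chosen for illustration.

```python
"""Risk-based alerting over auth events (illustrative, not Splunk's scoring model)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, host, outcome). Not real logs.
EVENTS = [
    ("2022-06-14T09:00:00", "bob", "fw-01", "failure"),
    ("2022-06-14T09:00:05", "bob", "sw-02", "failure"),
    ("2022-06-14T09:00:09", "bob", "sw-03", "failure"),
    ("2022-06-14T09:00:15", "bob", "vpn-01", "failure"),
    ("2022-06-14T09:30:00", "carol", "wks-17", "failure"),
    ("2022-06-14T09:30:20", "carol", "wks-17", "success"),
]

# Hypothetical tuning: one failure is worth 10; spreading the same credentials
# over several hosts multiplies the score, so spray-style activity stands out.
BASE_FAILURE_SCORE = 10
WINDOW = timedelta(minutes=10)
THRESHOLD = 60


def risk_scores(events):
    """Return the peak windowed risk score per user."""
    failures = defaultdict(list)
    for ts, user, host, outcome in events:
        if outcome == "failure":
            failures[user].append((datetime.fromisoformat(ts), host))

    scores = {}
    for user, fails in failures.items():
        fails.sort()
        peak = 0
        for t0, _ in fails:  # slide a window starting at each failure
            in_window = [(t, h) for t, h in fails if t0 <= t <= t0 + WINDOW]
            hosts = {h for _, h in in_window}
            peak = max(peak, BASE_FAILURE_SCORE * len(in_window) * len(hosts))
        scores[user] = peak
    return scores


def risk_notables(events, threshold=THRESHOLD):
    """Users whose aggregate risk crossed the threshold; these become notables."""
    return sorted(u for u, s in risk_scores(events).items() if s >= threshold)


def containment_actions(events):
    """Stand-in for a SOAR playbook: map each notable to hypothetical action names."""
    return {u: ["disable_account", "open_ticket"] for u in risk_notables(events)}


if __name__ == "__main__":
    for user, score in risk_scores(EVENTS).items():
        print(f"{user}: risk={score}")
    print("containment:", containment_actions(EVENTS))
```

A single failure from carol scores 10 and never surfaces, while bob's four failures across four hosts within fifteen seconds score 160 and become a notable that triggers containment. That is the aggregate-then-act behaviour Davies describes, and it is what keeps the individual failed login out of the analyst's queue.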
Additionally, Davies told iTWire he is "fascinated by Web 3.0 and blockchain and the business applications,” explaining Splunk for Blockchain has been released and has customers using it. It’s not about cryptocurrency or NFTs, “but supply chain and a high level of transparency around contracts and verifying ownership,” he said.
iTWire also tried its luck with senior vice president and chief product officer Garth Fort, though it was perhaps fanciful - or maybe foolish and cheeky - to ask the chief of product which of his children was his favourite. "Splunk 9.0 is the most significant release since 2019," he told iTWire.
"Splunk was founded on a simple concept. The challenge with any really complex software system is the difficulty in understanding its internal state and troubleshooting. Splunk made searching through logs super easy and was a breakthrough for IT teams,” he said.
"Splunk was designed for enterprise-scale and flexibility from the get-go," Fort said.
Splunk pre-dated the cloud, and the environment users pointed it at back then were all on-premises and all using logs. “Today’s apps are different,” Fort said. “They run on the cloud as micro-services and are infinitely more complex.”
"We've been asked to do more," Fort said, explaining that Splunk had evolved to complement logs and events with metrics and traces, that its users had expanded beyond security and IT to all manner of industries and business teams, and that Splunk had become a leader in security while more than six acquisitions built out an observability cloud.
All this combines to deliver the "see, act, and extend" theme of Splunk Enterprise 9.0, and the features detailed above, and more, can make this happen in your business.