Splunk + Elasticsearch = logs**2 – ElasticSPL Announcement

Splunk Enterprise™ and Elasticsearch™ are often seen as the two most prominent players in log analytics. Splunk Enterprise is used mainly for time-series data, while Elasticsearch serves as a general-purpose search engine and document store for all kinds of data. As a result, more often than not, enterprises run both Splunk and Elasticsearch in their technology stack.

Splunk and Elasticsearch are great tools for breaking down data silos, but together they create two new, extensive silos of their own. The Splunk Supporting Add-on for Elasticsearch, better known as ElasticSPL, was developed to bridge these silos and provide a single pane of glass over the data held in Splunk and in Elasticsearch. With the two tools connected, Splunk users can query Elasticsearch for use cases such as Splunk Enterprise Security notables, or use aggregated data from Elasticsearch to power a Splunk dashboard. Where the data comes from is transparent to the user: working with data fetched from Elasticsearch is no different from working with data stored natively in Splunk.

Using ElasticSPL, a Splunk environment can query data from Elasticsearch ad hoc, or ingest it into Splunk by combining a saved search with the collect command. Native Splunk lookups can also be built from a result set returned by Elasticsearch.

ElasticSPL is a Splunk add-on that adds several search commands to SPL. These commands query Elasticsearch using Query DSL statements. ElasticSPL provides the following functionality:

  • Query Elasticsearch ad hoc with DSL statements for time-series (event) data using elasticadhoc and elasticquery
  • Query Elasticsearch ad hoc with DSL statements for aggregated data using elasticadhocstats and elasticquerystats
  • Save DSL queries and share them with other users
  • Configure DSL queries to filter by time automatically, using a defined timestamp field name to apply the search time range
  • Configure DSL queries with replacements to adapt them to the current need on the fly
  • Create DSL queries and preview their results in an interactive explorer dashboard
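As an added illustration (not ElasticSPL's own code; the page does not describe its internals), the Python below sketches what the saved-query features listed above amount to in practice: a saved Query DSL body is bounded to the search time window on a configured timestamp field, placeholders are filled in, and a bucket-aggregation response of the kind the stats-style commands consume is flattened into rows. The function names, the `$NAME$` placeholder syntax and the sample query and response are assumptions made for this example. It also shows the check a practitioner wants around replacements: substituting into the parsed query's string values keeps a replacement a value, whereas substituting into the JSON text lets a crafted value add clauses to the saved query.

```python
"""Added illustration for the saved-query features described above (time filtering
on a configured timestamp field, placeholder replacements) and for flattening an
aggregation response into stats-style rows. Not ElasticSPL code: the function
names, the $NAME$ placeholder syntax and the sample data are assumptions."""
import json

# Constructed sample: a saved Query DSL body with one placeholder, as an
# operator might store it. The $USER$ token syntax is assumed for this example.
SAVED_QUERY = {
    "query": {"bool": {"filter": [{"term": {"user.name": "$USER$"}}]}}
}
SAVED_QUERY_TEXT = json.dumps(SAVED_QUERY)

# Constructed replacement value that, if pasted into the JSON text, closes the
# filter clause and appends a must_not clause to the saved query.
INJECTION = 'alice"}}], "must_not": [{"term": {"event.outcome": "failure'


def substitute(node, replacements):
    """Apply $NAME$ replacements to string values of an already-parsed query.
    Because the text is never re-parsed, a replacement can only ever end up as
    (part of) a string value; it cannot add or remove clauses."""
    if isinstance(node, dict):
        return {k: substitute(v, replacements) for k, v in node.items()}
    if isinstance(node, list):
        return [substitute(v, replacements) for v in node]
    if isinstance(node, str):
        for name, value in replacements.items():
            node = node.replace(f"${name}$", value)
    return node


def substitute_unsafe(saved_text, replacements):
    """The approach to avoid: replace in the JSON text, then parse."""
    for name, value in replacements.items():
        saved_text = saved_text.replace(f"${name}$", value)
    return json.loads(saved_text)


def build_query(saved, time_field, earliest, latest, replacements=None, size=100):
    """Turn a saved DSL query into a request body bounded to the search window,
    the way the Splunk time picker bounds a search. earliest/latest are epoch
    seconds; time_field is the timestamp field configured for this query."""
    body = substitute(saved, replacements or {})
    time_range = {"range": {time_field: {
        "gte": earliest * 1000, "lt": latest * 1000, "format": "epoch_millis"}}}
    # AND the time window onto the saved query without touching its own clauses.
    body["query"] = {"bool": {"filter": [body["query"], time_range]}}
    body["size"] = size
    body["sort"] = [{time_field: "desc"}]
    return body


# Constructed sample of an Elasticsearch response with nested terms aggregations.
AGG_RESPONSE = {
    "aggregations": {"by_user": {"buckets": [
        {"key": "alice", "doc_count": 42, "by_outcome": {"buckets": [
            {"key": "success", "doc_count": 40},
            {"key": "failure", "doc_count": 2}]}},
        {"key": "bob", "doc_count": 7, "by_outcome": {"buckets": [
            {"key": "failure", "doc_count": 7}]}},
    ]}}
}


def flatten_aggregations(aggs, prefix=None):
    """Flatten nested bucket aggregations into one row per leaf bucket, the
    tabular shape a stats-style search command hands back to Splunk."""
    rows = []
    for name, agg in aggs.items():
        for bucket in agg.get("buckets", []):
            row = dict(prefix or {})
            row[name] = bucket["key"]
            children = {k: v for k, v in bucket.items()
                        if isinstance(v, dict) and "buckets" in v}
            if children:
                rows.extend(flatten_aggregations(children, row))
            else:
                row["count"] = bucket["doc_count"]
                rows.append(row)
    return rows


if __name__ == "__main__":
    print(json.dumps(build_query(SAVED_QUERY, "@timestamp", 1700000000,
                                 1700003600, {"USER": "alice"}), indent=1))
    print(substitute_unsafe(SAVED_QUERY_TEXT, {"USER": INJECTION}))
    print(flatten_aggregations(AGG_RESPONSE["aggregations"]))
```

The time window is ANDed onto the saved query as a sibling `bool.filter` clause rather than merged into it, so a saved query keeps working whatever its top-level shape is, and the same replacement values that would rewrite the query under text substitution stay plain string values under `substitute`.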

In addition to the core features, ElasticSPL provides a user interface for managing Elasticsearch instances and saved queries, including access control for command execution at both the Elasticsearch-instance and the saved-query level. ElasticSPL supports installation on a standalone Splunk search head as well as in a search head cluster. On the Elasticsearch side, it supports multiple concurrent instances and Elasticsearch clusters.

Sounds interesting? Contact us at apps (at) datapunctum.ch for any questions regarding Splunk™, Elasticsearch™ or ElasticSPL and get started with your journey to fully connected log analytics!