19 Replies Latest reply on May 1, 2014 10:01 AM by chaoslodge

    Anyone using Splunk?

    denny.lecompte

      Do you use Splunk?  How does it fit in with your use of Orion?  We're very interested in hearing about how you'd like to see Orion and Splunk play together...

        • Re: Anyone using Splunk?

           Yes, we use it at the company I work for.  All of our logs from all devices go to our Splunk server.  I prefer it much more than the built-in Syslog server on Orion.  It's a lot more robust, scalable and the search capabilities are, for me, unmatched in the industry.  We have it integrated to Orion so that we can access it right from the Orion web site.  I think it's really an invaluable tool.  It would be great if you guys would integrate it even further into Orion.

           Thanks.

          • Re: Anyone using Splunk?

            We use Splunk and the only integration we currently do is add a custom property that links to Splunk with a search for the host and drop a copy of alerts into Splunk for problem correlation.  Things I'd like to see:

            • APM monitor to execute a Splunk search and alert based on either number of events returned or on a regex against the returned result
            • Option in web interface to show last 10 events from host
            • Option in web interface to pull a report and display it inline on the node page (this is probably already possible, but I suspect, overly complex... a handy button would be nice)
            • Ability to republish SNMP traps to Splunk

            • Re: Anyone using Splunk?

              Haven't done it yet b/c I left the previous company but I was pushing hard for a Splunk purchase for over a year and was gonna implement with Orion as the first step.

              • Re: Anyone using Splunk?
                freak523

                We have been evaluating Splunk as a replacement to the Solarwinds syslogging tools due to their limited functionality.  We have a combination of syslogs and text logs from all our systems that we need a way to search, alert, and report off of.  It would be great if we could directly integrate alarms from Splunk into the Orion alerting engine.


                -David

                  • Re: Anyone using Splunk?
                    Dal

                     This is the biggest limit, or lack, in Orion, a proper tool for handling logs (traps, syslogs, etc).

                     Instead of talking integration with another tool that you don't make yourselves, you should go for similar functionality within your own program (Orion).

                     When the amount of logging gets big, Splunk is VERY expensive, and I don't want to pay for 2 expensive programs; one is enough.

                      • Re: Anyone using Splunk?
                        freak523

                        Dal

                        I certainly agree that it would be great if Solarwinds actually had a functional product for syslogs, text logs and traps, but with a database-based solution I don't know that they will meet the performance, volume, or robust search capability that Splunk offers.  It would be great if Solarwinds could write an integration for customers whose text logging requirements exceed the capabilities of a database-based solution into an application that is substantially different than Solarwinds and offers a lot more power and functionality.  Of course I wouldn't complain about a number of improvements to the trap and syslog tools in Solarwinds either.

                    • Re: Anyone using Splunk?

                      We use Splunk. We use it more than anything for our firewall logs.  When we send logs to Orion, it eats up a steady chunk of CPU on the box and searching the logs often times out when done via the Orion web interface.  No real integration though, just log into a different interface to view them :(

                      • Re: Anyone using Splunk?
                        Bain_606

                        Hi-

                        I know this is an old thread, but I am very interested in some integration of Splunk graphs and charts into NPM. We now have 10.1.1 and APM 3.5 (looking at 4.0 now too) and are very happy with it.

                        Our devs want to stay with logs for now, and I'd like to tie in the NPM dashboards with Splunk. Has anyone here explored this?

                         

                        Thanks,

                        Mike

                          • Re: Anyone using Splunk?
                            Questionario

                            That would be really cool, Splunk is one of the very few tools we haven't replaced with Solarwinds products yet...

                              • Re: Anyone using Splunk?
                                freak523

                                If you want to place a Splunk graph or dashboard element on one of the Solarwinds pages where you are NOT passing anything to it you can use a simple iframe in the Solarwinds Custom HTML resource.  Splunk details how to do that here:  http://www.splunk.com/base/Documentation/latest/Developer/3rdParty

                                If you want to customize the Splunk resource on node pages, for example, you will have to write something using the Splunk REST API, which has been on my list of things to do for the last year or so.  I think it would be extremely useful to be able to return customized results based off of a node name or a custom property for a node by passing that variable for Splunk to run a customized search with.

                                I know that Splunk is one product that we had to move to due to the limitations of Solarwinds for log collection (we collect ~20GB of logs daily with a 1 Year online retention), but I think the two could work together pretty well if the integration could be created.  Hopefully this summer I can spend a week or so and write it...

                                 

                                -David
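
A sketch of the node-name search discussed in this post, and of the "last 10 events from host" wish earlier in the thread, as an added example that is not code from any poster, Splunk or SolarWinds. It builds (without sending) a request to Splunk's `/services/search/jobs/export` REST endpoint and parses a constructed response; the host name, token authentication and the assumption that Splunk's `host` field equals the Orion node name are placeholders.

```python
import json
import re
import urllib.parse
import urllib.request

# Assumed values, not from the thread: placeholder host, token auth, and a
# Splunk "host" field that matches the Orion node name.
SPLUNK_BASE = "https://splunk.example.internal:8089"
EXPORT_PATH = "/services/search/jobs/export"
NODE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")


def build_search(node_name, limit=10):
    """Return an SPL query for one node, refusing anything but a plain hostname.

    The node name arrives from a web page, so quotes, pipes or newlines in it
    would otherwise change the search that Splunk runs.
    """
    if not NODE_RE.fullmatch(node_name):
        raise ValueError("not a plain hostname: %r" % (node_name,))
    if not 1 <= int(limit) <= 1000:
        raise ValueError("limit out of range")
    return 'search host="%s" | head %d' % (node_name, int(limit))


def build_request(node_name, token, limit=10, earliest="-24h"):
    """Build (but do not send) the POST to the export endpoint."""
    body = urllib.parse.urlencode({
        "search": build_search(node_name, limit),
        "earliest_time": earliest,
        "output_mode": "json",
    }).encode()
    return urllib.request.Request(
        SPLUNK_BASE + EXPORT_PATH, data=body, method="POST",
        headers={"Authorization": "Bearer " + token})


def parse_export(raw):
    """The export stream is one JSON object per line; keep final results only."""
    events = []
    for line in raw.splitlines():
        if line.strip():
            obj = json.loads(line)
            if "result" in obj and not obj.get("preview", False):
                events.append(obj["result"])
    return events


# Constructed sample of an export response body (not real log data).
SAMPLE = "\n".join([
    '{"preview":false,"offset":0,"result":{"host":"core-sw01","_raw":"%LINK-3-UPDOWN: Gi0/1 down"}}',
    '{"preview":false,"offset":1,"lastrow":true,"result":{"host":"core-sw01","_raw":"%LINK-3-UPDOWN: Gi0/1 up"}}',
])
```

To run it against a real instance, pass the request to `urllib.request.urlopen` from a client that trusts the Splunk server's certificate and hand the decoded response body to `parse_export`.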