Splunk Beyond Logs: Getting to Observability

Those of us of a certain age know well the saying “Nobody got fired for buying IBM.” In the log analysis and security world, we’ve become lucky to get to the point where people are saying “Nobody gets fired for buying Splunk.” Our success in these areas has definitely created a perception for what products Splunk has and what we can offer to our customers. The problem is that most of these perceptions don’t capture the full power of Splunk. If you ask the average person who codes or operates systems for a living, they’ll probably say that Splunk is a log analysis platform. That’s true, but that’s a mere fraction of the power that Splunk actually has. There’s a lot more that Splunk’s products can do, and this post will show you some of our other capabilities.

Moving Beyond Logs

Splunk, of course, is capable of handling huge volumes of logs and giving you insights from them. However, logs are only part of the data emitted by modern applications. A modern, microservice-based app hosted across multiple cloud environments produces not only logs, but also metrics, traces, and end-user events. In addition to being important to understanding your application, they’re also the types of data that unlock understanding about the health and performance of the business, making it easier for your management to care and support you in a journey towards getting observability in your business. Splunk’s Observability products analyze these and give you insights in ways that log analysis just can’t do. These additional data sources:

• Metrics are emitted by the application as numeric output and are lighter on the wire and easier to analyze and track.
• Traces are the secret sauce for successfully operating modern applications and enable you to determine where each user’s request was handled and what happened to all the downstream dependencies for it.
• Events let you see what’s happening on actual user browsers (or in simulated browsers) to verify end-user experience and make sure it’s awesome.
  
  

Many folks who use Splunk don’t use these data sources with their existing investment in Splunk Enterprise and Splunk Cloud Platform. These data sources can all be analyzed by those platforms, but getting them into Observability and our advanced tools like Splunk Application Performance Monitoring unlocks additional power and insight. Here’s how.

The Power of Observability

Sending all of these data sources into Splunk’s Observability platform lets you do things well beyond log analysis, quickly. For example, by emitting traces, you can see a dynamic service map that shows you where requests are going and where problems are happening. Instead of just seeing a 500 emitted by your most user-facing service and having to dig yourself through logs to find the failing downstream, wouldn’t it be nice to see the actual downstream failing pinpointed on a graph for the request? (See the angry red dot on the map below — this is where the error is)

In addition to the service map showing you errors, we provide an advanced tagging system for your data that lets you slice-and-dice within the traces to figure out more quickly why things are failing - you can separate analysis by tag to see things like if requests are failing more for certain types of users, or in a certain geo, or for a specific version of the app. This is done through Tag Spotlight, shown below. Using Tag Spotlight, you can see problems broke down by environment, error code, and more (click the image to zoom in):

Event analysis is the state-of-the-art for Observability. Since modern applications run as much (or more) in user browsers as they do on servers, you simply must have visibility into how your users interact with your application. The increased amount of third-party frameworks, CDNs, and the like means that you simply can’t have visibility into your entire application and user experience without having the user’s browser report what’s going on. RUM and Synthetics let you see what your users see, in real-time, so you can fix issues before they become angry tweets or impact the business.

How to Get Going

These three elements are just a fraction of the power of Observability, but I picked them to discuss because they show a huge return on investment and really supercharge your ability to troubleshoot problems and deliver better user experience. Going beyond logs makes a huge difference in your ability to solve problems faster. That said, we know logs are fundamental to troubleshooting, so if you’re an existing Splunk Enterprise customer, you can accelerate getting your logs into Splunk Observability through Log Observer Connect.

A big advantage of Splunk’s Observability system is that all of our Observability components (Application Performance Monitoring, Infrastructure Monitoring, Real-User Monitoring, Synthetic Monitoring, and Log Observer) are built on the industry-standard open framework of OpenTelemetry. Getting started with OpenTelemetry sets you up for long-term success in an observability journey. You do the work of instrumenting your applications only one time, and from there, you can take your data anywhere. We hope you’d keep using it with Splunk, but you can take it to most other commercial vendors or to open-source or homegrown solutions as well. Ownership of your data is a fundamental principle at Splunk and OpenTelemetry is our expression of that commitment.

Once you’ve instrumented your applications, you can see data stream into Splunk Observability in real-time in just a few minutes — check out our free trial to learn more, or talk to your Splunk sales team member to learn more about trying Observability and going beyond logs.