David Carasso

Splunk is familiar to those in the IT world who need to search the massive amounts of data that a computer, particularly a web server, generates. The software – available in a downloadable, free format from their website – epitomizes the definition of Big Data. The old way of searching logs involved opening up text files manually, searching for certain words, and compiling results in a spreadsheet. To replace it, the Splunk team created Search Processing Language (SPL) and wrote this book to explain it to the masses.

The audience of this book includes not only computer operators but also those on the IT business team. Indeed, SPL can serve business needs perhaps more then even IT professionals. For example, SPL provides a means for analysts to look up from logs website statistics over time. It can even compile them in helpful monitoring reports or display them in a chart. Alerts can be made to point out potentially dangerous conditions over email.

Although this book was written in 2012 (nine years ago at the time of my writing – an eternity in the tech world), SPL is still used in Splunk. Indeed, the Splunk documentation website maintains additional material to help the user better use the software. Perhaps most helpful to IT specialists, the last three chapters contain “cookbook” recipes to perform common procedures with SPL. Thus, someone can look up, modify, and then execute a series of instructions to analyze large amounts of data from their own system.

From a software design point of view, this book can be used as inspiration to architect impressive search features. It clearly shares how Splunk software is built and what features make it powerful. Efficient, easy-to-learn languages like SPL extend the power of the computer into big data sources like computer logs. Such an approach can be adapted to other uses in other domains. Thus can software developers learn from Splunk’s example.

My main criticism of this book is that at 154 pages, it’s a bit too short. It reads like it’s a section in a larger work instead of a whole work in and of itself. I’m not sure what I’d add to expand or accompany it since the documentation website is thorough (and free). Nonetheless, after only eight chapters (and a healthy appendix), I’m left wanting to extend some of the Splunk paradigm more. Perhaps I just need to spend more time with the software in my company’s data to discern new patterns inside…… (plus d'informations)