Splunk .conf Day 2 and 3

So when I last left you guys, I was attending Splunk .conf.  My plan was to write each day, but I quickly realized how long the day was when you included 9 hours of conference plus commuting to and from DC each day, so screw that.  I am currently waiting for Splunk to release the videos from the conference (that should happen in another week or two, I expect), and when that does happen, I will write about a few of the specific talks that I attended.

In the meantime, some general thoughts.  There are a lot of people using Splunk, and machine data in general, to do some pretty cool things.  I think I’ve mentioned it before, but I’ve been using it on a nearly daily basis for the last year and have quickly fallen in love with it.  It’s intuitive, handles huge amounts of data very well (I think the last time I looked my index had somewhere in the neighborhood of 400 billion events), and above all it’s flexible.  When you compare it to ELK, it is this level of flexibility that makes life so much easier.  Being able to define what my data looks like AFTER I have already ingested it is a game changer.

Another thing that I took away from it is just the breadth of sources people were pulling data from, and what they were getting out of that data.  Take, for example, this post on the Splunk Blog where they took publicly available information from a couple of sources and put it together to identify doctors who were suspected of committing Medicare fraud.  Another group took data from the National Weather Service, the Dark-Sky Association, and sunrise/sunset information to determine when and where the best place to do astrophotography was (a personal favorite of mine).  Many of the workshops that I spent time at focused on how to optimize your current use of Splunk: speeding up searches, visualizing data better, and things like that.  As I said, over time I will write about specific topics.