Splunk: Log Management & SIEM Overview
Official site · Latest version: 9.4
Splunk ingests machine data (logs, metrics, traces), indexes it, and lets you search, alert and report on it with SPL (Search Processing Language). It is one of the most widely deployed commercial SIEM and log analytics platforms; strictly, the SIEM layer is the Enterprise Security app running on top of the core platform. It is available self-hosted (Splunk Enterprise), as SaaS (Splunk Cloud Platform), or on a free license for small daily volumes. Note that the free license disables user authentication, so it is for labs and evaluation, not production.
The pipeline in one paragraph
Forwarders ship data to indexers, which parse it into events (line breaking, timestamp extraction, source type assignment, any index-time field extraction) and store it in indexes. Search heads run SPL queries against those indexes. Most field extraction happens at search time, so a source whose fields come out wrong is usually fixable without re-indexing, while a wrong timestamp or source type is baked in at index time. Two forwarder types matter: the universal forwarder is a lightweight agent that only collects and ships, while a heavy forwarder is a full Splunk instance that can parse, filter and route before data reaches the indexers. In small deployments one box does all three roles; at scale you separate them and cluster the indexers (and usually the search heads).
SPL: the part you live in
SPL is a piped language — each | passes results to the next command:
index=firewall action=blocked
| stats count by src_ip
| sort -count
| head 10
That’s “the ten source IPs with the most blocked connections.” The search assumes an index named firewall and a source type whose add-on extracts action and src_ip as fields; against raw syslog with no add-on you get only _raw and the default fields (host, source, sourcetype, _time) and would need a rex or a field extraction first. Our SPL config examples cover stats, eventstats, transaction, lookups and more.
Licensing reality check
Splunk has historically been priced on daily ingest volume (GB/day), with newer workload-based (Splunk Virtual Compute) and entity-based options. Costs climb fast with noisy sources, so deciding what not to index is a core operational skill, not an afterthought. Two points trip people up. First, an event dropped before indexing is gone for good and not searchable later, so filters should be narrow and reviewed like any other security control; a rule that discards every request to a health endpoint also discards an attacker probing that endpoint. Second, content-based filtering (props.conf/transforms.conf routing events to nullQueue) runs in the parsing pipeline, so it belongs on a heavy forwarder or the indexers; a universal forwarder can only choose which files and inputs to collect.
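As an added example (not from this page or from Splunk's documentation), the configuration below wires up the pipeline described above end to end: a universal forwarder collecting nginx access logs and shipping them over verified TLS, and the indexer tier accepting them and dropping health-check noise before it counts against the license. Hostnames, certificate paths, the web index and the nginx:access source type are assumptions chosen for illustration; the setting names are standard Splunk conf settings.

```ini
# Added example, not Splunk's own documentation. Hostnames, paths, index and
# source type names are assumptions. Each section is a separate file.

# ---- Universal forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# The UF only decides WHAT to collect; it does not parse event content, so
# no TRANSFORMS-based filtering can live here.
[monitor:///var/log/nginx/access.log]
index = web
sourcetype = nginx:access
disabled = 0

# ---- Universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ----
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
# Indexer acknowledgement: the UF keeps events in its queue until the indexer
# confirms they were written, so a connection drop mid-transfer loses nothing.
useACK = true
# TLS with server verification. Without sslVerifyServerCert the UF will send
# to anything that answers on 9997, including a rogue host on the same network.
clientCert = /opt/splunkforwarder/etc/auth/uf-client.pem
# sslPassword = <only if the private key is encrypted; keep it out of version control>
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal, idx2.example.internal
# Both sides trust the CA named by sslRootCAPath in server.conf (not shown).

# ---- Indexer (or heavy forwarder): $SPLUNK_HOME/etc/system/local/inputs.conf ----
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = /opt/splunk/etc/auth/indexer.pem
# Reject forwarders that cannot present a certificate from our CA.
requireClientCert = true

# ---- Indexer (or heavy forwarder): $SPLUNK_HOME/etc/system/local/props.conf ----
# TRANSFORMS-* run in the parsing pipeline, so this stanza has no effect on a UF.
# Listed transforms run in order; the last matching one decides the queue.
[nginx:access]
TRANSFORMS-filter = drop_healthchecks

# ---- Indexer (or heavy forwarder): $SPLUNK_HOME/etc/system/local/transforms.conf ----
# Drop only SUCCESSFUL probes of the exact health endpoint. Anchoring on both the
# request line and the 200 status keeps a probe that carried a payload, hit a
# different path, or failed, so a detection search can still see it.
# Combined-format line: ... "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.29"
[drop_healthchecks]
REGEX = "(?:GET|HEAD) /healthz HTTP/1\.[01]" 200\s
DEST_KEY = queue
FORMAT = nullQueue
```

After restarting the parsing tier, confirm the filter is doing what you intended in both directions: the daily volume for the web index should fall in the license usage log (index=_internal source=*license_usage.log type=Usage | stats sum(b) as bytes by idx, st), and a search for /healthz in sourcetype=nginx:access should return only the non-200 or non-GET hits you chose to keep.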