
Scanner for Splunk

Problem: High-volume log sources such as WAF logs, VPC flow logs, and load balancer logs are often kept in object storage, where Splunk cannot search them. That makes them painful to search exactly when you need them most, such as when you are investigating a threat or debugging an outage.

Solution: Scanner provides custom search commands in Splunk that let you query these logs in object storage at high speed. Get answers quickly, and keep using Splunk as your single pane of glass: build reports and dashboards in Splunk that combine results from Splunk indexes with results from object storage logs. Your logs in object storage are no longer a blind spot.

Scanner is built for needle-in-a-haystack queries. For example, searching a 100 TB log data set for a list of IP addresses, email addresses, or UUIDs takes about 10 seconds in Scanner, and the same search over a 1 PB data set takes about 100 seconds. This can be 10-100x faster than tools like Athena, especially against raw JSON logs that have not yet been optimized with Parquet and partitioning.

To get started, sign up for a Scanner instance. Once it is ready, the Splunk app's setup page lets you store Scanner API keys and assign them to Splunk roles. Scanner uses Splunk's "storage passwords" feature to store the API keys, so any role that interacts with Scanner needs the "list_storage_passwords" capability. That capability is not scoped to Scanner: it lets a role read any credential in storage/passwords that the role can otherwise see, so grant it only to the roles that will actually run Scanner searches rather than to a broad base role.

If you want Splunk to be your single pane of glass for both Splunk logs and the logs you keep in object storage, Scanner can help you make that happen. With Scanner you can run fast queries against object storage logs, join them against Splunk logs, build dashboards from object storage logs, and more, so those logs stop being a blind spot.
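The capability requirement above is easy to over-grant through role inheritance, because a Splunk role picks up every capability of the roles listed in its importRoles setting. The following Python script is an added example, not part of the Scanner app or of Splunk: it parses a constructed authorize.conf fragment and reports every role that ends up with list_storage_passwords, whether it holds the capability directly or inherits it. The role names and the sample stanzas are assumptions for illustration; point it at your own authorize.conf (under $SPLUNK_HOME/etc/system/local or an app's local directory) to confirm that only the roles meant to run Scanner searches hold the capability.

```python
"""Audit which Splunk roles end up with list_storage_passwords.

Added example (not part of the Scanner app or of Splunk). Parses an
authorize.conf-style text and resolves importRoles so that roles that
inherit the capability are reported alongside roles that hold it directly.
"""
import configparser
from typing import Dict, Set

CAPABILITY = "list_storage_passwords"

# Constructed sample authorize.conf fragment for illustration only.
# Role names are hypothetical; only the stanza/key syntax follows Splunk's.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main

[role_power]
importRoles = user
schedule_search = enabled

[role_scanner_search]
importRoles = user
list_storage_passwords = enabled

[role_soc_analyst]
importRoles = scanner_search;power

[role_helpdesk]
importRoles = user
"""


def parse_roles(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {role_name: {key: value}} for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (importRoles, srchIndexesAllowed)
    cp.read_string(conf_text)
    roles: Dict[str, Dict[str, str]] = {}
    for section in cp.sections():
        if section.startswith("role_"):
            roles[section[len("role_"):]] = dict(cp[section])
    return roles


def imported_roles(role: Dict[str, str]) -> Set[str]:
    """importRoles is a semicolon-separated list of parent role names."""
    return {r.strip() for r in role.get("importRoles", "").split(";") if r.strip()}


def holds_directly(role: Dict[str, str], capability: str) -> bool:
    """True when the stanza itself sets '<capability> = enabled'."""
    return role.get(capability, "").strip().lower() == "enabled"


def effective_grants(roles: Dict[str, Dict[str, str]], capability: str) -> Dict[str, str]:
    """Map each role holding the capability to 'direct' or 'inherited'.

    Inheritance is resolved transitively through importRoles; the seen set
    guards against import cycles in a malformed config.
    """

    def has(name: str, seen: Set[str]) -> bool:
        role = roles.get(name, {})
        if holds_directly(role, capability):
            return True
        if name in seen:
            return False
        seen.add(name)
        return any(has(parent, seen) for parent in imported_roles(role))

    result: Dict[str, str] = {}
    for name, role in roles.items():
        if holds_directly(role, capability):
            result[name] = "direct"
        elif has(name, set()):
            result[name] = "inherited"
    return result


if __name__ == "__main__":
    grants = effective_grants(parse_roles(SAMPLE_AUTHORIZE_CONF), CAPABILITY)
    for name, how in sorted(grants.items()):
        print(f"{name}: {CAPABILITY} ({how})")
```

On the sample above the script reports scanner_search (direct) and soc_analyst (inherited, via scanner_search); helpdesk and power do not appear because the user role they import never receives the capability. If the capability shows up on a base role such as user, every role that imports it can read stored credentials, which is the over-grant to avoid.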


Latest Version: 0.1.3 (November 18, 2024)
Compatibility: Not Available
Platform Version: 9.4, 9.3, 9.2, 9.1, 9.0
Rating: 0 (0)

Support: Developer Supported app

Categories

Created By: Clifton Crosland
Type: app
Downloads: 269
