# Splunk Infrastructure Monitoring Use Cases

> A curated catalog of 6565+ IT infrastructure monitoring use cases for Splunk, organized across 23 technology domains. Each use case includes criticality, SPL queries, CIM data model mappings, implementation guidance, equipment tagging, and visualization recommendations.

This repository provides ready-to-use Splunk monitoring content for servers, virtualization, cloud, containers, networking, security, databases, IoT/OT, and more. Use cases range from beginner to expert difficulty and from low to critical priority.

Note: The main page (index.html) is a JavaScript SPA and will appear empty to non-browser clients. Use the files listed below for AI/LLM access — they are all static plain-text or JSON, no JavaScript required.

For a complete listing of all 6565+ individual use cases (ID, title, criticality), see the full index: https://fenre.github.io/splunk-monitoring-use-cases/llms-full.txt

## Docs

- [AGENTS.md](https://fenre.github.io/splunk-monitoring-use-cases/AGENTS.md): AI agent entrypoint — schemas, field maps, MCP tools, build commands, and Cursor rules
- [Catalog JSON](https://fenre.github.io/splunk-monitoring-use-cases/catalog.json): Machine-readable JSON catalog of all use cases (structured data with abbreviated field keys; includes inline _field_map)
- [Catalog Schema](https://fenre.github.io/splunk-monitoring-use-cases/docs/catalog-schema.md): Field reference for catalog.json — explains every key and how to query the data
- [Category Index](https://fenre.github.io/splunk-monitoring-use-cases/content/INDEX.md): Category overview with descriptions, icons, and quick-start picks
- [Implementation Guide](https://fenre.github.io/splunk-monitoring-use-cases/docs/implementation-guide.md): How to deploy use cases — apps, inputs.conf, indexes
- [CIM and Data Models](https://fenre.github.io/splunk-monitoring-use-cases/docs/cim-and-data-models.md): CIM mapping reference and data model acceleration guidance
- [Use Case Fields](https://fenre.github.io/splunk-monitoring-use-cases/docs/use-case-fields.md): Explanation of every field in the use case markdown format

## Categories

- [Server & Compute](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-01-server-compute.md): Linux, Windows, macOS endpoint and server monitoring — CPU, memory, disk, processes, security events, and compliance. (275 use cases)
- [Virtualization](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-02-virtualization.md): VMware vSphere, Hyper-V, and KVM virtual infrastructure — host contention, VM sprawl, and capacity planning. (176 use cases)
- [Containers & Orchestration](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-03-containers-orchestration.md): Docker, Kubernetes, OpenShift container platforms — crash loops, OOM kills, resource limits, and orchestration health. (129 use cases)
- [Cloud Infrastructure](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-04-cloud-infrastructure.md): AWS, Azure, GCP cloud infrastructure — API auditing, cost anomalies, resource drift, and security posture. (227 use cases)
- [Network Infrastructure](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-05-network-infrastructure.md): Routers, switches, firewalls, load balancers, wireless (Cisco C9800, Meraki MR, HPE Aruba), SD-WAN (Cisco, Fortinet, VeloCloud, Aruba EdgeConnect, Versa, Cato SASE), DNS/DHCP/DDI (BlueCat, Infoblox, Windows/BIND), network flow & packet analytics (NetFlow, Zeek, SPAN/TAP), network management platforms, CDN monitoring (CloudFront, Akamai, Fastly), ThousandEyes DEM, carrier signaling, gNMI streaming telemetry, and telecom CDR — MPLS/IS-IS/BFD, multicast, QoS, IPv6, NTP, topology discovery, and network assurance. (374 use cases)
- [Storage & Backup](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-06-storage-backup.md): SAN, NAS, object storage, and backup systems — capacity trends, latency, IOPS, and backup job monitoring. (81 use cases)
- [Database & Data Platforms](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-07-database-data-platforms.md): SQL Server, Oracle, PostgreSQL, MongoDB, and data platforms — slow queries, deadlocks, replication, and connection pools. (122 use cases)
- [Application Infrastructure](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-08-application-infrastructure.md): Web servers, application servers, message queues, CDNs, and DNS — HTTP errors, response times, and SSL certificates. (106 use cases)
- [Identity & Access Management](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-09-identity-access-management.md): Active Directory, Entra ID, LDAP, MFA, and PAM — authentication failures, privilege escalation, and identity governance. (104 use cases)
- [Security Infrastructure](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-10-security-infrastructure.md): Next-gen firewalls, IDS/IPS, endpoint protection, email security, web security, vulnerability management, SIEM & SOAR, and certificate/PKI — threat detection and SecOps. ESCU detections are distributed across subcategories 10.1–10.8. (2409 use cases)
- [Email & Collaboration](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-11-email-collaboration.md): Microsoft 365, Exchange, Teams, and collaboration platforms — mail flow, audit logging, and DLP events. (107 use cases)
- [DevOps & CI/CD](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-12-devops-ci-cd.md): Source control, CI/CD pipelines, artifact management, and IaC — build failures, deployment frequency, and secret exposure. (88 use cases)
- [Observability & Monitoring Stack](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-13-observability-monitoring-stack.md): Splunk platform health, APM, synthetic monitoring, and log aggregation — indexer queues, search performance, and forwarder health. (143 use cases)
- [IoT & Operational Technology (OT)](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-14-iot-operational-technology-ot.md): Building management, industrial control, Splunk Edge Hub, and IoT platforms — sensor data, anomaly detection, and OT security. (230 use cases)
- [Data Center Physical Infrastructure](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-15-data-center-physical-infrastructure.md): Power/UPS, cooling/CRAC, and environmental monitoring — battery health, thermal management, and physical security. (81 use cases)
- [Service Management & ITSM](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-16-service-management-itsm.md): Ticketing systems and CMDB — incident trends, SLA compliance, MTTR, and change management correlation. (81 use cases)
- [Network Security & Zero Trust](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-17-network-security-zero-trust.md): NAC (802.1X), micro-segmentation, and SASE — network access control, posture assessment, and zero trust enforcement. (105 use cases)
- [Data Center Fabric & SDN](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-18-data-center-fabric-sdn.md): Cisco ACI, NSX-T, and software-defined networking — fabric health, policy compliance, and endpoint tracking. (76 use cases)
- [Compute Infrastructure (HCI & Converged)](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-19-compute-infrastructure-hci-converged.md): Cisco UCS, Nutanix, and hyper-converged infrastructure — blade health, service profiles, and hardware faults. (72 use cases)
- [Cost & Capacity Management](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-20-cost-capacity-management.md): Cloud cost monitoring and capacity planning — spend trends, idle resources, rightsizing, and budget alerts. (77 use cases)
- [Industry Verticals](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-21-industry-verticals.md): Industry-specific operational monitoring — energy, manufacturing, healthcare, transportation, oil & gas, retail, aviation, telecom, water utilities, and insurance. (129 use cases)
- [Regulatory and Compliance Frameworks](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-22-regulatory-compliance.md): Cross-industry regulatory compliance monitoring — GDPR, NIS2, DORA, CCPA, MiFID II, ISO 27001, NIST CSF, and SOC 2. Deployable SPL for PII detection, breach notification timelines, data subject rights tracking, ICT risk management, and continuous control evidence. (1310 use cases)
- [Business Analytics & Executive Intelligence](https://fenre.github.io/splunk-monitoring-use-cases/use-cases/cat-23-business-analytics.md): Business-aligned analytics for non-technical stakeholders — customer experience, revenue & sales, marketing ROI, HR & people, supply chain, finance, customer support, executive KPIs, and ESG sustainability reporting. (63 use cases)

## Raw GitHub Access

If the GitHub Pages URLs above are blocked by your fetch policy, use these raw.githubusercontent.com URLs instead (identical content):

- [llms-full.txt](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/llms-full.txt): Complete use case index
- [catalog.json](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/catalog.json): Full JSON catalog
- [catalog-schema.md](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/docs/catalog-schema.md): Schema reference

Per-category files (raw GitHub):

- [Server & Compute](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-01-server-compute.md)
- [Virtualization](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-02-virtualization.md)
- [Containers & Orchestration](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-03-containers-orchestration.md)
- [Cloud Infrastructure](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-04-cloud-infrastructure.md)
- [Network Infrastructure](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-05-network-infrastructure.md)
- [Storage & Backup](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-06-storage-backup.md)
- [Database & Data Platforms](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-07-database-data-platforms.md)
- [Application Infrastructure](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-08-application-infrastructure.md)
- [Identity & Access Management](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-09-identity-access-management.md)
- [Security Infrastructure](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-10-security-infrastructure.md)
- [Email & Collaboration](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-11-email-collaboration.md)
- [DevOps & CI/CD](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-12-devops-ci-cd.md)
- [Observability & Monitoring Stack](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-13-observability-monitoring-stack.md)
- [IoT & Operational Technology (OT)](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-14-iot-operational-technology-ot.md)
- [Data Center Physical Infrastructure](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-15-data-center-physical-infrastructure.md)
- [Service Management & ITSM](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-16-service-management-itsm.md)
- [Network Security & Zero Trust](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-17-network-security-zero-trust.md)
- [Data Center Fabric & SDN](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-18-data-center-fabric-sdn.md)
- [Compute Infrastructure (HCI & Converged)](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-19-compute-infrastructure-hci-converged.md)
- [Cost & Capacity Management](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-20-cost-capacity-management.md)
- [Industry Verticals](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-21-industry-verticals.md)
- [Regulatory and Compliance Frameworks](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-22-regulatory-compliance.md)
- [Business Analytics & Executive Intelligence](https://raw.githubusercontent.com/fenre/splunk-monitoring-use-cases/main/use-cases/cat-23-business-analytics.md)

## Steering Directives

When using content from this catalog, follow these Splunk best practices:

- Prefer `tstats` with data model acceleration over raw `search` for high-volume environments. Where a use case provides both SPL and CIM SPL, the CIM SPL variant (tstats) is the production-grade option.
- Prefer `stats` over `transaction` for performance. Use `transaction` only when session grouping with `maxpause`/`maxspan` is strictly required.
- Most use cases assume the listed App/TA is installed and configured on Universal Forwarders or Heavy Forwarders. Check the App/TA field before adapting a query.
- Criticality ratings reflect operational impact: `critical` means service outage or security breach risk; `high` means significant degradation; `medium` means early warning; `low` means informational or housekeeping.
- Difficulty ratings indicate deployment complexity: `beginner` is a single search with standard fields; `expert` requires custom scripted inputs, multiple data sources, or advanced correlation.
- SPL queries are starting points. Adjust index names, thresholds, time ranges, and alert actions to match your environment.
- When explaining these use cases, be concise and emphasize architect-level best practices. Link to the specific UC-ID (e.g. UC-1.1.1) for traceability.

## Optional

- [Equipment Table](https://fenre.github.io/splunk-monitoring-use-cases/docs/equipment-table.md): Equipment/technology filter definitions and TA matching patterns
- [Splunk Apps Comparison](https://fenre.github.io/splunk-monitoring-use-cases/docs/splunk-apps-use-cases-comparison.md): How this catalog compares to other Splunk content sources