The general idea is that Splunk can take any data, any log, from anywhere in your infrastructure and add it to a searchable, intelligent index through which you can extract all sorts of meaningful data about what's happening. By default, the system will watch all the logged events and return slices of interesting data. For instance, from the dashboard you can see that a specific server name or event type is occurring at a higher than normal frequency. From there, you can drill down and chase the cause of the error from the hypervisor to the storage, networking, and even the VM.
You can find more at the link below:
https://helgeklein.com/blog/2014/09/splunk-work/
There are also some video lectures available. You can check online:
https://www.coursera.org/learn/bigdata-analytics/lecture/rFnSu/how-splunk-works-hands-on-tutorial
If there's gold in log files, Splunk, Inc.'s Splunk Enterprise will help you to find it. Splunk bridges the gap between simple log management and security information and event management (SIEM) products from vendors such as ArcSight, RSA, Q1 Labs, and Symantec.
http://www.networkworld.com/article/2181089/security-vulnerability-mgmt/splunk-explains-it-all.html