Scheduled Export of Indexed Data

I’m really enjoying playing with all the new Developer hooks in Splunk 6.3 such as the HTTP Event Collector and the Modular Alerts framework. My mind is veritably fizzing with ideas for new and innovative ways to get data into Splunk and build compelling new Apps.

When 6.3 was released at our recent Splunk Conference I also released a new Modular Alert for sending SMS alerts using Twilio, which is very useful in its own right but is also a really nice, simple example for developers to reference when creating their own Modular Alerts.

But after getting under the hood of the Modular Alerts framework, this also got me thinking about other ways to utilise Modular Alerts to fulfill other use …

» Continue reading

Splunk at the Wall for DEF CON 23

Every year since 1993, security geeks and nefarious hacker types have descended upon Las Vegas for DEF CON, a hacking conference that started with hackers and crackers phreaking AT&T payphones. Twenty-three DEF CONs later, this pilgrimage has changed: it's much bigger now, and sadly plain old telephone service (POTS) has taken somewhat of a back seat. Despite the fact that rumors of cancellation flew around again this year (as they do every year), DEF CON 23 did indeed take place and Splunk was there. In this blog post and the next, I'll describe what we (Splunk and the Security Practice) did at DEF CON, how we did it, and what is coming next!

Let me begin by describing a bit …

» Continue reading

Smart AnSwerS #39

Hey there community and welcome to the 39th installment of Smart AnSwerS.

Playing catch up with work after .conf2015 last week in Las Vegas has been hard, but well worth it. It was great getting to meet many Splunk users for the first time in person, and I have to say, you’re pretty awesome ;D The folks I had the chance to speak to were excited to see old faces, network with other users passionate about our various products, and learn everything and anything possible. Even just overhearing conversations over meals at the same table or in passing, I could feel good vibes all around as the community of users got value not only from the content of …

» Continue reading

Hunk, HDFS, and Indexes

I’ve been asked a number of times why Hunk does not create a physical index the way Splunk does.

First, let me point out that your Hunk instance can search both physical and virtual indexes, allowing you to correlate data from disparate sources and stores within your farm without incurring the cost of duplication.

Now back to the question, which should really be: why can’t a physical index be created in HDFS?

HDFS is a non-POSIX filesystem. In layman’s terms, a POSIX filesystem is one that can be written to and read from in real time: bytes a writer has flushed are immediately visible to readers, and existing bytes can be overwritten in place. One of HDFS’s shortcomings is that data written to a file is not persisted (or visible to readers) until the file is closed. Therefore, you cannot read data that “you think” has been written until …
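As an added illustration, not code from the original post, the Python below exercises the two POSIX behaviours an on-disk index relies on, read-while-open and overwrite-in-place, against a real temporary file, and then runs the same read-while-open experiment against a small in-memory model of the HDFS visibility rule. The `CloseVisibleFile` class is a simplification written for this example (an assumption, not HDFS client code): it makes written bytes visible only after `hflush()` or `close()` and refuses writes to a closed file.

```python
import os
import tempfile


def _scratch_file():
    """Create an empty temp file on the local (POSIX-style) filesystem."""
    fd, path = tempfile.mkstemp(prefix="posix-demo-")
    os.close(fd)
    return path


def posix_read_while_open():
    """Write through one handle and read through a second one before the
    writer has closed. On a POSIX filesystem the flushed bytes are visible
    at once; HDFS only promises visibility after close() or an hflush()."""
    path = _scratch_file()
    try:
        with open(path, "wb") as writer:
            writer.write(b"event-1\n")
            writer.flush()  # hand the bytes to the kernel; file still open
            with open(path, "rb") as reader:
                return reader.read()
    finally:
        os.unlink(path)


def posix_overwrite_in_place():
    """Seek back and overwrite an earlier record. An index does this whenever
    it updates a header or bucket metadata; HDFS files are append-only."""
    path = _scratch_file()
    try:
        with open(path, "r+b") as f:
            f.write(b"AAAA BBBB CCCC")
            f.seek(5)
            f.write(b"XXXX")
            f.seek(0)
            return f.read()
    finally:
        os.unlink(path)


class CloseVisibleFile:
    """Toy model (an assumption for this example, not HDFS client code) of
    HDFS write visibility: written bytes stay invisible to readers until the
    writer calls hflush() or close(), and a closed file cannot be written
    again in place."""

    def __init__(self):
        self._committed = b""
        self._pending = b""
        self.closed = False

    def write(self, data):
        if self.closed:
            raise ValueError("closed; HDFS files are write-once, append-only")
        self._pending += data

    def hflush(self):
        self._committed += self._pending
        self._pending = b""

    def close(self):
        self.hflush()
        self.closed = True

    def read(self):
        return self._committed


def hdfs_model_read_while_open():
    """Same experiment as posix_read_while_open() against the HDFS model.
    Returns (what a reader sees after write, what it sees after close)."""
    f = CloseVisibleFile()
    f.write(b"event-1\n")
    seen_before_close = f.read()
    f.close()
    seen_after_close = f.read()
    return seen_before_close, seen_after_close
```

The first two functions succeed on any local filesystem; the third returns an empty read before `close()`, which is the "you think it was written" trap the post describes, and is the reason an index format built on in-place updates cannot simply be pointed at HDFS.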

» Continue reading

Use Custom Polygons in Choropleth Maps

In late September, 4,000 attendees gathered in Las Vegas for .conf, our annual user conference. Among a host of other features, we introduced Choropleth Maps, a new visualization type in Splunk 6.3. We’re very excited to see the various use cases where Choropleth maps will come in handy. If you already have ideas how to make use of the maps in your dashboards but don’t know how to get started, this article is for you. Also don’t forget to check out the Choropleth Maps documentation to get an idea about the different configuration options.

Under the covers the Choropleth maps make use of Geospatial Lookups, another new feature in Splunk 6.3. Geospatial lookups are what really power using Choropleth Maps on …

» Continue reading

Random Words on Entropy and DNS

In my last blog post, I mentioned that I would delve more into how to detect subdomains with relatively high entropy. But first I think it is important to discuss WHAT entropy is; WHY I care if a domain or subdomain has high entropy; and finally, HOW you can use entropy in Splunk to find potentially bad things.

So, what does entropy mean? For the purposes of computer science, I tend to use the definition of entropy as “… a measure of uncertainty in a random variable” [1]. For most things in computer science, entropy is calculated with the formula Claude Shannon introduced:

In other words (since if you are still reading this section, …
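As an added example, not code from the original post, the Python below computes Shannon entropy, H = -sum(p(c) * log2 p(c)) over the characters of a string, for the subdomain portion of each query in a constructed DNS log, and flags subdomains that are both long enough for the score to mean anything and above a threshold. The log format, the `query=` field, the two-label registered-domain assumption and the 3.5-bit threshold are all assumptions made for this example; real data needs a public-suffix list (co.uk and friends) and a threshold tuned against your own baseline.

```python
import math
import re
from collections import Counter


def shannon_entropy(text):
    """Shannon entropy in bits per character: H = -sum(p_c * log2(p_c))."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def subdomain_labels(fqdn, suffix_labels=2):
    """Everything left of the registered domain. Assumes a two-label suffix
    (example.com); real data needs a public-suffix list."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[:-suffix_labels])


# Assumed log layout for this example; adjust the regex to your own source.
QUERY_RE = re.compile(r"query=(?P<fqdn>[A-Za-z0-9.-]+)")

# Constructed sample lines, not real telemetry.
SAMPLE_DNS_LOG = """\
2015-10-08T12:00:01Z client=10.1.2.3 query=www.example.com type=A
2015-10-08T12:00:02Z client=10.1.2.3 query=mail.example.com type=MX
2015-10-08T12:00:03Z client=10.1.2.7 query=k3j9x2m7q5z1w8v4.example.com type=A
2015-10-08T12:00:04Z client=10.1.2.7 query=aaaaaaaaaaaaaaaa.example.com type=A
2015-10-08T12:00:05Z client=10.1.2.9 query=cdn-assets-static.example.com type=A
"""


def score_queries(log_text):
    """Yield (fqdn, subdomain, entropy) for every query= field in the log."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        fqdn = m.group("fqdn")
        sub = subdomain_labels(fqdn)
        yield fqdn, sub, round(shannon_entropy(sub), 4)


def flag_high_entropy(log_text, threshold=3.5, min_len=12):
    """Return FQDNs whose subdomain is at least min_len characters and scores
    above threshold. Short labels are skipped: a three-letter 'www' can never
    exceed log2(3) bits, so length matters as much as the score."""
    return [fqdn for fqdn, sub, h in score_queries(log_text)
            if len(sub) >= min_len and h > threshold]


if __name__ == "__main__":
    for fqdn, sub, h in score_queries(SAMPLE_DNS_LOG):
        print(f"{h:5.2f}  {sub:20s}  {fqdn}")
    print("flagged:", flag_high_entropy(SAMPLE_DNS_LOG))
```

Note what the two filters do on the sample: the 16-character `aaaaaaaaaaaaaaaa` label is long but scores 0 bits, the 17-character `cdn-assets-static` label is long and human-looking and stays under the threshold, and only the 16-character label made of 16 distinct characters reaches the maximum of log2(16) = 4 bits and is flagged.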

» Continue reading

Splunking Box Data – Content Events

In my last post about Splunking Box data, we focused on user authentications including percentage of failed logins, where logins are coming from, user accounts associated with failed logins, etc.  In this post, I want to focus on some of the events surrounding Box content once a user is authenticated.

Content Events

In the context of this post, we will call a content event anything that happens to your Box content.  For example, a content event may be a file preview, upload, download, sharing, delete, etc.  There is a handy event type defined in the Splunk Add-on for Box called box_events_change.  Using this event type, we can get an idea of the type of activity going on within the …

» Continue reading

Splunking NRL 2015. The winner will be…
The 2015 National Rugby League (NRL) season comes to a breathtaking end this weekend with Brisbane Broncos playing the North Queensland Cowboys in Sydney this Sunday. While I was planning out the weekend I started wondering how would these two Queensland teams perform playing in Sydney. As most sports fans would know, there is a common myth that teams perform their best when playing at home…but is this really true? I thought I’d try and find out by Splunk’ing some historical NRL data and asking some tough questions. I then created four dashboards that I’ll discuss below.…

» Continue reading

We proudly announce: the 2015-2016 SplunkTrust Membership!

Whew! Now that we’re back from .conf and the dust from Megacup’s hooves has settled, I’m proud and pleased to announce the inaugural membership of the SplunkTrust!

We created the SplunkTrust Community MVP program to recognize our community’s top contributors, and to involve them in planning and policy decisions as our community grows. These community members have shown the very highest level of commitment to helping others succeed with Splunk, and are the first year’s SplunkTrust member roster:

  • Aleem Cummins
  • Bernardo Macias
  • Camille Balli
  • Charlie Huggard
  • Chris Kurtz
  • David Shpritz
  • Duane Waddle
  • George Starcher
  • Gregg Woodcock
  • Jacob Wilkins
  • Kate Lawrence-Gupta
  • Kyle Smith
  • Martin Müller
  • Mason Morales
  • Michael Uschmann
  • Mark Runals
  • Mike Langhorst
  • Nick Mealy
  • Rich Mahlerwein
  • Sherman Smith

» Continue reading

Cheers to .conf2015 with Three Clicks and a Beer

Tuesday was the kickoff of .conf2015: The 6th Annual Splunk Worldwide Users’ Conference in Las Vegas and it was incredible.  After months of preparation, we were ready to hit the stage for the keynote and show the audience – our customers – how much we appreciate their loyalty, their innovation, and their inspiration.  The room was packed.  The staging was absolutely impressive. The place was buzzing.  I was, and still am, in awe of the amount of work, preparation, and production needed to pull off an event of this scale. It’s just one more example of why I am so thrilled to be part of this team.

I was the third speaker in an impressive lineup of Splunkers …

» Continue reading