Just in time for the new year – it's Preview #2
Happy New Year (a bit early) to all dev.splunk.com readers….
We have just posted our second 3.2 preview release (build number 30455).
It's packed with holiday goodness, albeit very raw.
First you will notice we have posted a Windows build. It's been in the cooker since last Feb and thanks to Mitch, Ledio, Igor and a bit of Amrit we now have a single code base that rocks on Linux, Mac, Solaris, FreeBSD, AIX, AND Windows. This was not an easy feat, as evidenced by our gift of a pony (soft and electronic) to Mitch for his effort. It's still very raw (the build, not the pony), and has a tendency to crash because of memory fragmentation and limited VM space. Which will be fixed…
Configuring roles in Splunk 3.2 preview
Last week I made a video about how to set up new roles in the Splunk 3.2 preview release. The video demonstrates creating a new type of power user, with the same capabilities as a standard power user plus the ability to manage and create new users. You will also see how to create new roles by configuring authorize.conf.
(Update): While watching the video again I realized I sent a mixed message about where to edit configuration in Splunk. I made it clear that you want to edit in the local bundle directory, and if you look at the terminal that is where I was editing my configuration; however, I later said “default overrides local, so always edit in…
Venture Diaries: Part Three
I’ve written previously about our experience this year raising a $25M Series C round of venture financing. Venture Diaries: Part One discusses why you want to think before you act and investigate who to target as potential investor partners. Venture Diaries: Part Two looks at how to perform your investigation. In this third part, I look at how to handle the horse race that inevitably develops once you get a few term sheets.
For me it all started when the first term sheet came in. Funny how some VCs still use fax machines. I had to go figure out where ours was. In the current seller’s environment (yes that’s what you are, a seller of equity in your company) one thing to keep…
conf files, part 2
Here are a couple more of my conf files explained. First the simple one:
server.conf
[sslConfig]
enableSplunkSearchSSL = true
All this says is that I’m using SSL on the front end. I clicky clicky the nice UI control and it magically happens. There could be a pile of other stuff in here, like specifying real paid-money-for certs if I were using any. But I’m not. Self-signed works for me, even if it means my users get whiny messages from their browsers. Whatever.
access_controls.conf
[roles]
apache2 = source::/var/log/apache2

[groups]
hosted_user = apache2

[users]
user1 = hosted_user
I added some access controls to help out one of my novice users, somebody who maintains the content on several sites but isn’t a big sysadmin. I set up a role…
conf file 101, part 1
I’m going over some stuff for the new support engineers, so I thought it would be useful to put it in a blog post. As an example of what you can do with conf files, I’ve got the changes I make to my own configuration and why. This is more focused on 3.1.x rather than preview, but I’m basically using the same configuration in both so far. For public consumption, I’ve changed some names but otherwise this is the contents of my conf files.
This first post is about inputs.conf, props.conf and transforms.conf, the basics of event handling.
inputs.conf
host = myhost

[tail:///Library/Logs/CrashReporter]
disabled = false
sourcetype = crashreporter

[tail:///Library/Logs/MySQL.log]
disabled = false

[tail:///Library/Logs/Software Update.log]
disabled = false

[tail:///Library/Logs/DirectoryService]
disabled = false

[tail:///var/log]…
Common Event Expression
Common Event Expression (CEE) standardizes the way computer events are described, logged, and exchanged. It is an effort hosted by Mitre, as are so many other computer security standards, like CVE and OVAL. The CEE effort is subdivided into four sub-efforts. Each will publish its own set of requirements to guarantee seamless future interoperability of devices and applications:
- Event Syntax
- Event Taxonomy
- Event Transport
- Event Logging Recommendations
The order in which I listed these efforts is most likely the order in which CEE is going to address the different standards and how they are going to be standardized. There is a real need to standardize all of these items if we want companies (mainly vendors) to focus on building meaningful and interesting analysis capabilities, instead…
Common Event Format – Add-on
The Common Event Format (CEF) is a standard for the interoperability of event- or log-generating devices and applications. The standard defines a syntax for log records: a standard prefix followed by a variable extension formatted as key-value pairs. The standards document is unfortunately only available if you register on the Web site. I wish ArcSight would post a link to the standards document instead of making you register to download it. If you want more detailed information about CEF, check out an older post I wrote when I was still working on CEF.
I just wrote a CEF add-on for Splunk. It defines field extractions for CEF formatted messages. Just install the add-on, set your source type to cef and…
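To make the prefix/extension layout described above concrete, here is a small CEF parser. It is an added example and not the Splunk add-on's own field extractions; it follows the public CEF layout (`CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension`), where header fields escape `|` and `\` with a backslash and extension values escape `=` and `\` and encode line breaks as `\n` / `\r`. The sample events are constructed for the example, and the syslog prefix on the third one is an assumption about how such messages typically arrive.

```python
import re

# Constructed sample events (not from the original post). The second one
# exercises every escape rule; the third carries an assumed syslog prefix.
SAMPLE_EVENTS = [
    "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
    "src=10.0.0.1 dst=2.1.2.2 spt=1232",
    r"CEF:0|Vendor\|Inc|Product\\Name|2.1|200|detected pipe \| in name|5|"
    r"msg=user\=bob logged in\nfrom console act=allow",
    "Sep 19 08:26:10 host CEF:0|Security|threatmanager|1.0|100|"
    "worm successfully stopped|10|src=10.0.0.1",
]

# The seven '|'-delimited header fields that follow the "CEF:" marker.
HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")


def _split_header(text):
    """Split on unescaped '|' and return (seven header fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):   # '\|' or '\\' -> the literal char
            cur.append(text[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            if len(fields) == len(HEADER_FIELDS):
                return fields, text[i:]        # the rest of the line is the extension
            continue
        cur.append(c)
        i += 1
    raise ValueError("truncated CEF header: fewer than 7 '|'-delimited fields")


# A key is a run of name characters immediately before an unescaped '='.
# '\=' cannot match because the backslash is not a name character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")
_EXT_UNESCAPE = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def _unescape_ext(value):
    """Resolve extension-value escapes; unknown escapes are left untouched."""
    return re.sub(r"\\(.)", lambda m: _EXT_UNESCAPE.get(m.group(1), m.group(0)), value)


def _parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one CEF line (optionally syslog-prefixed) into a dict of fields."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no 'CEF:' marker in line")
    fields, ext = _split_header(line[start + len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = _parse_extension(ext)
    return event


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(parse_cef(raw))
```

The header scanner stops after the seventh pipe on purpose: the extension is free-form text and can legitimately contain unescaped `|`, so splitting the whole line on `|` (a common shortcut) silently corrupts the `msg` of any event that mentions a pipe.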
Hey Browser, You’ve Got Tail!
For those interested in monitoring real-time data being consumed by Splunk we’ve introduced a new feature called Live Tail to the latest preview release. Additionally, we’ve added a nifty new REST endpoint /v3/splunk/tail for your custom application needs.
More information can be found in these videos:
- A quick walkthrough of the new preview release feature Live Tail, its UI, and some sample code – See Video
- An overview of the architecture used to integrate real-time data from Splunk Live Tail in a web browser. Challenges and workarounds when using JavaScript/Flash hybrids – See Video
Happy Streams!
getting my existing index into preview
Preview is out the door, woohoo! Up here in support I'm busy with the existing versions, so I hadn't checked out many of the new features. I wanted to mess with real data I care about, so I figured I'd copy my existing index and drop it into my splunkpreview directory. I host a handful of domains at home (on Leopard Server) and I'm using Splunk to watch various things I want to know, like who's commenting on my blog and how many dictionary attacks I've had today. I thought it would be nifty to look at the same data in both 3.1.3 (my current production version) and preview.
The first time I tried it, I thought I’d be clever…
flexible roles and chamber of secrets
Hi Kids,
So we have added flexible roles into the preview release. Well, what does that mean?
We will now allow folks to create their own roles. The previous ones (Admin, Power and User) will be included as defaults.
There is currently no GUI available for editing roles, but you can directly edit the config file $SPLUNK_HOME/etc/bundles/default/authorize.conf.
To add in these roles we did an audit of our system and broke down various actions into capabilities. These capabilities can be grouped together to create any role. Please bear with us here, this is just a first cut and we may not have chopped up things in a way that makes sense to you. This is the beauty of preview: you got a suggestion about capabilities you’d like to…