Everybody Splunk with the Splunk SDK
One of our partners in Asia came up with the catch phrase “Everybody Splunk”, which we now use internally. Today’s topic is everybody using Splunk’s SDKs. As I’ve spoken to Splunk users, I’ve noticed that many of them are not aware that the SDKs exist. This has been covered elsewhere in the development guide, but I’ll summarize. Splunk has SDKs for running searches outside of Splunk Web and the CLI, available for
- Java
- Python
- C#
- PHP
If that doesn’t cover your favorite language, use the REST API, which is the foundation the SDKs are built on. With the REST API, you can search an index from any language that can speak HTTP(S). The approach in each SDK is essentially…
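As an added example (not code from the post or from Splunk’s SDKs), here is the REST flow the SDKs wrap, written in Python with only the standard library: log in for a session key, create a search job, poll until the job is done, then fetch its results. The endpoint paths are Splunk’s documented management-port API; the host, credentials and canned responses are constructed so the code runs offline.

```python
"""Run a Splunk search over the REST API using only the standard library.

Added example; not code from the original post or from Splunk's SDKs. The
endpoint paths are Splunk's documented management-port API; the host,
credentials and canned responses below are constructed so the flow can run
offline.
"""
import json
import ssl
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

REST_NS = {"s": "http://dev.splunk.com/ns/rest"}


class SplunkRest:
    def __init__(self, base_url, transport=None, cafile=None):
        self.base_url = base_url.rstrip("/")
        self.session_key = None
        # The management port (8089) normally presents a self-signed
        # certificate: trust your own CA bundle instead of turning
        # verification off.
        self._ctx = ssl.create_default_context(cafile=cafile)
        # transport(method, path, body, headers) -> bytes. Injectable so the
        # same code can be exercised against canned responses.
        self.transport = transport or self._https

    def _https(self, method, path, body, headers):
        req = urllib.request.Request(self.base_url + path, data=body,
                                     headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=30, context=self._ctx) as resp:
            return resp.read()

    def _call(self, method, path, params=None):
        headers = {}
        if self.session_key:  # session key instead of a password per request
            headers["Authorization"] = "Splunk " + self.session_key
        body = urllib.parse.urlencode(params).encode() if params else None
        return self.transport(method, path, body, headers)

    def login(self, username, password):
        """POST /services/auth/login and keep the session key for later calls."""
        xml = self._call("POST", "/services/auth/login",
                         {"username": username, "password": password})
        self.session_key = ET.fromstring(xml).findtext("sessionKey")
        return self.session_key

    def search(self, spl, poll_interval=1.0):
        """Create a search job, wait for it to finish, return its result rows."""
        if not spl.lstrip().startswith(("search ", "|")):
            spl = "search " + spl  # the API wants a full SPL pipeline
        xml = self._call("POST", "/services/search/jobs", {"search": spl})
        sid = urllib.parse.quote(ET.fromstring(xml).findtext("sid"))
        while not self._is_done(sid):
            time.sleep(poll_interval)
        raw = self._call("GET", f"/services/search/jobs/{sid}/results?output_mode=json")
        return json.loads(raw)["results"]

    def _is_done(self, sid):
        atom = self._call("GET", f"/services/search/jobs/{sid}")
        key = ET.fromstring(atom).find(".//s:key[@name='isDone']", REST_NS)
        return key is not None and key.text.strip() == "1"


# Constructed responses standing in for a live Splunk instance.
CANNED = {
    ("POST", "/services/auth/login"):
        b"<response><sessionKey>abc123</sessionKey></response>",
    ("POST", "/services/search/jobs"):
        b"<response><sid>1234.5</sid></response>",
    ("GET", "/services/search/jobs/1234.5"):
        b'<feed xmlns="http://www.w3.org/2005/Atom" '
        b'xmlns:s="http://dev.splunk.com/ns/rest"><entry><content>'
        b'<s:dict><s:key name="isDone">1</s:key></s:dict>'
        b'</content></entry></feed>',
    ("GET", "/services/search/jobs/1234.5/results?output_mode=json"):
        b'{"results":[{"host":"web01","count":"3"},{"host":"web02","count":"1"}]}',
}


def fake_transport(method, path, body, headers):
    # Every call after login must carry the session key, like the real API.
    if path != "/services/auth/login" and headers.get("Authorization") != "Splunk abc123":
        raise PermissionError("request without a valid session key")
    return CANNED[(method, path)]


def demo():
    api = SplunkRest("https://splunk.example:8089", transport=fake_transport)
    api.login("admin", "changeme")
    return api.search("index=web sourcetype=access_combined | stats count by host",
                      poll_interval=0)


if __name__ == "__main__":
    for row in demo():
        print(row["host"], row["count"])
```

To point it at a real instance, drop the `transport` argument and pass `cafile=` with the certificate chain of your management port; a session key (or, on current releases, an authentication token) keeps the password out of every request, and `output_mode=json` avoids parsing the Atom results feed by hand.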
Real Stories of PCI Compliance: Carlson Marketing and CVS Caremark
PCI compliance isn’t easy, but it is mandatory for any merchant that handles card data, and the validation burden grows once you process more than 20,000 e-commerce transactions a year. Proving compliance affects your profitability, your reputation, and your ability to keep doing business.
Splunk addresses many of the PCI requirements, and has pre-built searches, reports, alerts and dashboards to get you going. You can track a particular transaction across your entire infrastructure, and do it while the auditor is there looking over your shoulder. And perhaps that’s why we’ve had so many IT pros coming to us lately asking about the Splunk solution for PCI compliance.
And as you asked, we’re answering. Next week, we’ve got two events featuring two different customers detailing the challenges with delivering PCI compliance.
First up: Suky Bal, IT Director…
Splunk as a SOA Consumer
When you think about Service Oriented Architectures (SOA), Splunk doesn’t come to mind first. However, any entity that can consume or produce services is by definition a participant in a SOA. With that said, Splunk can capture and index the output of a web service so that it can later be searched.
The next question is what the use cases are. Information that can be captured as a time series is ideal for Splunk. For example, suppose a warehouse is using an RFID reader to capture the movement of goods in and out of its facilities. This information usually drives a software business practice, which in turn may have web…
My head is in the clouds? Help me RightScale
Update: If you’d like to watch the recorded webinar announced below, it is located here:
If you’re new to the cloud, and new to Splunk–or neither–spare an hour tomorrow, February 10th at 11am PST. Splunk and RightScale will be putting on a pretty cool webinar about IT search in the cloud. Infrastructure-as-a-service is becoming more popular as a solution to many challenges IT faces in the coming years. Our friends over at RightScale have quite an amazing platform for managing cloud infrastructure.
RightScale makes it dead simple to get infrastructure deployed in the cloud, but once you’re up and running, what about your IT data: logs, configurations, messages and so on? That’s where our partnership comes in. …
Protip: Add inputs on a forwarder using a CLI search… like a ninja.
Scenario: You deploy a Splunk forwarder, disable the web interface, and now you want to add inputs. What do you do? You could SSH to the box and do it through the CLI locally… you stop… think about it… and you think to yourself, “No way, that’s how a pirate rolls.”
You’re a ninja. You use Splunk. You’re going to use a search to add an input to the remote Splunk server (the forwarder), the same way you throw ninja stars to lay the smack down from a distance every day.
1. Go to the CLI (command line interface) of any server that has Splunk on it (i.e. the indexer).
2. Execute a Splunk CLI search using the crawl command, the input command, and…
How Much More Free Can Free Get?

Well, if you ever wanted to integrate Splunk into your own product or service, free is now really, well … free. We’ve always had a free Splunk license for end users. Now we have the same for software, hardware and service provider partners. As a Splunk Powered Associate you can distribute Splunk with the free license key as part of your offering. You can also link to the Splunk free license download and earn referral credits if the download leads to a purchase. Pretty cool, eh? The free license is still limited to 500MB of uncompressed indexing volume per day, but hey, that’s a lot of data for free.
A few of our Splunk Powered partners have picked up on…
Splunking for a rogue exchange admin
Recently I was speaking with a customer who was concerned that one of the Windows admins was reading the email of regular users. I thought I’d share this tidbit as a simple example of the power of search. In this case, we didn’t need any data source other than the relevant event log, though later analysis of NetFlow data pinned down where the admin was connecting to the Exchange server from.
Problem: Senior admin has reason to think another admin is abusing privileges and reading other people’s mail on Exchange.
Use Case: Splunk the Exchange event logs to check for insider threat.
Search 1: bad_admin_username "EventCode=1016"
Finds: a user who has opened a mailbox owned by someone else (the Exchange information store logs event 1016 when an account other than the mailbox’s owner logs on to it).
Search…
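The same check run outside Splunk, as an added example that is not code or data from the post: parse event log text in the shape Splunk’s Windows event log input produces for MSExchangeIS event 1016, extract who opened which mailbox, and report accounts that opened several mailboxes they do not own. The sample events are constructed; the service-account allowlist is an assumption, since backup and mobile-sync service accounts legitimately trigger 1016 and would otherwise bury the rogue admin. It goes a step beyond the single search above by counting distinct mailboxes per account, which separates a delegate who opens one shared mailbox from an admin browsing many.

```python
"""Flag accounts opening mailboxes they do not own (Exchange event 1016).

Added example; not code or data from the original post. The sample events are
constructed in the shape Splunk's Windows event log input produces for the
MSExchangeIS Mailbox Store event 1016 (Exchange 2000/2003), with blank lines
separating events. The allowlist of service accounts is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample data: three admin snoops, one delegate, one service
# account, and one unrelated store event that must be ignored.
SAMPLE_EVENTS = r"""
03/02/2009 09:14:02 AM
SourceName=MSExchangeIS Mailbox Store
EventCode=1016
Message=Windows 2000 account CORP\badmin logged on to the mailbox /O=CORP/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=ALICE, and is not the primary Windows 2000 account on this mailbox.

03/02/2009 09:15:40 AM
SourceName=MSExchangeIS Mailbox Store
EventCode=1016
Message=Windows 2000 account CORP\svc-bes logged on to the mailbox /O=CORP/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=ALICE, and is not the primary Windows 2000 account on this mailbox.

03/02/2009 09:21:11 AM
SourceName=MSExchangeIS Mailbox Store
EventCode=1016
Message=Windows 2000 account CORP\badmin logged on to the mailbox /O=CORP/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=BOB, and is not the primary Windows 2000 account on this mailbox.

03/02/2009 09:30:05 AM
SourceName=MSExchangeIS Mailbox Store
EventCode=1221
Message=The database "First Storage Group\Mailbox Store (EXCH01)" has 120 megabytes of free space after online defragmentation has terminated.

03/02/2009 09:44:52 AM
SourceName=MSExchangeIS Mailbox Store
EventCode=1016
Message=Windows 2000 account CORP\bob logged on to the mailbox /O=CORP/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=ALICE, and is not the primary Windows 2000 account on this mailbox.

03/02/2009 10:02:19 AM
SourceName=MSExchangeIS Mailbox Store
EventCode=1016
Message=Windows 2000 account CORP\badmin logged on to the mailbox /O=CORP/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=CAROL, and is not the primary Windows 2000 account on this mailbox.
"""

# Accessing account, then the mailbox DN up to the "and is not the primary" tail.
MAILBOX_RE = re.compile(
    r"account (\S+) logged on to the mailbox (.+?),? and is not the primary", re.I)


def parse_events(text):
    """Split blank-line-separated WinEventLog text into field dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if "=" in line:  # the leading timestamp line has no '=' and is skipped
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def mailbox_opens(events):
    """Yield (account, mailbox CN) for every event 1016 with a parsable message."""
    for ev in events:
        if ev.get("EventCode") != "1016":
            continue
        m = MAILBOX_RE.search(ev.get("Message", ""))
        if m:
            account, dn = m.groups()
            yield account.lower(), dn.rsplit("/CN=", 1)[-1].upper()


def suspicious_accounts(events, allowlist=(), min_mailboxes=2):
    """Non-allowlisted accounts that opened at least min_mailboxes distinct
    mailboxes they do not own. A delegate opens one shared mailbox; an admin
    reading other people's mail opens many."""
    allow = {a.lower() for a in allowlist}
    opened = defaultdict(set)
    for account, cn in mailbox_opens(events):
        if account not in allow:
            opened[account].add(cn)
    return {a: sorted(cns) for a, cns in opened.items() if len(cns) >= min_mailboxes}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for account, boxes in suspicious_accounts(events, allowlist=[r"CORP\svc-bes"]).items():
        print(f"{account} opened {len(boxes)} mailboxes it does not own: {', '.join(boxes)}")
```

Tune `min_mailboxes` and the allowlist to your environment; the equivalent in Splunk is a `stats dc(mailbox) by account` over the same 1016 events, followed by a `where` on the distinct count.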
Sending Email Alerts using Java Mail
Welcome to my first blog entry. Hopefully, this will be a productive experience for all of us.
For my first topic, I’ve decided to talk about customizing email alerts in Splunk. Currently, in the 3.x version of Splunk, you can easily configure an alert to send an email, which can even include the search results. Some people have asked me about customizations such as controlling the From address, the Subject, and the mail host used to send the alert. One quick way to do this is a Scripted Alert: the alert script runs with environment variables already set up for the To, From, Subject, and Host of the email, which it can edit before using your favorite email application to send…