Smart AnSwerS #56

Hey there community and welcome to the 56th installment of Smart AnSwerS.

We just hosted the March SF Bay Area User Group meeting last night at Splunk HQ and had a great conversation about various real and hypothetical security scenarios in the spirit of RSA. It was awesome to hear a mix of experiences and lessons from Splunkers, partners, and customers. If you want to learn about all the juicy details from the meeting, visit the #sfba channel in our Splunk User Group Slack Chat where smoir (thank you!) “liveslacked” all the key topics discussed. It will only be available to view for a limited time, so act fast! Otherwise, feel free to hang out in that channel during our next meeting on Tuesday, April 19th @ 6:00PM at Yahoo! HQ in Sunnyvale, CA, hosted by Becky Burwell.

Smart AnSwerS will be taking a break for the next 3 weeks as I’ll be on PTO in a land far far away, but will jump back into action at the end of March. Until I return, enjoy this week’s featured Splunk Answers posts:

As part of a Splunk alert, is it possible to include 100 lines from the log prior to the event that triggered the alert?

cybrainx wanted to set up and trigger an alert when an ERROR string was found, but also include 100 lines from the log prior to the trigger event in the results. SplunkTrust member rich7177, with an assist from fellow member MuS, came up with a search to capture all necessary raw data before using a combination of eval, streamstats with window=100, and transaction to make this alert requirement possible.
https://answers.splunk.com/answers/310019/as-part-of-a-splunk-alert-is-it-possible-to-includ.html
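To make the streamstats idea concrete, here is an added example search in the same spirit (my own sketch, not the search posted in the thread): the index, sourcetype and the literal "ERROR" match are assumptions, and it relies on the default time-descending event order, in which the 100 events that follow each error in the stream are the 100 lines logged before it.

```spl
index=app sourcetype=app_log
| eval is_error=if(match(_raw, "ERROR"), 1, 0)
| eval error_time=if(is_error=1, _time, null())
| streamstats window=101 current=true sum(is_error) AS errors_nearby max(error_time) AS context_for by host source
| where errors_nearby > 0
| eval context_for=strftime(context_for, "%Y-%m-%d %H:%M:%S")
| reverse
| table _time host source context_for is_error _raw
```

window=101 counts the current event plus the 100 preceding it in the stream, so every event that has an ERROR within the 100 newer lines of the same host and source is kept, tagged with the timestamp of that error in context_for; saving this as an alert that fires when the result count is greater than 0 gives the error lines and their preceding context in one result set.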

What is the recommended compatibility sequence of upgrading instances in my environment from Splunk 6.2.7 to 6.3.2?

rcreddy06 had an environment with a search head cluster, indexer cluster, deployment server, heavy forwarders, and universal forwarders running Splunk 6.2.7, but wanted to upgrade everything to 6.3.2. To tackle this properly, rcreddy06 needed to know in what order and how to upgrade each instance or group of instances for a smooth transition. esix breaks down the upgrade process in phases with things to look out for and references the relevant documentation.
https://answers.splunk.com/answers/340953/what-is-the-recommended-compatibility-sequence-of-1.html

How to make a world map dashboard using logs from an email server with no IP addresses?

emixam3 was looking for a way to use logs from an email server to plot dots on different countries in a world map based on the domain of receiver email addresses, but had trouble figuring out how to do this without associated IP data. yannK points out that map tools rely on longitude and latitude coordinates, and geoip tools rely on IPs to convert them to coordinates, but gives emixam3 another approach. He suggests creating a lookup with domain, country, lat, and long fields to use for searches in combination with the geostats command to create map visualizations.
https://answers.splunk.com/answers/343068/how-to-make-a-world-map-dashboard-using-logs-from.html

Thanks for reading!

Missed out on the first fifty-five Smart AnSwerS blog posts? Check ‘em out here!
http://blogs.splunk.com/author/ppablo