Managing your Ingestion with the search bar

Many of our cloud customers have asked me how to better manage their data, e.g. determine volume by sourcetype, or volume by forwarder.  This is typically available via the Distributed Management Console, but in some cases, a person’s role prevents them from getting full access to it.  In the article below, I will guide you through several searches aimed to let anyone dive a bit deeper into their Splunk Cloud service.

Below are a few searches I find helpful

Total Ingestion Volume over time

index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type="RolloverSummary" | eval GB=b/1024/1024/1024 |timechart span= 1d sum(GB) as GB |


Be sure to double check your time range selector here, I usually search over the past 7 days. If you want to look …

» Continue reading

Adding a Deployment Server / Forwarder Management to a new or existing Splunk Cloud (or Splunk Enterprise) Deployment

As part of the Cloud Adoption team, I am working with Splunk Cloud (and Splunk Enterprise) customers on a daily basis and I get asked questions quite frequently about how to optimize, and effectively reduce, administration overhead. This becomes especially relevant when I am talking with new or relatively new customers that are expanding from a handful of forwarders, into the 100’s or 1000’s of forwarders. And I always say…. start with a Deployment Server.

For larger customers that have trained and experienced Splunk Administrators, or have engaged with Professional Services, this is a given and typically already exists in their deployments.

On the other end however, new Splunk Cloud and Splunk Enterprise customers may not have this luxury.…

» Continue reading

Capturing Akamai Data with Splunk

#### UPDATE ####
Some of the information in my article below is now out of date.  For more information on capturing Akamai data or the HTTP Event Collector, please visit


Before we begin, I would like to give a very big and very public “Thank You!” to all of the people that have assisted with this, especially Jason Conger.  If you will be attending .con2015 in a couple of days, please be sure to stop by the Akamai booth.

If you’re an Akamai user, you can’t afford to not monitor your data.  By pulling it into Splunk, you can easily monitor SLA’s of cloud service providers, gain instant visibility into applications, and monitor security events and incidents …

» Continue reading

End-to-End Protection and Threat Mitigation for Cisco Network Environments via Splunk, ISE, and pxGrid

In our previous post, and the subsequent Cisco article, we delved into how Cisco Identity Services Engine can be used to enrich operational analytics with Splunk with personal data. Let’s look at a real-world example plus explore the latest Splunk and security integration.

At Cisco Live Cisco product manager Kevin Guidinger delivered a great session detailing how Cisco Cloud and Managed Services (CMS) uses Splunk to manage more than 2.5 BILLION security events per day across Cisco security and third-party security products. That is nearly 30,000 events per second, and no trivial matter.

Kevin highlighted a financial services organization his team works with that requires deep visibility into their BYOD deployment. It’s critical that the team can easily identify and investigate rogue network access, even coming from company issued devices, and then quickly re-mediate …

» Continue reading

Making machine data personal with Splunk and Cisco ISE

Welcome to 2015, year of the hover-board (if you don’t get that reference, you should watch more movies). In the first of a multi-series posts, lets start by taking a look at the goodness Splunk and our partner Cisco have been cooking up to help you understand who is doing what in your environment. We will be covering a series of topics, so be sure to stay tuned.

As a Splunk customer, Cisco uses Splunk Enterprise Security extensively across Cisco IT, Engineering, Advanced Services and Security teams. For example, Cisco’s Computer Security Investigation Response Team (CSIRT) uses Splunk …

» Continue reading

Accelerate troubleshooting in Application-Centric Infrastructures with Cisco & Splunk

Cisco Application Centric Infrastructure (ACI) delivers a holistic architecture that closely links the provisioning of data center networks with the applications running over those networks. The Cisco ACI for Splunk Enterprise App, created in collaboration between Splunk, Cisco, and our joint partner Crest Data Systems, enables users to centrally view operational health of their entire ACI environment, and the underlying entities in real-time. Operators can quickly correlate data from Cisco ACI with data from storage resources, operating systems, applications, and more for enterprise-wide visibility. Anomaly and error detection has never been easier.


Tracks key metrics such as health scores of all ACI entities including the APIC, fabric, tenants, end-point groups. The add-on also includes VMware correlation for deeper visibility into …

» Continue reading

Tracking mobile presence w/ Cisco Meraki

Following our amazing turn out at .conf2014, I’ve had a lot of inquiries into how we were able to track the attendees based on their location as well as proximity to the wireless Cisco Meraki devices that were setup.


We accomplished this using the Cisco Meraki Presence Modular Input, created by Damien Dalmore, and dashboards created by our .conf dashboard team. Before you’re able to create anything, you need to enable the CMX API as well as traffic analytis.


Once this is completed, you will want to install the Cisco Meraki Presence Modular Input, and exchange the private keys between the two interfaces. ProTip: Ensure that your post URL ends with the suffix ‘/events’.

This is all you need …

» Continue reading

Splunk Sales Engineer Certification – a few tips and tricks

I know that a lot of our partners and internal SE’s have had some questions regarding just exactly what it takes to get certified.  It isn’t rocket science, and having the ability to confidently present a solution in a fluent, and smooth fashion is critical to not only your personal success, but the success of your team and your company.  As someone who assists with scoring presentations, I would like to offer a few bits of advice.

#1 – Come prepared and know your product!  You need to know the product inside and out, and be fully prepared for questions that customers will have… with the right answers! I’ve heard a lot of answers to simple questions over my years, …

» Continue reading

Tips and Tricks with ServiceNow for Splunk

Given Splunk’s release of a full integration with Service Now , I thought it may be nice to describe some functions and possibilities available within the app.  If you download and deploy it today,  you’ll be able to generate events or incidents within ServiceNow (with event generation being a relatively new offering).  You can also track those events and incidents that have been generated within Splunk, via the feed coming from Service Now.  We’ve also included several ‘basic’ dashboards to give users a taste of what they can do.  So lets explore what you can do and what you can splunk, beyond the configuration that is included out of the box.

Within the app, there are three very important files. …

» Continue reading

Integrate Splunk and ServiceNow

If you were to poll the operators of today’s datacenters, they would tell you that there are two fundamental problems:

Not having enough information, and having too much, disparate information.  It is often difficult to trace the root of an enterprise wide problem without having some expertise in understanding exactly what is going on across all tiers of your technology.  It is equally difficult when you’re presented with meaningless errors across these tiers and your operators must rely upon  previous experience, or worse, there are multiple errors to correlate across different systems and no way of understanding the exact transactional or casual pattern of these events.

Splunk is here to bridge this fundamental gap in IT operations. The “ServiceNow

» Continue reading