Centrify Active Directory Integration for Splunk

Guest Blogger: Corey Williams

Here at Centrify, we were pleased as punch to learn that our first attempt at a Splunk application, Centrify Active Directory Integration for Splunk, was chosen as the “Splunk app of the quarter” earlier this year. Centrify Active Directory Integration for Splunk is an add-on for scripted authentication using Centrify Express. Centrify Express is a free solution for integrating *NIX or Macs with Active Directory (which has already been downloaded over 100,000 times in the past year!).

“But I thought that Splunk provides Active Directory Integration?” – Great question! As it turns out Active Directory can be a very complicated system to robustly integrate with in the real world. Centrify has built an entire company…

Splunk for Squid

A friend of mine called me up a while ago. He and his colleagues were evaluating a couple of log management solutions in his organization and one of the use-cases they had developed was to use the solution for getting useful information out of their Squid proxy logs. Among other things they wanted to be able to see how much traffic was flowing through their proxies, what sites were visited the most and whether their proxies were performing efficient caching. After explaining the situation my friend asked “Can Splunk do that?” to which I of course immediately replied “Sure!”.

After supplying my friend with field extractions for the default Squid log format and some initial searches to get him going, he was getting all kinds of information that had previously been a pain to retrieve from his proxy logs. With the field extractions done in Splunk, getting this kind of information was (and is) easy thanks to Splunk’s powerful data retrieval and statistics generating capabilities. Give Splunk a couple of fields to operate on and it can slice and dice their information pretty much any way you want. It almost becomes an addiction – so many things you can do, it’s harder to stop than to keep going!

Explaining Splunk in One Sentence: 2012 Edition

(This post was written by Dan Woods, CTO and Editor of CITOResearch.com.)

Last week, while at the Splunk .conf 2011, I did a research experiment and asked conference attendees to explain Splunk in one sentence. (See “Explaining Splunk in One Sentence”).

I did my experiment on the first day of the conference before hearing the vision for the product at the keynote sessions. The question I will answer in this blog is: “What are people likely to say Splunk is in 2012 after the company has spent 12 months executing toward its vision?”

To set the stage for my predictions, I would like to explain what I learned about the challenging task of explaining Splunk during my three days…

Explaining Splunk in One Sentence: Part 1

(This post is from Dan Woods, CTO and Editor of www.CITOResearch.com, who is working on a book to help Explain the Splunk Search Language using Recipes.)

While talking to all sorts of Splunkers, Splunk devotees, and hangers-on during the first day of Splunk .conf 2011, I had a fun idea. How could you explain Splunk in one sentence? This is a challenge of course because Splunk is both wide and deep in its capabilities and the applications thereof. Another challenge comes from the fact that Splunk is being crafted to meet the needs of many different types of users, from the brainiac early adopters on Wall Street, in universities, or at research organizations, to system administrators…

Getwatchlist: getting watchlists into Splunk quickly and easily with a Splunk custom search command

As a Splunk partner specializing in Federal deployments, one question Aplura consultants are repeatedly asked by our clients is “Can I use Splunk to check our events for matches against a watchlist of IP addresses or domain names?”. Of course, the answer is “yes”: watchlists can be configured, leveraging Splunk’s “lookup” functionality, and then used in searches to find and alert on matches. Splunk makes this pretty easy. Find more on lookups in the Splunk docs.

Implement Watchlists as Lookups in Splunk
For many of our clients, managing the lookup tables can be challenging. The watchlist gets downloaded, perhaps reformatted, then uploaded to the Splunk server, where it can be used as a lookup table. In some situations, however,…

Explaining Splunk through Recipes

The community of Splunk users can be compared to a benevolent cult. There are those that are initiated, that have drunk the Kool-Aid, that have used Splunk to solve problems they could not solve any other way. These people understand the beauty of Splunk because it has helped achieve their goals.

Then there are the uninitiated. The people who sort of understand but who don’t really get the idea. “Seriously, can’t you use grep and perl to do all this stuff?,” they say dismissively. “No, you can’t,” respond the believers.

Crossing this divide is made more complicated by Splunk’s simplicity and power. As I have come to know Splunk, I have thought of it as similar to the game of…
