Join us for the Splunk SFBA User Group next week!

Bay Area Splunkers, don’t forget to join us Apr 19th for this month’s meeting! We are changing it up this time and meeting in Sunnyvale at Yahoo HQ which will hopefully draw a great crowd. You can find the full details and RSVP at the new usergroups website. (Bonus: if you RSVP, then we will feed you!)


  • Becky Burwell (Flickr/Yahoo) will talk about their Splunk Deployment Server rollout
  • Chuck Gilbert (Comcast Innovation Center) will highlight some tips and tricks used in visualizing usage of the new Xfinity X1 platform
  • Todd Untrecht (Splunk Enterprise) and Hal Rottenberg (Splunk developer evangelist) will speak about new features in 6.4 (and maybe a peek into the future), and show a demo of the HTTP Event
» Continue reading

Using Splunk to Monitor Changes to PowerShell Scripts

I had a question this morning from a customer who was looking for ways to monitor changes made to PowerShell scripts in their environment. They wanted to know who made the changes, but also what changes were made. Well, I thought to myself–that’s a great excuse for a blog post!

Let’s break this down into two separate requirements:

  1. I want to know when a PowerShell script has been modified
  2. I want to know the changes between two versions of a file that has been modified

Who changed a file and when?

Requirement #1 is not hard to do using Splunk in combination with some native Windows file auditing features. In fact, it’s such a common use case that we’ve documented all the steps in …

» Continue reading

Join Splunk at the Emirates Travel Hackathon next weekend!


Splunk is pleased to be sponsoring the Emirates Travel Hackathon next weekend, and we want to see you there! The event is taking place Nov 7th in San Francisco, and is open to all who want to participate in a great event with real prizes. Come out, learn something new, and solve challenging problems in the realm of travel! What should you build? Here’s what Emirates is looking for (from the FAQ page):

The hack should revolve around the experience of traveling. There are many websites and applications that focus on the logistics of travel – scheduling flights, reserving seats, booking hotels, etc. However, we’re looking for apps that help people experience the excitement of travel to the fullest extent, so get creative

» Continue reading

Splunk admin & some basics around working with REST APIs


I saw an interesting thread today on an internal list that I would like to share with the world. After all, while each of us is a precious snowflake, our problems and challenges are not always unique. :) If one person has this question, there’s a good chance that someone else does as well!

Let’s set the stage. You have a typical Splunk environment with a bunch of servers with forwarders installed on each one, which grab data and send it to the indexers. Automation is important, so you want to ensure that the configuration on these forwarders is consistent. One way to do this is to use our Deployment Server feature, which uses a pull model to ensure that all forwarders check in periodically to a …

» Continue reading

Splunkers in Atlanta, Meetup this Friday! Learn what’s new with Splunk App for Stream & more

Headline says it all, but to elaborate just a tiny bit, be sure to join us in Atlanta this Friday! The user group meeting will be held in the Cumberland / Windy Hill area. Show up for a great time of learning more about Splunk, and networking with your colleagues in the Metro Atlanta area. Food will be provided. For full details and to register, please RSVP at our event page so that we have an accurate count for food.


11:00 – Welcome & networking

11:30 – Lunch served

11:40 – Housekeeping, group introductions

11:50 – Main speaker: Clayton Ching, Sr Product Manager at Splunk. Topic: What’s New with Splunk App for Stream

12:40 – Lightning rounds, member presentations

13:30 – User Group planning / networking

14:00 – Event …

» Continue reading

Integrating with Splunk: You Gotta Think Outside the Box

This morning, a question was asked about integrating with Splunk that started with something like, “but I can’t send syslog from my system, so how can I get that data in Splunk?” It really doesn’t matter what system or what data; before digging in, I already knew that the answer was out there.

“But wait a second, Hal, how could you know that?”, you might be thinking.

Well, it’s just a matter of knowing a bit about how computer systems work, and understanding that Splunk has many ways of ingesting data. You see, at a very high level, there are only two ways that Splunk can integrate with another system. I’ll call these integration types “intentional”, and “operational”. Let’s define them:…

» Continue reading

Integrating Splunk with Docker, CoreOS, and JournalD

Hal here, your friendly Lorax and developer evangelist! I wanted to share with everyone a guest post from a Splunker whom I met and see regularly at the Metro Atlanta Splunk User Group, Robert Labrie. Robert is a DevOps Engineer at The Network Inc, a company which builds solutions that prevent, detect and remediate misconduct to help companies maintain ethical cultures.

This post is about how Robert approached building out a new architecture, and of course, how to index the data generated by all of the components. Without further ado, take it away, Robert!


The team at TNWDevLabs started a new effort to develop an internal SaaS product. It’s a greenfield project, and since everything is new, it let us …

» Continue reading

Splunk and Microsoft Azure – Intro and Resource Roundup

Update Mar 15th, 2016: Jason Conger has announced the beta of the Azure Add-On for Splunk!

Update Feb 18th, 2016: Roy Arsan has announced the launch of Splunk Enterprise in the Azure Marketplace!

Note: the below article was written back in Dec 2014, but still gets a ton of hits and questions. Be sure to check out the Azure tag here on Splunk Blogs for the latest news.

We are often asked by customers about how Splunk can integrate with, or run in Microsoft’s Azure cloud platform. There’s actually a fair bit of information about this broad topic on and elsewhere, but it can be a bit hard to find. This post will serve as an introduction to a few Azure …

» Continue reading

Don’t Forget to CIM! Or, How I Learned to Love Tags

Let me tell you a little story about something which I learned (or re-learned!) today. For the impatient, you can read Jack’s previous article on building technology add-ons, and go learn CIM (which stands for Common Information Model). I’ll put some other resources at the end as well.

The silly thing I have to admit first of all, is that I thought I knew this stuff. I’ve been involved in making data models for the CIM app, for cryin’ out loud! Anyway, to the story…

In my prior role in business development as a solution architect, and now as a developer evangelist, I frequently work with ISVs, IHVs, SIs and others who want to integrate their stuff with Splunk. …

» Continue reading

Atlanta Splunk User Group this Friday!

Just a reminder to folks that the monthly user group meeting is this Friday! If you haven’t already, please RSVP to the Meetup page so that we have an accurate count for food and building security.

The agenda:

• 11:30 – 12:00 Networking, lunch

• 12:00 (5-10 min) – Welcome, introductions

• 12:10 – 1:20 Presentations:

Michael Conner, Coke CCR – Automating Splunk app deployment in AWS

Hutch, Splunk – Advanced Visualizations

Hal, Splunk – Techniques for analyzing Splunk performance

• 1:20 – 1:30 Open discussion, next meeting logistics, close…

» Continue reading