Event Calendar Custom Visualization

A while back, I wrote a blog post about using a custom calendar visualization in Simple XML dashboards. To accomplish this, I used a technique sometimes referred to as escape hatching JavaScript into Simple XML. While this works okay for a developer, the technique does not lend itself well to the end user.

Splunk Custom Visualizations

Splunk 6.4 introduced reusable custom visualizations, which allow a developer to package up a visualization and integrate it into Splunk just like the native visualizations. This also addresses the limitation mentioned above – meaning any end user can use the visualization without mucking around with the Simple XML.

So, revisiting the older escape hatch calendar technique, I thought it would be a good …

» Continue reading

Encrypt a Modular Input Field without using Setup.XML

Modular Inputs are a great addition to Splunk Enterprise.  One of the things I really like about Modular Inputs is that they allow you to create inputs that “look and feel” as if they were part of the Splunk installation by providing a nice user interface for parameter input.

But, what if you need to encrypt a Modular Input value?  This could be a password, OAuth secret key, or some other confidential piece of information.  Traditional Splunk applications use setup.xml and the storage/passwords endpoint to accomplish this.  If you just need to encrypt an input value specific to the input (as opposed to the entire application), it may be cumbersome to the end user to first run through a setup.xml …

» Continue reading

Using HTML5 Input Types on Splunk Forms

Text inputs on Splunk forms allow for free-form user input. However, there are times when you need to control the type of this data input. HTML5 has several input types that control what can be entered in text boxes and how the text box behaves during user input. Wouldn’t it be cool if you could apply these HTML5 input types to Splunk text boxes? Hint: the answer is “yes”. Read on to find out how.

What we will be creating

We will control text box inputs using JavaScript.  Below is a screen shot of the final product:

Input Types Example

This is basically a two-step process:

  1. Create a Simple XML form
  2. Wire up some JavaScript to manipulate the text fields in the form


» Continue reading

Splunking Continuous REST Data

One of the ways vendors expose machine data is via REST. There are a couple of ways to get REST data into Splunk today:

  1. Use Damien Dallimore’s REST API Modular Input – you can provide a custom response handler for this input to persist state.
  2. Use the new Splunk Add-on Builder – this method will do a “one shot” of the REST endpoint – meaning it will get all the data every time the input runs.

In this post, I will show you how to implement a cursor mechanism (i.e. pick up where you left off last time) for REST endpoints that continually have new data over time using the checkpoint mechanism built into modular inputs.

The Data Source

For …

» Continue reading

Splunking Microsoft Azure Audit Data

We recently made available a community-supported Splunk Add-on for Microsoft Azure, which gives you insight into Azure IaaS and PaaS. I am happy to announce that this add-on now includes the ability to ingest Azure Audit data. The idea behind Splunking Azure Audit logs is to be able to tell who did what and when and what events might impact the health of your Azure resources. In this blog post, I will detail what we are collecting, how to use the data, and what is coming next for the add-on.

What are we collecting?

This update adds a new modular input to your Splunk environment:



This modular input grabs data using the Azure Insights Events API.

How to

» Continue reading

Splunking Microsoft Azure Data

There are a lot of services in Microsoft Azure, and a lot of those services are producing machine data. Hal Rottenberg wrote a post covering several of these services and some ways to integrate Splunk with Microsoft Azure. We recently released a new cross-platform Azure add-on that consumes data for some IaaS and PaaS services. In this blog post, I will detail what we are collecting, how to use the data, and what is coming next for the add-on.

What are we collecting?

The add-on ships with three modular inputs:

  1. Azure Diagnostics – this input collects data from an Azure Storage account that contains virtual machine diagnostic information.
  2. Azure Website Diagnostics – this input collects server and application data for Azure
» Continue reading

IoT and Flying Ponies at .conf 2015

One of the coolest demos I witnessed at Splunk .conf 2015 was the one by Nate McKervy. The reasons this demo was so cool are 1) it was live, 2) it involved audience participation, and 3) it involved shooting stuffed ponies out of an air cannon. This article will explain a little more of what was going on under the covers.

Skip to 19:18 for the demo

Getting Data from the Audience

To kick off this live demo, some data was needed. What better way to get real data than to get the audience involved? To do this, a mobile website was created that prompted for a couple of questions and then instructed you to shake your mobile device …

» Continue reading

Splunking Box Data – Content Events

In my last post about Splunking Box data, we focused on user authentications including percentage of failed logins, where logins are coming from, user accounts associated with failed logins, etc.  In this post, I want to focus on some of the events surrounding Box content once a user is authenticated.

Content Events

In the context of this post, we will call a content event anything that happens to your Box content.  For example, a content event may be a file preview, upload, download, sharing, delete, etc.  There is a handy event type defined in the Splunk Add-on for Box called box_events_change.  Using this event type, we can get an idea of the type of activity going on within the …

» Continue reading

Splunking Box Data – User Authentications

The Splunk Add-on for Box collects a lot of valuable data including Box users, files, folders, groups, and more.  Included in the Splunk Add-on for Box are several pre-built panels to get quick insights into this data.  The purpose of this post is to introduce various use cases around Box data included in the pre-built panels and custom searches and visualizations not included in the pre-built panels.

User Authentications

Before a user can access Box content, they have to authenticate.  It is important to keep an eye on the percentage of failed logins, where logins are coming from, user accounts associated with failed logins, etc.  The Splunk Add-on for Box has an event type named box_events_authentication that gives you all the …

» Continue reading

RDP to Windows Server from a Splunk Dashboard – Example Code

A while back, I wrote a blog post explaining how to RDP to a Windows Server from a Splunk Dashboard. The steps involved the following:

  1. Create a Controller – this generates the .rdp file on the server and delivers it to the client.
  2. Create a custom endpoint in web.conf – this part enables URL access to the controller created above.
  3. Add JavaScript to the dashboard – this part renders the icon and passes the necessary parameters to the controller (via the custom endpoint).

All the nitty-gritty details were spelled out in the blog post.  However, if you learn better by example (like I do), then there is a new GitHub repo that has a working example for you.  In the …

» Continue reading