How to Create a Modular Alert
What’s a Modular Alert (and why should I care)?
Modular Alerts is a feature included in Splunk 6.3 and later that allows Splunk to actively respond to events: send alerts, gather more data, or perform actions. Splunk includes an API that makes it easy for people to write their own apps with modular alerts that can be shared on apps.splunk.com. See the official docs for more detailed information.
Modular Alerts can be used for things such as:
- Notifications: send out a message letting people know something happened (e.g. Twilio SMS Alerting, Slack Notification Alert, HipChat Room Notification Alert)
- Automation: perform an action whenever a particular event is detected by Splunk (e.g. Insteon Home Automation Control, IFTTT Alert Action, Octoblu)
- Custom editors or management interfaces (e.g. lookup editing, slide-show creation)
- Custom visualizations (though modular visualizations are likely what you will want to use from now on)
How to edit Notable events in ES programmatically
Several people have asked if Splunk for Enterprise Security has an API for programmatically modifying notable events. It does, and this post will outline how to use it.
A little background…
Notable events in ES are associated with an event_id field. This field uniquely identifies a notable event. You can see this field if you run a search for notable events and select the event_id field using the field picker. Make sure to use the notable macro when searching for notable events, since this macro handles some things necessary for examining notable events. The search should look like this:
After selecting the event_id field in the field picker, you should be able to see the event_id in search …
Making a dashboard with tabs (and searches that run when clicked)
In this post I am going to walk through how to make a dashboard with content separated into tabs. Not only will the content be divided into tabs, but the searches in the panels will not execute until the tabs are clicked. This prevents the dashboard from running all of the searches at once when the view is first opened.
Using tabs in this way serves two purposes:
- Prevent showing too much to a user all at once; a dashboard with more than 4 panels will require scrolling and may overwhelm the user
- Prevent too many searches from executing at once; this will improve load times, prevent timeouts, and reduce load
The best way to walk through this tutorial …
Working with spreadsheets in Splunk (Excel, CSV files)
I was recently talking to a customer and he mentioned how he needed to do a search in Splunk for events that matched something in a list provided to him in a Microsoft Excel spreadsheet. Basically, he needed to search for events in Splunk that matched a list of IP addresses in the spreadsheet. In order to make the search, he took each item from the spreadsheet and added it to a search. Needless to say, this is painful.
In Splunk, there is a better way.
As a former security practitioner, I have been there and have done similar things. Let’s discuss some things that you can do in Splunk that make this drop-dead easy.
In this post I’m going to …
Have you ever had a situation where you found information on a webpage that you wanted to get into Splunk? I recently did, and I wrote a free Splunk app called Website Input that makes it easy for everyone to extract information from web pages and get it into a Splunk instance.
There are many cases where web pages include data that would be useful in Splunk but there is no API to get it. In my case, I needed to diagnose some networking problems that I suspected were related to my DSL connection. My modem has lots of details about the state of the connection, but only within the web interface. It supports a syslog feed, but it doesn’t include …