SQL Injection

Last year, I created an app template to detect whether your users went to a phishing web site; you supply the app with the sourcetype name of your proxy logs and the field holding the destination URL they visited. You can still download this Phishing app template from Splunkbase. In the same manner, I have created an app template called SQL Injection Search that you can download from Splunkbase.

Install the app and provide either of the two form search dashboards with the name of your sourcetype representing your web logs (e.g., access_combined) and the name of the field in that sourcetype that represents the URI query string (e.g., uri_query). One form search uses patterns to detect if possible…


New Keyword App

One of the most common requests I get from new customers is that they want to centrally collect all their machine-generated time series data and search for a keyword like error or RuntimeException. Obviously Splunk can do this. The next set of questions then concerns things like: give me the top hosts or applications producing this keyword, show me a baseline of last week vs. this week for this keyword, show me a slope line on the trend for this or any keyword(s), find outliers that go beyond the average occurrences for the keyword, and then try to predict what may happen in the future.

To answer these questions and then some, I’ve created an app template that you…


Updated RSS Input (Java Version)

Last year, I put out a Java version of an RSS Input program that was built on an included open-source RSS parser. It used the beta version of the Splunk Java SDK to check for duplicates, making sure that within a reasonable time period the same RSS link wasn’t already indexed into Splunk. With the GA release of the Splunk Java SDK, I updated the contents on Splunkbase to include the GA Splunk Java SDK jar file and also used a more efficient way to check for a duplicate entry. You can download the distribution on Splunkbase.

To recap, the distribution uses a scripted input to index the contents of configurable RSS feeds every configurable N seconds. You…


Making Applied Math Interesting

I have a college friend who, after years of working in the IT field, decided to become an 8th grade math teacher. This is a noble endeavor. After hearing this, I began to think about what it was like to learn math in my own youth and quickly thought about the usual word problems, such as when two trains heading toward each other at certain speeds will meet, or finding the value of X given an equation. These types of problem-solving skills probably meet the needs of most students, but some want more. In fact, they want their math problems to apply to real-world scenarios to make them more realistic and interesting.

This is where Splunk can play…


How’s Traffic?

By the title of this post, many of you may assume that I am referring to network traffic. However, today’s topic is monitoring vehicular traffic incidents, or what most of us would call accidents. I found a feed from http://cityrss.traffic.com/feeds that lists recent incidents for a known USA city when the city name is used as the last part of the URL. The information returned gives the jam factor (how crowded the roads are), the severity of the incident, and its location. Armed with this information, I created a Splunk app around it and put it on Splunkbase for you to use. Instructions are provided on which text file to update to add or delete the cities you…


NY Metro Splunk Users Group

The first NY Metro Splunk Users Group meeting was held in Jersey City on July 12, 2012. It was attended by a small group of Splunk users, as this was used more as a planning meeting to launch the group and add more community members.

We first had a presentation by Adrian Hall on the new Splunk for Active Directory app on Splunkbase. Then, the group was formed as Splunk users Al Berg and Reed Kelly agreed to be the group’s first leaders. A subsequent group meeting will follow in the next quarter.

If you are an active Splunk user who would like to participate in the dialog, you can join the online LinkedIn group, NY Metro Splunk Users Group.…


Zeromq as a Splunk Input

Occasionally, people ask me how to get a message queue such as JMS to deliver its messages into Splunk. I point them to the approach I put up on Splunkbase, where a JMS listener is called by Splunk as a scripted input and dequeues messages that are put on queues of interest. Obviously, after the message is dequeued, it is meant to go into Splunk in this case. No other business application would have subsequent access to the same message on the same queue. Therefore, if you want to use a pure messaging system that is not part of your application to send time series messages to Splunk, this is not the approach you should…


Identifying Phishing Sites in Your Events

Recently, I thought I was caught in a phishing scheme: I created an account on an e-commerce site to check out, and as soon as I clicked on the checkout button, it asked me to log onto a well-known site. It turned out that the original site was badly implemented and should have told users that it was an affiliate of the other site. Nevertheless, I went to Phishtank to make sure that no one had complained about the original e-commerce site.

This got me thinking that since phishing occurs all too often, there must be a way for corporations to verify that their users are not going to phishing sites, and if they are, to know…


Asking Vendors to Make Log Events Accessible

In my last blog entry, I wrote about asking vendors to make their log event formats follow industry best practices. Now, if the log events reside in files or can be broadcast out on network ports, it is quite easy to access them with technologies such as Splunk Universal Forwarders. However, if the log events are buried deep within the application, device, or system that created them, then there is one more issue to address to get to the events, and that is having an accessible transport mechanism with examples of its usage.

By transport, I obviously am not referring to some futuristic vehicle transportation.

What I am talking about is a way for one computer…


Asking Vendors to Create Usable Log Data

Here at Splunk, we often talk about best practices for creating log events, regardless of whether they are written to a file, sent to a network port, or come from the standard output of some program. Since this has been discussed before, I won’t enumerate these practices here, but I will allude to them for the purposes of this topic. Furthermore, adding useful information to your generated log events so they can be used in multiple contexts, a concept in line with semantic logging as discussed in this video by Rob Das, complements the best practices. This is great for log events (or time series events, as I use this phrase interchangeably with log events) that you yourself can generate, but what…
