Look at all the pretty colors!

Well, it’s Sunday here in Las Vegas, and  .conf2014 is about to go down. I’m sitting in one of our Splunk University classes at the MGM, with many of our fine customers.

The class is our Power User Bootcamp, and we just finished talking about Splunk’s tagging, event types, and lookup functionalities. One of our more security-minded customers asked “hey – that ability to assign a color to event types in the Splunk search GUI is pretty cool – I’d like to use that to prioritize the events I’m looking at based on the risk profile assigned to a user. From a lookup. Can I do that?”

A second customer said “I like that idea.”

So, since this …

» Continue reading

Updated Traffic App

A few years ago, I created a publicly available traffic app for monitoring traffic incidents in major US cities configured by user. Since then, the provider of the feed has cut down on the number of cities they monitor and no longer provide incident counts per intersection. Nevertheless, they still provide a Jam Factor. A Jam Factor is a subjective number provided for a roadway that indicates how busy (or jammed) the roadway is.

For my reference implementation, I used this Jam factor field to visually allow you to to see your city’s (assuming the provider covers it) current Jam Factor for major highways. This updated traffic app that you can download has new dashboards that you can use to …

» Continue reading

APP WALKTHROUGH: Workflow Actions

One of the best ways to learn is by example.  If you want to build your own Splunk app, one of the best things you can do is dissect other apps.

In the below youtube video, I slowly go through a simple but useful app that adds “workflow actions”, which allow you to write custom actions for events and their fields.  This video shows you how it works and how you can make apps like it.

I go line-by-line, file-by-file, explaining everything.  You will learn something.

» Continue reading

PDF printing and logos

Working on the Splunk OEM team, we are often asked if it is possible to replace the logo printed on PDF reports. The short answer is yes, it is possible but it is kind of a hack. The workaround would not be Splunk upgrade safe, there are some limitations to what the SVG can do, and you would need to edit some Python. With that being said, the request to make this easier is already in the laundry list of improvements we are looking at for PDF printing.

Let’s get started:

  • The default Splunk logo is hardcoded in the $SPLUNK_HOME/lib/python2.7/site-packages/splunk/pdf/pdfrenderer.py file. Make sure you backup the file before editing!
  • At the bottom of the file, you will notice a variable
» Continue reading

What are Splunk Apps and Add-Ons ?

If you have ever uploaded a contribution to Splunk Apps you’ll see the following option : app_addon   But what does this really mean ? What is the difference between an App and an Add-on ? Both are packaged and uploaded to Splunk Apps as SPL files and then to install them in your Splunk instance you simply untar the SPL file into etc/apps .But the content and purpose of Apps and Add-ons certainly differ from one another.

Add-ons

An Add-on is typically a single component that you can develop that can be re-used across a number of different use cases.It is usually not specific to any one single use case.It also won’t contain a navigable user interface.You cannot open an Add-on from …

» Continue reading

Announcing the Splunk Add-on for Check Point OPSEC LEA 2.1.0

Check Point administrators rejoice, Splunk Add-on for OPSEC LEA 2.1.0 has been released! The free update provides useful improvements to almost every aspect of the add-on.

 

User Interface

The old OPSEC interface has been completely overhauled and streamlined. The interface is no longer stuck in the past and should look right at home on your Splunk 6 search heads.

manage

 

The manage connections page now offers a much more powerful overview of your Check Point connections. As you can see on the screenshot, every connection has a set of metrics available. These differ based upon the connection type. An audit connection displays the timestamp of the last event collected. A normal connection displays throughput over the last 24 hours …

» Continue reading

Splunk’s New Web Framework, Volkswagen’s Data Lab, and the Internet of Things.

There are many incredible features in Splunk 6. Pivot, Data Models and integrated maps really stole the show at .conf2013. But I really have to give credit to our developer team in Seattle for the massive leap forward in user interface possibilities with the addition of the integrated web framework, which is included in Splunk 6 but is also available as an app download for Splunk 5.

In the midst of all that Splunk 6 excitement at .conf, I was introduced (at the Internet of Things pavilion) to the team at Volkswagen Data Lab, and had some great discussions with them about their interest in using Splunk as a  platform for the management, analysis, and visualization of data from …

» Continue reading

Custom Icons in Splunk 6 Tables

“Daddy. DADDY! We’re out of Sriracha. Does Costco sell Sriracha? Can you go get some before you start working today?”

That was my five-year-old son at breakfast this morning, after he turned the Sriracha bottle upside down and banged the heck out of the bottom of the rooster-adorned bottle with his tiny fist, trying to get the last bits of the dark-red chili sauce deposited onto his scrambled eggs.

While I’m certain we will solve the 2014 Sriracha Crisis at the Brodsky household, the whole episode reminded me of a question (stick with me, you’ll see why) that a Splunk customer asked me a few months ago, which went something like this:

“When creating a dashboard in Splunk 6,

» Continue reading

Using Bootstrap Modal with Splunk Simple XML

While working on a performance dashboard recently, I wanted an area to further explain the performance metric currently being displayed without taking up too much screen real estate. In the end, I ended up using a Bootstrap modal dialog to display the metric details when a user clicks an information icon. Here is the end result:

ModalDescription

 

 

Step 1 – Add the Bootstrap modal markup to your dashboard

Pulling the syntax directly from Bootstrap (http://getbootstrap.com/javascript/#modals), this is what the Simple XML looks like:

 

<row grouping=”2”>
    <chart id=”chart1”> … </chart>
    <html>
        <a href="#" id="btn1" class="btnModalInfo" data-toggle="modal" data-target="#desc1">…</a>
        <div class="modal fade" id="desc1">
            <div class="modal-dialog">
                <div class="modal-content">
                    <div class="modal-header"></div>
                    <div class="modal-body">…</div>
                    <div class="modal-footer">…</div>
                </div>
            </div>
        </div>
    </html>
</row>

 …

» Continue reading

Add an icon to your app or add-on

The “icon” has become a de-facto standard element of content description; it helps users to discover relevant content with just a quick look and helps your content to stand out from other apps. Until now, due to packaging limitations, only content hosted directly on Splunk Apps supported the display of  an icon.

As part of the user experience improvements we’ve made to Splunk Apps, we are introducing a new feature that allows you to attach an icon to externally hosted apps and add-ons.

To add an icon to your app: visit your app’s Edit page and look for the new option there.

Screen Shot 2014-02-03 at 2.03.15 PM

Drag and drop your new icon into the box and click Update.

Based on my observations, apps …

» Continue reading