Introducing the new Splunk App for AWS

Today we’re excited to announce the release of a fully re-written and much expanded Splunk App for AWS. Get it here and gain immediate operational assurance and visibility for your AWS-hosted infrastructure.

What’s new with the app?

  • Works with Splunk Add-on for Amazon Web Services
  • New dashboards and visualizations for AWS Cloudtrail
  • New alerts for AWS CloudTrail
  • New dashboards and visualizations for AWS Config
  • Billing Reports provided by Splunk Add-on for Amazon Web Services

AWS CloudTrail
AWS CloudTrail records user API activity and related events for your AWS account. Using the Splunk Add-on for Amazon Web Services you can retrieve details about the actions made by the caller, including the caller’s identity, the time of the call, the request …


Machines, People, and Categories, Oh My!

Let’s say you’re working with Enterprise Security and you need to figure out how to put more devices into the asset and identity correlation framework. Here are some resources to get you started!

There are two useful types of data to integrate: lists of assets or identities, and attributes of assets or identities. In both cases, it may also be interesting to enable ad hoc, real-time queries of your data source for individual terms.

A list can be dumped from a directory, systems management tool, asset discovery system, or the like. These are typically accessed via DB Connect or Splunk Support for Active Directory. Other ways to get at this data include modular inputs to query web-based APIs. …


Protocol Data Inputs

It must have been about a year ago now that I was talking with a Data Scientist at a Splunk Live event about some of the quite advanced use cases he was trying to achieve with Splunk. That conversation seeded some ideas in my mind, they fermented for a while as I toyed with designs, and over the last couple of months I’ve chipped away at creating a new Splunk App, Protocol Data Inputs (PDI).

So what is this all about? Well, to put it quite simply, it is a Modular Input for receiving data via a number of different protocols, with some pretty cool bells and whistles.


So let’s break down some of …


Splunk 6.2 Feature Overview: Perfmon Delocalization

Last week, I covered the XML Event Logs – an awesome feature that will reduce your data ingest, increase the fidelity of the data that is stored and allow us to work with localized data. Today, I want to discuss another localization feature – or at least a delocalization feature – perfmon.

Prior to Splunk 6.2, Windows perfmon was always collected localized. If you wanted the % Processor Time counter, you had to specify the localized version of this. If you were running on a French version of Windows, you would have to specify object=Processeur and counter="% Temps Processeur" in both your inputs.conf and searches. Given that there are over 30 different localized versions of Windows, this really meant that …


Splunk 6.2 Feature Overview: XML Event Logs

We’ve been (rightly) criticized for a couple of things in recent years. Firstly, when you configure a Windows Event Log, it’s too big. This is because we combine the event log object with the message from the locale-specific DLL and that includes a bunch of common explanatory text. I don’t really need to know what a login really means (to the tune of 1K of data ingest) every time someone logs in, especially when these events are happening hundreds of times a minute. Secondly, our event log extractions are for US/English only. Got German Windows? Sorry – our extractions don’t work for that. Finally, we discard the additional data that is provided in the event log object. A primary example …


Biking With Splunk>4Good for Early Cancer Detection!

Earlier this year, a group of Splunkers decided to embark on the Canary Challenge—getting involved with the fight against cancer to benefit the Canary Center at Stanford.

To help make a difference in the lives of many family, friends, and colleagues who have been touched by cancer, each Splunker was tasked with training for a 50 km, 75 km, 75 mile or 100 mile bike ride through the beautiful scenery of the Peninsula and at least $400 worth of fundraising. Our team here at Splunk was able to use some creative fundraising campaigns to raise $7,986 as a team towards exceeding the overall Canary Challenge goal of $1M. In the end, the final fundraising tally of $1,094,322 will help the Canary Center …


What can you get for $10.74/hour?

Why $10.74 you may ask? Well, that’s the minimum hourly wage in San Francisco (at least as of this writing Nov 2014) …

With that out of the way let’s see what else you could get for $10.74/hour …

  • you could rent a “deluxe” bicycle and tour SF for ~$9/hour, but don’t forget to add the tax ;)
  • you could rent a car from one of the car sharing companies in SF and tour the entire Bay Area …
  • you also have enough dough to pay for Hunk on a 14 node EMR cluster

Let me expand on that last item a bit: you can get over 10 years of Splunk’s experience in working with machine data, packaged up, configured and …


My .conf2014 Data Adventure Part II. Leaving Las Vegas

I hope you all had a suitably spooky Halloween. In Part I of my round up of .conf2014 I went through the keynote speakers on the first day (GE, Red Hat, Coca Cola and NASDAQ) and how they used Splunk for a wide range of operational intelligence use cases. Day two and three of .conf were a huge selection of customer presenters, technical workshops and best practice sessions. We also had SiliconAngle’s “The Cube” at the event interviewing Splunk users, customers, analysts and employees. There was some great press coverage too, following the interviews earlier in the week. In part II, I wanted to highlight some of the stories from Credit Suisse, BNP Paribas, BskyB, Dominos Pizza, FINRA and …


Detecting outages caused by unauthorized changes

Splunk is a great solution to search, investigate as well as monitor your IT environment, whether it is application, infrastructure or network related. One perplexing issue to detect is related to unauthorized changes. Per ITIL, an unauthorized change is a “change made to the IT infrastructure that violates defined and agreed Change policies”.

Let’s take a simple example where you have a multi-tier application and one of the admins made a change on one of the configuration files without running through the CAB or the Change and Release manager for impact analysis. This config change resulted in an application outage. Using Splunk, you can easily detect the outage, no doubt about that.

The challenge is how can you isolate the …


Tracking mobile presence w/ Cisco Meraki

Following our amazing turn out at .conf2014, I’ve had a lot of inquiries into how we were able to track the attendees based on their location as well as proximity to the wireless Cisco Meraki devices that were setup.


We accomplished this using the Cisco Meraki Presence Modular Input, created by Damien Dallimore, and dashboards created by our .conf dashboard team. Before you’re able to create anything, you need to enable the CMX API as well as traffic analytics.


Once this is completed, you will want to install the Cisco Meraki Presence Modular Input, and exchange the private keys between the two interfaces. ProTip: Ensure that your post URL ends with the suffix ‘/events’.

This is all you need …
