Real-time Status

Splunk users are familiar with real-time indexing, real-time search, and, with release 4.2, real-time alerts. I’d like to take these concepts of real-time monitoring one step further and provide proactive status for an entity (e.g., IP address, URL, hostname) that is already in your index while a search is being processed. I call this real-time status. For instance, suppose you already have URLs indexed via Apache or IIS log files. Among the many things these events give you is the HTTP status code for each indexed URL per event. This only tells you the status code at the time of indexing. What used to be not found (code 404) could now, as we speak, be OK (code…


Correlating with Splunk IP Watchlist

Last year, fellow Splunker Dave Croteau created a prototype that indexes, once a day, the world’s top 100 suspicious (or in some cases malicious) IP addresses, using a list published by the dshield.org web site. The thinking is that these addresses may be compromised by trojans or botnets, so you would not want to see them as sources connecting to your network. Dave also used the Splunk MaxMind add-on to build a simple dashboard that maps these addresses to country and city with the Splunk top command.

Next, I took this app and changed the scripted input to use curl to gather the data, so that the same approach could be ported to Windows as well as *nix machines.…


Workflow Actions: RSS Feeds, whois, and even BPM

Splunk 4.1 re-introduced a feature called workflow actions, which lets users of Splunk Web click a drop-down next to a field and send that field as an argument to a remote HTTP server via POST or GET. The 4.1 version is much improved: administration and authorization of the feature can be done via Splunk Manager, workflow actions can be set for entire events as well as for fields, and one of the actions available from the drop-down can launch a new Splunk search rather than make a remote HTTP call.

This provides an incredibly easy way to integrate external web sites with events and fields in your data. For instance, if one of…
