From API to easy street within minutes

30? 20? …15? It all depends on how well you know your third-party API. The point is that polling data from third-party APIs is easier than ever. CIM mapping is now a fun experience.

Want to find out more about what I mean? Read the rest of this blog and explore what’s new in Add-on Builder 2.1.0.

REST Connect… and with checkpointing

Interestingly, this blog happens to address a problem I faced back on my very first project at Splunk. When I first started at Splunk as a Sales Engineer, I worked on building a prototype of the ServiceNow Add-on. Writing Python, scripted inputs vs. modular inputs, conf files, setup.xml, packaging, best practices, password encryption, proxy and even checkpointing… the list goes …

» Continue reading

SSL Proxy: Splunk & NGINX

Who is this guide for?

It is a best practice to install Splunk as a non-root user or service account as part of a defense-in-depth strategy. This installation choice comes with the consequence of preventing the Splunk user from binding to privileged ports (anything below 1024). Some of the solutions to this problem found on Splunk Answers require iptables rules or other methods. In my experience, the iptables method is not that reliable, and many newer Linux distributions are abandoning iptables in favor of firewalld as the default host firewall. In this guide, I will show you how to use Nginx and Let’s Encrypt to secure your Splunk Search Head while serving SSL traffic on port 443.

» Continue reading

Splunk DB Connect 3 Released

Splunk DB Connect has just gotten a major upgrade! Let’s take a look at it.

What’s New

Splunk DB Connect 3.0 is a major release to one of the most popular Splunk add-ons. Splunk DB Connect enables powerful linkages between Splunk and the structured data world of SQL and JDBC. The major improvements of this release are:

  • Performance improvement. Under similar hardware conditions and environment, DB Connect V3 is 2 to 10 times faster than DB Connect V2, depending on the task.
  • Usability improvement. A new SQL Explorer interface assists with SQL and SPL report creation.
  • Improved support for scripted configuration, via reorganized configuration files and redesigned checkpointing system. Note that rising column checkpoints are no longer stored in configuration files.
  • Stored procedure support.

» Continue reading

Splunking Microsoft Azure Network Watcher Data

Microsoft has released a new service in Azure called Network Watcher. Network Watcher is a network performance monitoring, diagnostic, and analytics service that enables you to monitor your network in Azure. The data collected by Network Watcher is stored in one or more Azure Storage Containers. The Splunk Add-on for Microsoft Cloud Services has inputs to collect data stored in Azure Storage Containers, which provide valuable operational intelligence regarding Azure network workloads. In this blog post, we will explore how to get Azure Network Security Group (NSG) Flow Logs into Splunk and some possible use case scenarios for the data.

Getting Azure NSG Flow Log data into Splunk

NSG flow logs allow you to view information about …

» Continue reading

Using machine learning for anomaly detection research

Over the last few years I have had many discussions around anomaly detection in Splunk. So it was really great to hear about a thesis dedicated to this topic, and I think it’s worth sharing with the wider community. Thanks to its author Niklas Netz in advance!

Obviously anomaly detection is an important topic in all core use case areas of Splunk, but each one has different requirements and data, so unfortunately there is not always an easy button. In IT Operations you want to detect system outages before they actually occur and proactively keep your dependent services up and running to meet your business needs. In Security you want to detect anomalous behavior of entities to find potential indicators of breaches …

» Continue reading

Splunk AWS Quick Start: Deploy Your AWS Splunk Environment In Minutes

If I told you that a fully operational Splunk Enterprise deployment in AWS could be yours in a matter of minutes, would you be interested? Sit down, relax, and I’ll tell you all you need to know to have a Splunk Enterprise deployment ready to index, fully configured with indexer replication and search head clustering, in less than an hour.

Late last year, I wrote a deployment guide for Splunk Enterprise on AWS that explains your options when deploying Splunk Enterprise in AWS. Today, it gets better: I’m happy to report that document has been expanded upon, and Splunk has released an official Splunk Enterprise AWS Quick Start.

If you’re not familiar with AWS Quick Start, the underlying …

» Continue reading

Everything You Need to Know About Splunk ITSI

With the latest version of Splunk IT Service Intelligence (ITSI), you can apply machine learning and advanced analytics to:

  • Simplify operations with machine learning
  • Prioritize problem resolution with event analytics
  • Align IT with the business with powerful real-time service-level insights

So how do you get started?

Learn More About Splunk ITSI’s Benefits and Features

Watch this 2-minute overview of Splunk ITSI:

Getting ready for a deployment? For a closer look at Splunk ITSI’s capabilities, check out these resources.

» Continue reading

Your Splunk Workspace

What is a Workspace? In my mind, it’s a well-defined area within which one can construct and create without impact to or from externalities.

Implemented in Splunk, it’s a user logging into Splunk, getting escorted to content for their domain, and not being distracted or impacted by the activities of others.

As you might have guessed, this concept IS implemented already in Splunk by means of visible “apps.” Unfortunately, many of us don’t embrace apps in this fashion – and for good reason! We often associate apps with the rich contributions available on Splunkbase and rarely consider the simplest of apps as a Workspace for user groups.

Let’s change that today. Let’s reset how we think about apps and …

» Continue reading

How to stream AWS CloudWatch Logs to Splunk (Hint: it’s easier than you think)

At AWS re:Invent 2016, Splunk released several AWS Lambda blueprints to help you stream logs, events and alerts from more than 15 AWS services into Splunk to gain enhanced critical security and operational insights into your AWS infrastructure & applications. In this blog post, we’ll walk you through step-by-step how to use one of these AWS Lambda blueprints, the Lambda blueprint for CloudWatch Logs, to stream AWS CloudWatch Logs via AWS Lambda and into Splunk for near real-time analysis and visualization as depicted in the diagram below. In the following example, we are interested in streaming VPC Flow logs which are stored in CloudWatch Logs. VPC Flow logs capture information about all the IP traffic going to and from …

» Continue reading

How to Stop Playing the Blame Game in Your IT Department

It’s a familiar scenario: a problem is discovered, and a Service Desk Team gets a help ticket. The Service Desk Team tells Operations that there’s an outage. The Operations Team suggests that the problem could be the result of bad code and passes the issue to Dev. The Dev Team responds that it doesn’t have the tools to solve the problem and asks for logs from production systems.

Suddenly the situation is escalated.

A war room’s assembled. Here you’ll often find a DBA, Docker specialist, network specialist, release manager, site reliability engineer and a developer, sometimes calling in remotely from separate locations. The pressure’s on for everyone to prove their innocence and confirm that their individual components of the infrastructure are OK. …

» Continue reading