APP WALKTHROUGH: Writing a custom search command

One of the best ways to learn is by example.  If you want to build your own Splunk app, one of the best things you can do is dissect other apps.

In the YouTube video below, I slowly go through a simple but useful app that adds a single search command: timewrap.

I go line-by-line, file-by-file, explaining everything.  You will learn something.

YouTube video: Splunk App Walkthrough: Timewrap

A few notes:

  • Yes, that’s a Hobbit movie poster behind me
  • It’s about 50 minutes long, most of it dealing with the details of the Python search command.
  • Tell me if it was helpful, or what I could do to improve it.

» Continue reading

Is Big Data IT’s gift to the CEO?

At the beginning of June, I was at the Gartner CIO & IT Executive Summit in Berlin. It was an interesting event to attend in terms of the advice given to the CIOs at the event, how to deal with the “digital industrial revolution” and how to support the CEO’s top business priorities.

From the Gartner survey, a CEO’s top five priorities for 2014/15 are growth, costs, profit, IT and the customer.

Growth was number one, and to support the CEO’s top priorities, Gartner suggested that the CIO will need to deliver a digital technology architecture, an enterprise information architecture, a strong cybersecurity & risk program and an industrialized IT infrastructure.

After the keynote, I attended one of the presentations …

» Continue reading

Streaming a new class of data into Splunk – Introducing the Splunk App for Stream

Last year in December, we announced the acquisition of Cloudmeter – a company with technology that captures data directly from the network traffic – a rapidly growing source of big data.

Today, I’m stoked to announce the general availability of the Splunk App for Stream v6.0, which stems from that acquisition.

So, why is wire data (data from the network) important? Wire data has the benefit of capturing all data in real time – it is the communication vehicle for applications and systems to talk to each other, making it a very authoritative source of critical information. It serves a broad range of analytics across different use cases; it is non-intrusive with no impact on workloads and it can be collected …

» Continue reading

PDF printing and logos

Working on the Splunk OEM team, we are often asked if it is possible to replace the logo printed on PDF reports. The short answer is yes, it is possible but it is kind of a hack. The workaround would not be Splunk upgrade safe, there are some limitations to what the SVG can do, and you would need to edit some Python. With that being said, the request to make this easier is already in the laundry list of improvements we are looking at for PDF printing.

Let’s get started:

  • The default Splunk logo is hardcoded in the $SPLUNK_HOME/lib/python2.7/site-packages/splunk/pdf/ file. Make sure you back up the file before editing!
  • At the bottom of the file, you will notice a variable
» Continue reading

Sqrrl Connects to Hunk for Exploratory Analytics and Visualizations
In a Sqrrl press release today, Splunk partner Sqrrl introduced a connector to Hunk, joining the previously published Hunk apps with Amazon Web Services and MongoDB.

Using Hunk’s virtual indexing and result preview capabilities, you see search query results as they are streamed back from the Sqrrl Enterprise server, while taking advantage of Apache Accumulo’s cell level security. Apache Accumulo is based on Google’s BigTable design and is built on top of Apache Hadoop, Zookeeper and Thrift. Gartner recently named Sqrrl a 2014 Cool Vendor.

“Integration between Sqrrl Enterprise and Hunk opens the door for our joint customers in the U.S. Department of Defense, intelligence community and private sector to benefit from rapid schema-less search, analytics …

» Continue reading

routr : App that Shares Splunk Alerts on Social Media

What is routr?

routr is a simple if-this-then-that workflow app to share Splunk alerts on your Twitter or Tumblr. It is easy to install, configure and run. This app is bundled with a sample Splunk saved search that looks for failed login events and posts a tweet on Twitter or an article on Tumblr whenever the alert is triggered from your Splunk instance. The search runs every 1 minute and looks for matching events in the previous 1 minute.


Requirements to run this app?

  1. Splunk installed
  2. Twitter and/or Tumblr account

How To Obtain Twitter OAuth And Access Tokens?

  1. Sign up at Twitter if you are new to Twitter.
  2. Go to
  3. Click “Create New App”
» Continue reading

Quick Tip: Wildcard Sourcetypes in Props.conf

Here is a quick one I use often. Here is an excerpt from props.conf.spec:

* This stanza enables properties for a given <spec>.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an event.
3. source::<source>, where <source> is the source, or source-matching pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed source type
   classification rule.
These are only considered as a last resort before generating a new source type based on the
source seen.
However, I often want to wildcard a sourcetype for …

» Continue reading

RDP to Windows Server from a Splunk Dashboard

Say you are browsing a Splunk dashboard and notice something odd in the data about a Windows server, and you feel compelled to remote in to that server to do some more investigation. Sure, you could pull up your favorite RDP client and connect. Or, you can save a couple of clicks and RDP to your server directly from the Splunk dashboard in one click.

Here is what the end result looks like in a dashboard:

RDP from Splunk

Clicking the RDP icon generates a .rdp file on the fly. Your system’s file type association picks up the .rdp file and launches the RDP client with the correct parameters filled in.

RDP Connection

Generating a .rdp File on the Splunk Server

To RDP to …

» Continue reading

What’s new in TA-windows 4.7.0?

If you are a Windows admin and use Splunk, then you’ve likely deployed Splunk_TA_windows on your endpoints. It’s a central method for handling Windows data and has all the extractions you need to handle Windows event logs. We’ve just released version 4.7.0. So what’s new, and should you upgrade?

The first thing we did was organize the data. The well-considered best practice is not to put data in the default index. Yet here we were, putting data in the default index. That has now changed. By default, we create three indices for you:

  • perfmon is used for performance data
  • wineventlog is used for event logs
  • windows is used for everything else

This change will not affect you if …

» Continue reading

Indexing data from SaaS solutions running on relational databases

As we began work on building the app, I was again face to face with a familiar challenge…a challenge that you would encounter any time you want to ingest structured data coming from a SaaS-based application that is running on a back-end relational database. In such a SaaS-based environment, the data is usually exposed via a REST, Web services API or similar. As you know, in a typical relational database, all data is stored in multiple tables and records are linked across tables using IDs. For instance, the Incident table in ServiceNow does not have the Username that created that ticket but has a User Identifier (a long cryptic string) referencing another record in the “Users” table that includes the …

» Continue reading