Splunk Command> diff
What’s the grooviest Splunk search command goin’ round? It’s diff man, can you dig it?
That’s right, diff. What other command is based on a *nix file comparison utility that’s been around since the early 70’s?
Splunk’s diff operates just like good ol’ diff does on a *nix platform – it compares two inputs and tells you what the differences are, in a very distinct format. But where *nix diff normally compares two files, Splunk’s diff compares the content of two events.
We can use diff to compare one field in an event to that same field in another event, or we can go for broke and have diff compare “_raw” – or the content of the entire event – …
Custom Threat Feed integration with Enterprise Security
Threat intel feeds are a good way to add security context to your Splunk data with IP addresses, domain/host names or files. These feeds are generally accessible via some manner of web requests. Splunk Enterprise Security App has a Unified Threat Management framework for integrating threat intelligence feeds that makes these integrations easy. If the threat content you need to use is easy to download, you should be able to simply use the Configure -> Data Enrichment -> Threat Lists -> New form in the ES product.
But sometimes, a feed provider may require a number of steps before we can get the actual feed. Here’s how to handle a more difficult integration easily, using Symantec DeepSight’s threat feed …
Correlating Cisco ESA with Microsoft Exchange for Message Tracking
One of the great features of the Splunk App for Microsoft Exchange is that you can track messages to the edge. It doesn’t matter what type of devices we go through, we get to see the messages and what hops they go through. Doing that requires some knowledge of the data flow and the construction of appropriate searches.
Let’s take an example of the inbound message flow. To track an inbound message, we use a macro – msgtrack-inbound-messages. The comments in the macros.conf file tell us that we need to have a table that has the date/time, message-id, cs-ip, sender, sender-domain, recipient-count, list-of-recipients and message-size. It then goes on to show off the Microsoft Exchange version. How would we alter …
Introducing the Hunk App for AWS Elastic Load Balancing
Today we’re excited to announce the addition of a new member in the class of apps that integrate with the Amazon Web Services ecosystem: Hunk App for AWS Elastic Load Balancing. Other apps in the class include the Splunk App for AWS that collects, reports and visualizes data from AWS CloudTrail and the AWS Billing App that helps you gain greater visibility and assurance in managing your AWS-hosted infrastructure.
What is AWS Elastic Load Balancing? In Amazon’s own words,
ELB is an AWS product that automatically distributes incoming application traffic across multiple Amazon EC2 instances. It detects unhealthy instances and reroutes traffic to healthy instances until the unhealthy instances have been restored. Elastic Load Balancing automatically scales its request
Announcing Splunk and Tableau strategic technology alliance
We’re very excited to announce the alliance between Splunk and Tableau Software that extends machine data insights to Tableau users. As part of a joint technology investment, the latest version of Tableau software (8.1.4) includes Splunk Enterprise as a native data source using Splunk’s recently launched ODBC driver. The integration provides Tableau users direct access to saved searches within Splunk Enterprise 6 from Tableau Desktop and Tableau Server, using Splunk’s new ODBC driver, for further data exploration and visualization.
The joint investment supports the following needs:
• Makes it easier for Tableau users to gain machine data insights – Business users who are more familiar with Tableau can now explore machine data from Splunk Enterprise, enabling new business insights from …
Correlating Windows and VMware Host Information
When you install a new virtual host on VMware, you get to give it any name you want. The name has nothing to do with what is running on the host. How can we go from the Windows information to the VMware information? We’re here to help.
Let’s take a look at the VMware side of things for a moment. If you have the Splunk App for VMware installed, then you likely already have this information. The sourcetype is “vmware:inv:vm” and there is one event for every virtual host in there. Since we need a common field on which to correlate, I’m going to choose the network interface MAC Address. The “vmware:inv:vm” event is JSON data, so we need to …
Over the day in the life of a Splunk user, he or she probably utilizes less than 50% of the available Splunk commands. It may be that the most popular commands such as stats, transaction, eval, top, timechart, chart, etc. are already sufficient to do the types of manipulation and reporting that the use case requires. Another way to look at it is that the other commands are not being utilized because of their lack of high cardinality, and hence popularity, in the abundant Splunk blogs, documentation, wikis, and answers.
In order to provide more awareness for many of these commands that are not as prevalent in use for the Splunk community, the field engineers at Splunk …
Splunk Apps installation assistant
So you were browsing the Splunk Apps portal and just found an app you’d like to try. You click “Download”, accept the license agreement and some file gets saved. Now what?
You quickly glance through the documentation to find out that you need to log in to your Splunk server, open “Manage Apps”, find the “Install app from file” button and then find the file you just downloaded… Sounds pretty boring?
If you happen to be a Chrome user, there’s some good news for you: this little extension will save you from those extra clicks. Once installed, tell it the URL of your Splunk instance and the next time you find that interesting new app on Splunk Apps, it will display a …
Introducing the Cisco Security Suite for Splunk 6
I know. I normally blog about Microsoft stuff. Recently, however, I’ve been helping out on another project – updating the Cisco Security Suite to be compatible with Splunk 6. The Cisco Security Suite is the most downloaded app on Splunkbase behind the *Nix and Windows apps and exposes Cisco specific information about your Cisco specific security devices.
We had many aims for this project, aside from just upgrading everything to work with Splunk 6. We wanted it to use the Technology Add-ons that you may already have from a deployment of Enterprise Security. If you were considering an upgrade to Enterprise Security in the future (and you should – it’s awesome), then we wanted the data you have already …
Data Model Cheat Sheet
Have you been curious about how to incorporate data models into your Splunk life, but unsure about how to take the first step? Try this cheat sheet! It takes you step-by-step through the process of thinking about your data and creating usable data models to use yourself and share with others!