Splunk takes a flexible approach to license enforcement with Splunk Enterprise 6.5

I can’t believe that Splunk .conf2016 is already behind us. If you joined us in-person in Orlando or watched the keynote on Splunk.com, you know an important theme for Doug Merritt, Splunk President and CEO, is making it easier to do business with Splunk. In his keynote, Doug announced an important change to Splunk Enterprise – the removal of metered license enforcement.

We know that Splunk plays a mission-critical role for your business. With metered enforcement, unanticipated data growth or bursts of new data during an incident investigation could cause disruption in your Splunk operations. So starting with version 6.5, Splunk Enterprise no longer disables searches when you exceed your licensed data ingestion quota.

This will be standard for any …

» Continue reading

Smart AnSwerS #79

Hey there community and welcome to the 79th installment of Smart AnSwerS.

It was great meeting a good handful of folks at .conf2016 just two weeks ago, and finally getting to put more faces to names among our awesome Splunk community. The enthusiasm, excitement, and overall energy throughout the conference is always revitalizing, reminding us Splunkers how important it is to maintain an open environment and culture moving forward. It’s thanks to the feedback of the many users in every type of role and level of experience that continue to make Splunk what it is today. I’m looking forward to more good times of learning and engaging with you all in the coming year.

Also, big congrats to our …

» Continue reading

Dashboard Digest Series – Episode 2: Part Deux

Before moving on to Episode 3, I decided to do a part two of Episode 2 – Waves! The reason is two-fold: 1) Splunk Enterprise 6.5 was recently released, and 2) Hurricane Matthew had quite the effect on some of these buoys/stations. See the original blog post here: Dashboard Digest Series – Episode 2

Purpose: Display meaningful statistics on NDBC buoy information in historical and real-time.  Easily drilldown, aggregate and visualize data from 1000s of buoys transmitting information.
Splunk Version: Splunk 6.5 and above for table coloring
Data Sources: Polling NDBC RSS feed that produces JSON payload
Apps: Add-on for NDBC, Custom Cluster Map Visualization, Clustered Single Value Map Visualization, …

» Continue reading

Building add-ons just got 2.0 times easier

Are you trying to build ES Adaptive Response actions or alert actions and need some help? Are you trying to validate your add-on to see if it is ready to submit for certification? Are you grappling with your add-on setup page and building credential encryptions? If you are, check out Splunk Add-on Builder 2.0.

Below is a brief overview of what’s new in Add-on Builder 2.0:

  • You can now leverage the easy-to-use, step-by-step workflow in Add-on Builder to create alert actions and ES adaptive response actions. No need to deal with .conf files and Python, let the tool do the work for you.
  • The validation process has been enhanced to include App Certification readiness. This validation process can also be performed on apps and add-ons

» Continue reading

Buttercup Games – Level 3: The One-Millionth Flap
On the final day of .conf2016 some of us were having dinner and I noticed the number of total flaps was approaching 1 million. That means people tapped their screen nearly 1 million total times to make Buttercup fly! So of course I needed to open a real-time search and watch it click over.

This made me wonder who was the person who actually touched their screen for the 1 millionth time? The answer is always just a search away in Splunk.


Congratulations to Mike Ruszkowski, I hope bells rang and confetti rained! I know my co-worker Matt Oliver (at the top of the table above) was gunning for that 1 millionth flap.

Beyond the millionth flap there have been some other impressive statistics. I’m …

» Continue reading

Encrypt a Modular Input Field without using Setup.XML

Modular Inputs are a great addition to Splunk Enterprise. One of the things I really like about Modular Inputs is that they allow you to create inputs that “look and feel” as if they were part of the Splunk installation by providing a nice user interface for parameter input.

But, what if you need to encrypt a Modular Input value? This could be a password, OAuth secret key, or some other confidential piece of information. Traditional Splunk applications use setup.xml and the storage/passwords endpoint to accomplish this. If you just need to encrypt an input value specific to the input (as opposed to the entire application), it may be cumbersome to the end user to first run through a setup.xml …

» Continue reading

Analyzing the Mirai Botnet with Splunk

On September 20th, the largest Distributed Denial of Service attack ever recorded targeted security researcher Brian Krebs. This attack was made up of Internet of Things (IoT) devices such as cameras, wireless controllers and internet-enabled devices, peaking at 400,000 total. Now dubbed the “Mirai botnet”, these devices scanned the internet for devices running telnet and SSH with default credentials, infecting them and further propagating. The source code for the botnet has since leaked to GitHub, where further analysis is underway by security researchers.

During the infection time period, I happened to be running a honeypot and captured some infection attempts on my own system. Using Suricata and /var/log/secure.log I can correlate invalid login attempts associated with Mirai with malicious …

» Continue reading

Congratulations to the 2016-17 SplunkTrust MVPs!!!

Welcome back from .conf2016, everyone! It’s been a tremendous good time for all of us at Splunk, and we’re hoping those of you who were able to join us got as much out of it as we did. Among the other opportunities we took to recognize our outstanding customers and partners this year was the announcement of this year’s SplunkTrust Community MVPs.

We created the SplunkTrust Community MVP program to recognize our community’s top contributors, and to involve them in planning and policy decisions as our community grows. These community members have shown the very highest level of commitment to helping others succeed with Splunk, and are the second year’s SplunkTrust member roster:

[Photo: 2016-17 SplunkTrust inductees with Doug Merritt and Rachel Perkins]

» Continue reading

Introducing Splunkbase Curated Experience

There are about 1,200 apps in Splunkbase today. Up until now, the typical ways to look for an app on Splunkbase have been to either search for the app, or filter through multiple apps based on several filter criteria. We have not recommended apps to our user community in the past. With the launch of curated experience at Splunk .conf2016 we are changing this by bringing the notion of “curation” to Splunkbase.

We believe this will improve the app browsing and discovery experience for our users by highlighting apps that provide the most value. The main emphasis here is on “curation of content” by a team at Splunk – sifting through all the apps on Splunkbase, and highlighting these …

» Continue reading

Buttercup Games – Level 2: Buttercup Go data

Buttercup Go is thriving: 4,234 people have played the game, and lots of data is being generated. In this post I’ll walk through some of the data we are generating.


The data includes web, OS, load balancer, network, firewall, other AWS data, etc. There are a few other data sources I want to point out specifically.

Authentication Data

We wanted to allow users to play right away, without the need to sign up. Auth0 was a perfect choice. It was quite easy to use and gave us everything we needed. Not only did it allow many authentication options (think Google, Facebook, Twitter, LinkedIn, etc.), but Auth0 also generated great data and could send it directly into Splunk. Here was the breakdown of how people …

» Continue reading