SQL Injection
Last year, I created an app template to detect whether your users went to a phishing web site where you would supply the app the sourcetype name of your proxy logs and the URL destination field where they went. You can still download this Phishing app template from Splunkbase. In the same manner, I have created an app template called SQL Injection Search that you can download from Splunkbase.
Install the app and provide either of the two form search dashboards the name of your sourcetype representing your web logs (e.g., access_combined) and the name of the field in the sourcetype that represents the URI query string (e.g., uri_query). One form search uses patterns to detect if possible…
Microsoft Patch Tuesday! Are your servers patched?
It’s my most favorite time of the month – Patch Tuesday! Ok, I might be slightly exaggerating there. Let’s face it. It’s a pain in the neck. I have to go around to every server in my development environment and ensure that all the critical patches have been taken care of. Usually, this means a trip to Windows Update, or checking the logs of the Windows Server Update Services (WSUS) server. Today, I woke up and decided Splunk was going to assist with this.
Letters from a Splunk Admin
No one writes letters anymore. It’s been such a long time since I’ve written a letter, it got me thinking what I would even write about… which then got me thinking what would a Splunk Admin write a letter about? If your awesome Splunk Admin were to write a letter, it might go something like this…
Learn More about PowerShell and Modular Inputs
For over five years, I have been working with co-host Jonathan Walz on the PowerScripting Podcast, a weekly Internet radio show. The primary topic of the show is the Windows PowerShell scripting language. We like to talk about news, tips, and resources related to the PowerShell community, but the biggest part of most shows is the interview. We’ve had a wide variety of guests on the show, ranging from prolific scripters who enjoy sharing their work, to PMs, architects, and engineers from the largest software and hardware vendors in the world, including Microsoft, IBM, Intel, NetApp, and more.
Recently, we caught up with Joel Bennett, a Windows PowerShell MVP awardee, who also happens to be my teammate on…
Developing Modular Inputs in C# – Part 1
One of the cool new features of Splunk 5.0 is modular inputs, and we’ve already seen some great examples of this, such as the built-in perfmon gathering modular input and the Splunk Addon for PowerShell. However, the examples that are provided in the documentation are in Python. When I started writing my own modular input, I saw that much of the process of writing a modular input is scaffolding and repeatable. Thus I set out to write an SDK that would alleviate much of the scaffolding and provide a good framework for writing modular inputs. This multi-part series will cover the same process by writing a C# version of the Twitter example from the documentation.
Network Inputs – Best Practices…
When architecting a Splunk deployment, there is almost always a requirement to support syslog event streams from many devices. While Splunk can easily accept syslog data directly from these external devices, you may be wondering if there are best practices around this. For you long-time Splunk users, this should be old news and possibly a refresher. For you new Splunk users, read on…
So what do the experts do with Network Inputs?
First, I’ll defer you to another post about deciding when to use a Forwarder to route the data into Splunk: http://blogs.splunk.com/2011/10/24/choosing-a-forwarder-or-not/. There are important concepts in that blog that will help decide your best setup with respect to forwarders. So let’s think about the layers outside…
Are all my Microsoft Servers being Splunked?
I recently got asked a question – how can I tell if all my Microsoft servers are being Splunked? Interesting question, and one without a good solid answer. But we have all the bits, so let’s take a look at what it would take to answer that question. First off, let’s assume that by “Is a Server being Splunked?” we mean that the server in question has a universal forwarder on it, is hooked into a deployment server, and is sending events to an indexer. All these bits need to have the events land within the same environment.
Capturing Omniture (or Google Analytics, or Webtrends) Data into Splunk
Option #1: CSV Export
…
Mobile Analytics with Storm (Part 2)
In the previous article “Mobile Analytics with Storm”, we discussed how to configure the logging library for mobile apps to send stacktrace messages to Storm via REST API. To make this logging library more usable and robust, mobile app developers are now able to send invaluable stacktrace messages via TCP (through the Network Inputs option). The configuration steps are incredibly simple and are summarized using the diagram shown below:
- Click on “Network data” to enable Storm to receive data via TCP
- Click on “Authorize your IP address” so that Storm receives data only from authorized IP address(es). Please take note of the “IP/Port combination” in “Send data to” – we are going
…
Hadoop rant
Hadoop’s rise to fame is based on a fundamental optimization principle in computer science: data locality. Translated into Hadoop speak, this would be: move computation to the data, not the other way around.
In this post I will rant about one core Hadoop area where this principle is broken (or at least not implemented yet). But, before that I will highlight the submission process of a MapReduce job that processes data residing in HDFS:
On the client:
1. gather all the correct confs, user input etc ...
2. contact NameNode to get a list of files that need to be processed
3. generate a list of splits that need to run Map tasks on, by:
3.1 for each file returned in
…