Smart AnSwerS #71

Hey there community and welcome to the 71st installment of Smart AnSwerS.

There’s a lot of hustle and bustle going on as Splunkers, partners, and customers are preparing and reviewing presentations for .conf2016 just two months away. As we all wait in anticipation for the annual worldwide user conference, come join the community in a sneak peek of one of the sessions at next week’s July SplunkTrust Virtual .conf session. On Friday, July 29th @ 3:00PM Pacific time, SplunkTrustee Mason Morales will be giving a preview of his .conf2016 talk: Architecting Splunk for Epic Performance. Visit the meetup page to RSVP and access the WebEx link for the event.

Check out this week’s featured Splunk Answers posts:…

» Continue reading

If your plants could speak to you, what would they say?


I’m pretty sure mine would say “Hey Bozo, thanks for drowning me to death” or “Must… have… water… What is this, the Sahara?” Oh, and also “I hate it here, what’s it take to get some morning sun?”

I decided it was time to apply my inner nerd to reduce my plants suffering. That and happier plants mean a happier fiancé. Enter Splunk! The goal was:

  1. Keep track of moisture level in the soil.
  2. Determine best location for light intake.
  3. Combine current weather data, future forecasts and 1 and 2 above to create some machine learning models that predict when is best to water. (I’m still working on this part)

I shall call it… Operational Plantelligence! When first said aloud, …

» Continue reading

Smart AnSwerS #70

Hey there community and welcome to the 70th installment of Smart AnSwerS.

Since expanding Splunk HQ with the addition of the new building next door, things have been eerily quiet as you walk through each floor since everyone has been spread out, leaving many Splunkers feeling distant and empty. People have been missing the energy and lively vibe when everyone was all together under one roof. It was finally decided that everyone in the old building would be consolidated into the new building. So in true Splunk fashion, we’ll be celebrating with a party tomorrow for one last hurrah in our 250 Brannan courtyard before the move to bid our farewell to the old building until it undergoes its new makeover!

Check …

» Continue reading

Docker? Amazon ECS? Splunk? How they now all seamlessly work together

Today the Amazon EC2 Container Service (ECS) team announced they have added the Splunk native logging driver to the newest version of the ECS agent. This means it’s now easier to implement a comprehensive monitoring solution for running your containers at scale. At Splunk, we’re incredibly excited about this integration because customers running containers in ECS can now receive all the benefits of the logging driver, like better data classification & searching, support for flexible RBAC, and easy and scalable data collection built on top of the Splunk HTTP Event Collector (HEC).

The following is a guest blog post by David Potes, AWS Solutions Architect:

Monitoring containers has been somewhat of a challenge in the past, but the …

» Continue reading

How to Pick a Threat Intelligence Provider (kind of…)

Over my last two years-ish at Spunk I’ve been asked the question “Which threat intelligence feed should I purchase?” and “whats the deal with the viking helmet?” and “whats up with the Star Wars theme at Threatconnect”  (ಠ_ಠ at you @wadebaker) on a more than regular occurrence. And like anyone who is trying to get out of a binary question I would respond with “it depends…” and then I’d mumble something about “threat data”. Finally I’d sigh and say, “All joking aside… it depends”. I just didn’t have a great answer. Don’t get me wrong, I have personal preferences based on my experiences, but I tend to know threat intelligence providers who focus on nation-state adversaries. If you work for an …

» Continue reading

Best Practices in Protecting Splunk Enterprise

Splunk EnterpriseSplunk Enterprise helps companies collect, analyze, and act upon the data generated by their technology infrastructure, security systems and business applications. Customers use Splunk software to achieve operational visibility into critical information technology assets and drive operational performance and business results.

Splunk Apps enhance and extend the Splunk platform and deliver a user experience tailored to typical tasks and roles. Most customers make use of one or more of the 1000+ Apps available in Splunkbase.

While end-users are the main consumers of Apps, App installation requires full administrator access. We strongly discourage customers from granting this access to any user other than designated administrators.

Beyond restricting admin privileges, we recommend adopting the standard deployment and operation practices described briefly …

» Continue reading

Gaining clarity: adding a visual line break between events

splunktrust(Hi all–welcome to the latest installment in the series of technical blog posts from members of the SplunkTrust, our Community MVP program. We’re very proud to have such a fantastic group of community MVPs, and are excited to see what you’ll do with what you learn from them over the coming months and years.
–rachel perkins, Sr. Director, Splunk Community)


Hi, I’m Mark Runals, Lead Security Engineer at The Ohio State University, and member of the SplunkTrust.

If your experience is anything like mine, there have been times when you’ve put together a query that has found events of interest to you–only to have to spend extra time scanning back and forth within the results to make sure …

» Continue reading

Smart AnSwerS #69

Hey there community and welcome to the 69th installment of Smart AnSwerS.

Time has been flying by with Splunkers working incredibly hard and adapting to new changes in our office space. It’s hard to believe that we’re halfway through 2016 already, but that’s what happens when you’re constantly focused and pushing through the daily grind. Luckily, HQ and other Splunkers in the US are getting a nice 5 day Summer break starting tomorrow for the 4th of July weekend. This is our chance in the middle of the year to refresh and recharge before finishing off strong with the next couple quarters ahead. Cheers!

Check out this week’s featured Splunk Answers posts:

How to add upper and

» Continue reading

Splunking a Microsoft Word document for metadata and content analysis

The Big Data ecosystem is nowadays often abbreviated with ‘V’s. The 3Vs of Big Data, or the 4Vs of Big Data, even the 5Vs of Big Data! However many ‘V’s are used, two are always dedicated to Volume and Variety.

Recent news provides particularly rich examples with one being the Panama Papers. As explained by Wikipedia:

The Panama Papers are a leaked set of 11.5 million confidential documents that provide detailed information about more than 214,000 offshore companies listed by the Panamanian corporate service provider Mossack Fonseca. The documents […] totaled 2.6 terabytes of data.

This leak illustrates the following pretty well:

  • The need to process huge volume of data (2.6 TB of data in that particular case)
  • The need to
» Continue reading

Eureka! Extracting key-value pairs from JSON fields

With the rise of HEC (and with our new Splunk logging driver), we’re seeing more and more of you, our  beloved Splunk customers, pushing JSON over the wire to your Splunk instances. One common question we’re hearing you ask, how can key-value pairs be extracted from fields within the JSON? For example imagine you send an event like this:

{"event":{"name":"test", "payload":"foo=bar\r\nbar=\"bar bar\"\tboo.baz=boo.baz.baz"}}

This event has two fields, name and payload. Looking at the payload field however you can see that it has additional fields that are within as key-value pairs. Splunk will automatically extract name and payload, but it will not further look at payload to extract fields that are within. That is, not unless we tell it to.


» Continue reading