Adhering to least privilege in Splunk

Least privilege is a common security practice where systems grant users only the minimum permissions necessary to do their work. It prevents users from harming things they ought not harm. It is a great rule of thumb. However, policies for enforcing this practice grow complicated in large organizations where people change roles and move on frequently.

Removing privileges from former employees is the most basic use case. An employee resigns, turns in her badge and waves good-bye. Yet, the employee...


Growing your Splunk Deployment

Intro

Growth. It's important in so many aspects of our lives: our careers, health, and relationships. The famed motivational, self-help guru Tony Robbins says that beyond our basic needs, we need growth and giving back in order to truly be fulfilled. In addition to adding to ourselves, sometimes growth requires us to rebuild a portion of ourselves. Well, Splunk is no different. In order for it to keep its self-esteem high, it also needs to grow. In this blog post I wanted to cover a process to expand the number of indexers in an existing Splunk deployment while also...


Splunk 6.5 Under the Hood: Clustering Enhancements

Intro

By now I’m sure you’ve heard about the release of Splunk Enterprise 6.5. Those of you who were at .conf 2016 got to see many of the new features during the keynotes, in sessions, and at the various booths.

Splunk Enterprise 6.5 brings lots of great enhancements related to user experience such as table datasets, conditional table formatting, dashboard editing, and enhanced search/SPL assistance. For those of you who have not had a chance to see some of the new features yet, I encourage you to check out this short video: ...


Splunk: Modular Inputs

I often blog about Drupal, but recently I worked on a Splunk App, so I thought about sharing my experience because it was an interesting one. For that Splunk App, I was on the Function1 Slack channel posting an endless stream of Splunk-related questions, and my colleagues provided tremendous support, patiently responding to my non-stop inquiries. It is great working among such a talented pool of individuals.

The gist of the Splunk App is to dynamically post a JSON request to a RESTful API (the client developed the API) that returns a JSON response, and then send the response to...


Creating a Custom D3 Application with Visualizations in Splunk

This is a slightly lengthy tutorial on creating your own D3 (or any other open source JavaScript library) visualization and app for use in Splunk. It assumes familiarity with creating Splunk Apps, as well as with JavaScript, and as such is at a more intermediate level: before creating this app, you might want to work on both your JavaScript skills and work on creating some Splunk visualizations with Splunk JS or Simple XML. You...


Creating and Using New Custom Visualizations in Splunk 6.4

Visualizations are not new to Splunk, whether XML or (D3) JavaScript, but the visualizations offered in Splunk 6.4 are the easiest and most powerful yet!

Splunk has four large improvements to visualizations:

  1. 12 New D3 Visualizations
  2. The ability to add and extend your own visualizations to the library
  3. Developer APIs...

Trimming Down your Splunk Indexer Storage with TSIDX Retention Settings

Hi everyone. Today I wanted to cover the tsidx retention feature that was released in Splunk version 6.4. This feature helps you reduce the storage costs for your indexers while keeping data actively searchable. Also in this blog, I wanted to try a new format and convey the information in an FAQ style. Please leave a comment if you found the new format helpful for learning about tsidx retention.

Tsidx File Fundamentals

First let's cover some fundamentals about tsidx files.

Q. What is a tsidx file?
A. Tsidx stands for "time-series index" file. It's...


Event Sampling - Splunk 6.4 Feature

There have been countless instances when I was on a client site and tasked with building custom dashboards on large data sets, with a requirement to search over the past 3 months or more. Each minor tweak or adjustment to the search would require me to run the entire search again, which on development systems was a huge time sink. My life would have been so much easier, and I would have saved loads of time, if there were a way to run my searches against a smaller data set. Obviously, I could achieve this by, for example, running my searches against a shorter time frame, but I would...

Splunk Knowledge... Share it Through Documentation

Anyone who has worked in professional services knows that technical documentation is always requested for any type of content delivery. Of course the importance of documentation extends far beyond the consulting realm, as it is always a good practice for organizations to document their technical content. In today's blog I will attempt to write a non-technical blog about documenting technical Splunk content.

So what should be included in Splunk content documentation? Here is a breakdown, by heading, of the information that I have found to be key in any Splunk content and use...


REST Easy with the Splunk REST API

The REST API in Splunk is something that we can use in so many different ways. In this blog, I am going to go through some searches that I built to create a dashboard that could be useful for a team.

There are so many useful searches you can run against the REST API, covering configurations, inputs, lookups, and saved searches.

For my client, we wanted to be able to see the permissions users had, the active users, the top users, and which authentication system was being used. The REST API was perfect for this!

So we wanted when the user logged on to...

