Splunk ES - Lets Correlate

Splunk ES – Creating Custom Correlation Searches


In today's blog I will be discussing one of the very valuable features of the Splunk App for Enterprise Security. Correlation searches provide a very highly customizable level of security based detection and alerting within Splunk and ES.


What is a Correlation Search?

A correlations search is a type of saved search used to detect suspicious events or patterns in your data. If a suspicious event is detected, a notable event is created. The notable event...

Ninjas on a Mission: Things to Know When Migrating Your Splunk Deployment

Splunk is a journey. Whether you are a newbie playing around with Splunk on your local machine or have a multi-instance distributed Splunk deployment, your knowledge of Splunk is always evolving. Typically, the more you know about Splunk, the more you want to do with Splunk. Often, proof of concepts (POCs) turn into production environments and soon enough you’re increasing your license and looking into new architecture. Congratulations, you have become a full on Splunk ninja! Now, how do we migrate your current Splunk deployment to ‘beefier’ hardware,...

Clustering: It's Not Just For Indexers

The release of Splunk Enterprise 6.2 introduced several great new features and enhancements. The new capabilities center around a new faster interface designed to assist with data onboarding, easier analytics and event pattern detection, and improved scalability and centralized management. While I would definitely recommend exploring the first two topics, this blog will focus on the latter. Core to the improvements in scalability and centralized management within Splunk Enterprise 6.2 is the introduction of Search Head Clustering. Search Head Clustering (SHC) is a direct replacement for...

Generating Splunk Buckets


Recently, we worked with a client that was using a multi-tiered storage configuration for their Splunk deployment.  One tier was used for hot/warm data and the other tier for cold storage.  We wanted to test the cold storage tier specifically.  We used the Splunk event generator to produce data and tweaked some index settings to generate buckets (if you haven’t used the event generator before, here's a previous blog post for reference). 

Index Configuration

In the...

Jazzing Up Your Dashboards: Dynamic Drilldown 101

Time and time again, our customers find the most value in Splunk when they can visualize their data. By using the tokenization of certain fields, customers have the ability to drilldown into certain elements of their data. Drilling down into maps, charts, and graphs within the same dashboard, gives customers the ability to pinpoint problems and solutions quickly and efficiently. Now that Splunk utilizes simple XML for dashboard design, jazzing up your dashboards is easier than ever before!

Using sample data, I will walk you through some of these dynamic features below.


Extending the Power of Pivot

Data models were introduced with the release of Splunk 6 back in Oct of 2013. By now, Splunk users are aware of the pivot feature that allows them to build various types of reports that are fueled by data models without having to know the Splunk Search Processing Language (SPL). The Pivot Editor is a great way to build these reports, it allows users to simply point and click their way to creating reports/charts/graphs that provide great insight. This feature is great for users that only want to use the Pivot Editor to create their reports. However, you cannot add the Pivot Editor to a...

Join Function1 at .conf2014!

It’s the most wonderful time of the year (for Splunk aficionados)! Function1 is proud to announce our Level 2 sponsorship of .conf2014: The Fifth Annual Splunk Worldwide Users’ Conference at the MGM Grand in Las Vegas. With 150 sessions and more than 70 customer presentations, it’s no surprise that .conf2014 organizers are anticipating a record attendance of more than 4,000 IT and business professionals. Introduce yourself at the Function1 booth or join us during our two breakout sessions where our Splunk-certified consultants will be offering attendees powerful insight into dynamic new...

Introducing the Red Hat Storage App for Splunk Enterprise

Welcome Splunkers! Today, we are proud to announce the release of the Red Hat Storage™ App for Splunk Enterprise™ on the Splunk Apps site.  This app is the result of collaboration between the Operational Intelligence Team at Function1 and the Red Hat Storage Server team.  The app provides operational insight for your Red Hat Storage Server (RHSS) deployment.

For those that aren’t familiar, Red Hat Storage Server

“…is an open software-defined...

Splunk and Symantec Intelligence, Better Together

Over the past few months, we have been working closely with Symantec™ to debut an exciting new Splunk App. Today, we are proud to announce the 1.0 release of the Symantec DeepSight™ Security Intelligence App for Splunk Enterprise on Splunkbase. Download it today! This app is the result of a collaborative effort between the Operational Intelligence Team at Function1 and Symantec’s Cyber Security Group.

This app works in tandem with...

Splunk Multisite Clustering

Splunk 6.1 – Introducing Multisite Clustering


With the release of Splunk Enterprise 6.1 have come many new features and enhancements. The initial reaction may be to question if upgrading to the new version is truly worth the effort. In this post I will describe one of the great new features in Splunk 6.1 that may turn your answer to that question into an unequivocal “yes”.

Introducing multisite clustering

First, allow me to propose a conundrum that many Splunk administrators within multi-site organizations may...

Stay In Touch