Splunk and Symantec Intelligence, Better Together

Over the past few months, we have been working closely with Symantec™ to debut an exciting new Splunk App. Today, we are proud to announce the 1.0 release of the Symantec DeepSight™ Security Intelligence App for Splunk Enterprise on Splunkbase. Download it today! This app is the result of a collaborative effort between the Operational Intelligence Team at Function1 and Symantec’s Cyber Security Group.

This app works in tandem with...

Splunk Multisite Clustering

Splunk 6.1 – Introducing Multisite Clustering


With the release of Splunk Enterprise 6.1 have come many new features and enhancements. The initial reaction may be to question if upgrading to the new version is truly worth the effort. In this post I will describe one of the great new features in Splunk 6.1 that may turn your answer to that question into an unequivocal “yes”.

Introducing multisite clustering

First, allow me to propose a conundrum that many Splunk administrators within multi-site organizations may...

MS Windows, Splunk App for Enterprise Security 3.0 and the Case of the Disappearing Assets and Identities

Are you wondering where your Assets are?  Why you can't find your identities, perhaps? Are you on Windows? With the recent release of version 3.0, there has been huge improvements in the power of the ES app, and the ease of its use. The Assets and Identities are one of the cornerstones of the ES app, and there is a major change in the way these files operate in ES 3.0 compared to ES 2.4.

Asset management provides additional information about the source and targets of events. This information can be used to correlate multiple events to a single host, identify the location of the host...

Charting Time over Time in Splunk


In the business world, people are looking at ways to constantly improve processes and systems. The only way to determine if progress is being made is to compare performance over a period of time to that same period of time a day ago, a week ago, a month ago, or even longer.

Since Splunk gives companies the ability to store and search data over a variety of time periods, this should be an easy task to do, right?

Not so fast…

While Splunk is driven by time, the answer is a little more complex than that.

Let’s say for example that you would like to chart...

Accelerated Data Models in a Distributed Splunk Environment

Splunk v6.0.1 is packed with new features that enhance the user experience and can provide useful, lightning fast reports. For a full overview of the new features check out this link: Splunk 6!

One of the new features that provide users the ability to build exceptionally fast reports is data models. Users can use the structure provided by the data models to create pivot tables, all without knowing Splunk’s search language. Pivot users select the data model they are interested in, then point and click their...

Measuring Splunk Indexer Performance with IOMeter

Welcome! In this post I'd like to cover testing the I/O performance of your indexer to its storage sub-system.

'After the party, it's the hotel lobby'

You can think of your indexer as the lobby of a busy hotel with the hotel guests being your data. In this hotel, guests are constantly streaming into the lobby (raw event data). At the same time, guests are frequently leaving the hotel (search queries) to go on around the city, either periodically in buses (scheduled saved searches) or in an ad-hoc manner by taxi (user searches). To prevent the lobby from filling up from the...

Using HTTP with a HTTPS Proxy Forwarder in Splunk

I recently ran into an issue  with the Splunk Forwarder and found that we can solve it with a simple python script udpate.  This is applicable to the Salesforce app for Splunk, but could be applicable to other use cases as well.

Here, the requirement was to install the Salesforce TA into Splunk and configure the TA to pull data from Salesforce into Splunk. After downloading the TA and enabling the necessary inputs from Salesforce, I checked Splunk for data…nothing.

Why isn’t the Salesforce data coming into Splunk??

Next, I went to the internal logs in Splunk by...

Off the beaten path - Splunk search head pooling without search head pooling?? Its possible...

Recently I was working with a client that was Splunk savvy and they wanted to try to implement something that was, what I would consider, off the beaten path.

Here is the challenge:  

This client was looking for a way to be able to take advantage of having multiple search heads for high resource availability and resiliency, without taking a hit on performance. One approach to go about providing high availability and resiliency of search heads is to use a Splunk feature called...

Think small, search faster

Compared to a few years ago, it is almost unbelievable that we are able to sift the amount of data we can, and the speed with which we can do it. But like the fast cars we drive today that are much faster than similar cars of yesteryear, we get used to the speed we have, and soon wonder: “can it go faster?”

Yes, but with some conditions.

Like Turbocharging, Supercharging, and enlarging the displacement in cars-- all valid ways to make a fast car go faster, --in Splunk there is Report Acceleration, Summary Indexing, and searching tsidx files.  Each has its own benefits and...

Stay In Touch