MS Windows, Splunk App for Enterprise Security 3.0 and the Case of the Disappearing Assets and Identities

Are you wondering where your Assets are?  Why you can't find your identities, perhaps? Are you on Windows? With the recent release of version 3.0, there has been huge improvements in the power of the ES app, and the ease of its use. The Assets and Identities are one of the cornerstones of the ES app, and there is a major change in the way these files operate in ES 3.0 compared to ES 2.4.

Asset management provides additional information about the source and targets of events. This information can be used to correlate multiple events to a single host, identify the location of the host...


Charting Time over Time in Splunk

 

In the business world, people are looking at ways to constantly improve processes and systems. The only way to determine if progress is being made is to compare performance over a period of time to that same period of time a day ago, a week ago, a month ago, or even longer.

Since Splunk gives companies the ability to store and search data over a variety of time periods, this should be an easy task to do, right?

Not so fast…

While Splunk is driven by time, the answer is a little more complex than that.

Let’s say for example that you would like to chart...


Accelerated Data Models in a Distributed Splunk Environment

Splunk v6.0.1 is packed with new features that enhance the user experience and can provide useful, lightning fast reports. For a full overview of the new features check out this link: Splunk 6!

One of the new features that provide users the ability to build exceptionally fast reports is data models. Users can use the structure provided by the data models to create pivot tables, all without knowing Splunk’s search language. Pivot users select the data model they are interested in, then point and click their...


Measuring Splunk Indexer Performance with IOMeter

Welcome! In this post I'd like to cover testing the I/O performance of your indexer to its storage sub-system.

'After the party, it's the hotel lobby'

You can think of your indexer as the lobby of a busy hotel with the hotel guests being your data. In this hotel, guests are constantly streaming into the lobby (raw event data). At the same time, guests are frequently leaving the hotel (search queries) to go on around the city, either periodically in buses (scheduled saved searches) or in an ad-hoc manner by taxi (user searches). To prevent the lobby from filling up from the...


Using HTTP with a HTTPS Proxy Forwarder in Splunk

I recently ran into an issue  with the Splunk Forwarder and found that we can solve it with a simple python script udpate.  This is applicable to the Salesforce app for Splunk, but could be applicable to other use cases as well.

Here, the requirement was to install the Salesforce TA into Splunk and configure the TA to pull data from Salesforce into Splunk. After downloading the TA and enabling the necessary inputs from Salesforce, I checked Splunk for data…nothing.

Why isn’t the Salesforce data coming into Splunk??

Next, I went to the internal logs in Splunk by...


Off the beaten path - Splunk search head pooling without search head pooling?? Its possible...

Recently I was working with a client that was Splunk savvy and they wanted to try to implement something that was, what I would consider, off the beaten path.

Here is the challenge:  

This client was looking for a way to be able to take advantage of having multiple search heads for high resource availability and resiliency, without taking a hit on performance. One approach to go about providing high availability and resiliency of search heads is to use a Splunk feature called...


Think small, search faster

Compared to a few years ago, it is almost unbelievable that we are able to sift the amount of data we can, and the speed with which we can do it. But like the fast cars we drive today that are much faster than similar cars of yesteryear, we get used to the speed we have, and soon wonder: “can it go faster?”

Yes, but with some conditions.

Like Turbocharging, Supercharging, and enlarging the displacement in cars-- all valid ways to make a fast car go faster, --in Splunk there is Report Acceleration, Summary Indexing, and searching tsidx files.  Each has its own benefits and...


Splunk lost its keys

You have a working Splunk environment, and decide to utilize the deployment server functionality to make the deployment of apps and management of configuration files easier.

You start by setting up the serverclass.conf file for the forwarder as the following:

[global]
continueMatching = true
whitelist.0 = *
restartSplunkd = false
[serverClass:forwarder_serverclass]
whitelist.0 = *spkfwd*
[serverClass:forwarder_serverclass:app:forwarder_inputs]
[serverClass:forwarder_serverclass:app:forwarder_outputs]

 

Next, you set up the deploymentclient.conf on the...


Splunk App for Enterprise Security and PCI Compliance Correlation Search Drill-downs

Introduction

Welcome! In this post we'll talk about time ranges in correlation search drill-downs in two apps, the Splunk App for Enterprise Security (ES) and The Splunk App for PCI Compliance (PCI).

Correlation Searches and Drilling Down

Okay, so what exactly are we talking about regarding correlation searches and drilling-down? ...


Stay In Touch