Be Nice To Your Users ... And Your Lookups!


In today's blog I will describe a method that we recently used at a customer site in order to solve a problem for a portion of their Splunk user base. This group does consist of frequent and avid users of Splunk, however they have a fairly low permission level and for the most part, are not the most tech-savvy. Their use of Splunk is limited to only one app and the pre-built dashboards within it. 

The requirement for this user group was as follows: They wanted a lookup table where they could enter some notes for specific product ids. They also wanted this...

Macros and Tokens: Getting the Best Use of Them

While at a client recently, I had the task of creating a dashboard with the ability to look at Linux and Windows data's highest points and averages. The Windows and Linux data needed to be viewed separately, but still have the ability to view the data in total. To accomplish this, I created a base search using six macros: two to encompass both operating systems with each calculation mode, and two per operating system for each calculation mode.My first step was to create the macros. This is done by Settings > Advanced Search > Search Macros. Once at this page, click “New”. You will be...

Integrating External Asset Databases with the Splunk App for Enterprise Security


In this post I'd like to cover an approach for integrating an external asset database with the Splunk App for Enterprise Security (ES).  This post is relevant for people just starting out with ES or who have used it for a while and want to improve the integration of their assets information with the application. 

For those wondering what an assets list is in the context of ES, it's a list containing information (such as...

Splunk, Now You See Me, Now you Don't!

Splunk allows customers the flexibility to create their own visualizations. While at a customer we created a cool way to hide and have panels pop up when you click on a single panel. All of these searches are internal so you can test on your Splunk Instance, and then change it to your desired results!


The Simple XML will look something like this: 


<dashboard script="example_single_panel_inline_drilldown.js">

<label>Single panel inline drilldown</label>


Storing Terabytes to Petabytes of Data? A Formidable Solution: NetApp's E-Series

Organizations around the world and throughout many industries are continuously producing massive amounts of data that need to be analyzed, tracked, and safely stored. 

As we know, Splunk enables us to produce an insight through an analysis and through dashboards of 'Big Data’ applications and workloads. Splunk provides us with the most accurate results, yet an appropriate storage system is needed for those organizations that are managing and storing terabytes to petabytes of critical data. NetApp’s E-Series storage systems were designed to handle the high performance and reliability...

Normalizing Data Fields using Eval and Case


Lately I’ve been working with a lot of Windows Security logs with different Event Codes. I wanted to set the field “src_user” but Splunk was auto-extracting field value pairs to other field names. This was particularly frustrating because I wanted to map events with different Event Codes to the same data model. In order to map different fields to “src_user,” I would need to normalize the different field names to “src_user.” Below, I go though an example using a case statement that worked perfectly and may be useful to others who come across a similar issue.


Splunk SDK for Python: Getting Data In

Splunk SDK for Python: Getting Data In

Data is a pivotal part of a Splunk Enterprise deployment.  Every configuration and enhancement we make is centered on a particular dataset. As a result, Splunk provides different options for getting data into Splunk Enterprise in order to turn that data into decision-making information. The most common ways of getting data into Splunk are via UF forwarders, syslog, scripted inputs, and modular inputs.  For this post, I’m going to focus on getting data from a remote interface into Splunk via HTTP utilizing Splunk SDK for Python...

Function1 Announces Sponsorship of .conf2015

Function1 today announced it is a Giga sponsor of .conf2015: The 6th Annual Splunk Worldwide Users' Conference. .conf2015 will feature more than 165 sessions, including more than 80 customer presentations, and is expected to attract thousands of IT, security and business professionals who know the value of their data. The conference will be held September 21 – 24, at the MGM Grand Las Vegas, with three days of optional education classes through Splunk University®, September 19 – 21, 2015.

Longtime Splunk partner and one of...

Being Unique is All About Being Different

Unique: (adjective) Existing as the only one.

Being unique is something we strive for, to be the only one of “us”. Wouldn’t you like for your Splunk app to be the same? For customers to use your app and see your color, your logo, your complete customization.


Here is my app, F1 Demo, as “bare bones” or basic.

Stay In Touch