Think small, search faster

Compared to a few years ago, it is almost unbelievable that we are able to sift the amount of data we can, and the speed with which we can do it. But like the fast cars we drive today that are much faster than similar cars of yesteryear, we get used to the speed we have, and soon wonder: “can it go faster?”

Yes, but with some conditions.

Like turbocharging, supercharging, and enlarging the displacement in cars (all valid ways to make a fast car go faster), in Splunk there is Report Acceleration, Summary Indexing, and searching tsidx files directly. Each has its own benefits and...


Splunk lost its keys

You have a working Splunk environment, and decide to use the deployment server functionality to make deploying apps and managing configuration files easier.

You start by setting up the serverclass.conf file for the forwarder as follows:

[global]
# Keep evaluating the remaining server classes after a client matches one
continueMatching = true
whitelist.0 = *
restartSplunkd = false
# Matches deployment clients whose name, hostname or IP contains "spkfwd"
[serverClass:forwarder_serverclass]
whitelist.0 = *spkfwd*
# Apps deployed to every client in this server class
[serverClass:forwarder_serverclass:app:forwarder_inputs]
[serverClass:forwarder_serverclass:app:forwarder_outputs]


Next, you set up the deploymentclient.conf on the...


Splunk App for Enterprise Security and PCI Compliance Correlation Search Drill-downs

Introduction

Welcome! In this post we'll talk about time ranges in correlation search drill-downs in two apps, the Splunk App for Enterprise Security (ES) and The Splunk App for PCI Compliance (PCI).

Correlation Searches and Drilling Down

Okay, so what exactly are we talking about regarding correlation searches and drilling-down? ...


Splunk, Where's my Props?!

Here’s the scenario. You find the perfect app for your data. You onboard the data, configure all your files, and look through all your dashboards to finally see the views you have been waiting for. Then your greatest fear is realized: your dashboards are not working! You troubleshoot the searches in your dashboards and find that the fields needed for the search do not exist. Where are your field extractions?

Once you see that everything seems to be configured right on your app, you go through the TA apps you installed to make sure everything is working together. Everything seems to be...


Troubleshooting the Splunk App for Enterprise Security

Intro

Welcome Splunkers! In this post, I'd like to talk about an issue I encountered recently when working on a Splunk App for Enterprise Security v2.2.1 (ES app) deployment and the approach I took in troubleshooting it. But before getting started, I'd like to congratulate Splunk and their Security Products team for winning the SC Magazine Award for "Best Security Information/Event Management (SIEM) Solution." Cheers to a job well done!

Initial Installation

As per...


Taking a closer look

Ever have a well-formed search on Splunk that is running too slowly? Of course, searches can always go faster, but there are times when it really seems like something is holding back your search speed. That leaves you wondering where in the chain of information transfer the problem really is. And just when you're about to throw your arms up in despair: don't worry, the job inspector is here!

The job inspector is one of those tools Splunk provides that is often overlooked because of the plethora of other, better-known tools. A quick glance at so many details in one...

Passing Time

System monitoring dashboards are something we are often asked to provide for our clients. Normally, this is a pretty straightforward task, but on a recent client engagement, I was presented with one requirement that was a bit out of the ordinary. This client was looking to monitor a set of ten desktops with a real-time dashboard that would display in their office. They wanted to see all of the standard metrics like CPU, memory, and disk. If there was a spike in a time chart for, say, % CPU Usage, they wanted to be able to click on the spike and drill down into another view. They wanted the...


Simulating Data with the Splunk Event Generator

While installing a new app on your Splunk search head can usually be considered a rather benign action, sometimes the introduction of a TA on your forwarders and indexers requires more attention. This is commonly the case, especially if your production environment is guarded by change control. The problem is that without the data generated by those inputs your newly installed app may not display properly, and without seeing your new app’s dashboards populated with data, you may not be able to conclude how useful it really is. I suppose deploying a fully mirrored “dev” environment to...


Getting a Pulse on Your System: How to Build a System Health Indicator in Splunk

Welcome Splunkers! I hope everyone is having a great New Year. We certainly are, here at Function1. We just publicly released a beta version of our Splunk for Oracle WebLogic Server app to Splunkbase, as mentioned in a recent post. As part of the Splunk products team at Function1, I'm always looking at new ideas and approaches in Splunk app development. As Splunk apps become more robust, they will...

