Splunk: One Search or Two?

Categories:

One of the most common scenarios I experience in Splunk is where I need to use data from two different indexes at once—typically in order to build management and reporting dashboards. With my background in developing applications on relational databases, my first attempts at this solution used the "join" command in Splunk. Once I realized that a combination of the "append" and "stats" commands can be a better choice, I started using those more. But today I will show an even better, faster approach!

How to delete duplicate events in Splunk

Categories:

I use Splunk to report on business objects moreso than typical security operation data. For instance, helpdesk tickets rather than firewall logs. I have created various Python scripts to import these business objects from various REST and SQL sources, and I want these import scripts to be idempotent. That is, I want to import helpdesk tickets every day, but no more than once per day, regardless of how many times the import script is called.

How to Run Jobs or Commands in Parallel using PowerShell

Categories:

Well I don't care much for PowerShell, but sometimes it is a necessary evil. I needed to run some PowerShell scripts in parallel, so I wrote a wrapper to do this. Maybe it will help you also.

Features:

  • You specify how many jobs to run in parallel
  • When one job finishes, another will be started

Note: the Start-Job commandlet takes a few seconds to do its thing.


The repo lives here: https://github.com/northben/PowerShell-Parallel-Job-Runner

Tips for parsing XML log files in Splunk

Categories:

Normally, I prefer to send CSV or JSON data to Splunk. But sometimes XML can't be avoided. I recently needed to ingest an XML file, and through judicious use of 'MUST_BREAK_AFTER' and 'BREAK_ONLY_BEFORE' in props.conf, I was able to extract the events from the XML file that looked like this:

How to: Dynamic Fields in Splunk Dashboards

Categories:

In this short tutorial I will show you how to create a dashboard table with dynamic columns. When the user selects the radio button toggles, the search does NOT run again -- only the display is updated. Demo: https://youtu.be/l-p83je4RgQ


I am including the full source code to the dashboard with this post for your review. But here's the secret sauce:

Dr. Splunk-love or: How I learned to start indexing and love the CSV

Categories:

I've been having trouble indexing CSV files. In particular, CSV files from Tripwire. I'll show you the format and how I was able to index the files in Splunk

 

Node Name,Node Type,Policy,Parent Test Group,Test Name,Description,Element,Result Time,Result State,Actual Value
"192.168.1.1",Linux Server,"My Policy Name","My Test Group","My Test Name","My Test Description","Some Element",10/25/15 2:02 AM,passed,"ELEMENT=foo"

Here's my Props.conf stanza:

How to prevent a webpage from closing

Categories:

I needed to prevent a webpage from closing automatically. Turns out this is very easy to do with JavaScript!

Month-over-Month data in Splunk

Categories:

I've been working with Splunk Enterprise a lot lately (and it's very powerful and easy to use!). In many situations, it is useful to show some metric compared to the same metric a month ago (or some other time period).

One way to accomplish this is with the community-supported Splunk app, Timewrap. I couldn't get Timewrap to output the data as I wanted, so instead here's the approach that I used.

How to send ICAP request with Python

I needed to send an ICAP request to a Symantec Antivirus server. Because ICAP is HTTP-like, but not quite HTTP, I could not use the wonderful requests library. So, here's what I did instead:

Working with Amazon S3 using boto: Multithreaded Edition!

Categories:

Let's say you need to update lots of keys in Amazon S3. If you have many objects in your S3 bucket, this can be quite slow. Of course, as a Python developer, you're using the nifty boto library. We can make update all of your keys much, much faster using multiple threads!

Pages

Subscribe to Pixelchef.net RSS