Consider this a draft. I’ll update it as I have time, but I’m posting now because it may help someone. Splunk 7.2.2 brought along new features (which previously didn’t happen in a “maintenance release” – but that’s another topic for another time). One of the new features is “systemd support”. It didn’t take long before […]
Splunk pass4SymmKey for deployment client -> deployment server
Introduction So you want to secure your Splunk deployment server? There’s a couple of different angles to consider: Are all clients connecting to a given deployment server permitted to do so? Is the client certain that the deployment server they are talking to is the real one and not an impostor? Let’s start at the […]
RHEL 7 UDP metrics into splunk metrics index
We were discussing this on splunk-usergroups slack, and I said I should post it here and vraptor and dawnrise urged me to do so quickly — so here I am. (Thanks vraptor and dawnrise!) First up, a script to use the nstat tool to grab some kernel UDP metrics and write them out in a […]
Back from the brink?
I really gave up on blogging for a long time. “So busy” and all that. I’m trying to get back; let’s just call all of that ‘excuses’. So in support of that, a whole bunch of housekeeping on the site. Latest and greatest remote exploits .. err I mean wordpress 😉 SSL by default thanks […]
Nullqueue Sampling
One of the first things the average Splunk administrator has to learn about the hard way is how to send traffic to the Splunk nullQueue. It’s almost a rite of passage — you configure a new data source, somewhat unaware of the tens of thousands of mostly-useless events it produces. It blows out your license […]
Splunking bash history
The history tools built into the bash shell are rather powerful and a great source of information about what has been done to a system. One thing we can do to make these even more useful is add them as a data source in Splunk. While imperfect (see caveats below), this can be helpful in […]
Quick Hit – disabling SSLv3 in Splunk
Update 20141015 – Splunk’s official advisory has been released. Update 20141016 – Changed from a specific TLS1.2 cipher to the generic “TLSv1.2” suite. Hat tip to @techxicologist. If you’ve not seen that SSLv3 is irreparably broken, go read about it, then grab a strong drink and come back. Splunk (as of release 6.1) does not […]
Splunk .conf 2014 slides and notes
This week I had the pleasure of speaking at Splunk .conf 2014. George Starcher and I spoke on configuring Splunk’s various SSL options, with the goal of providing a cookbook with SSL configurations appropriate for moving from a POC/trial install into production. Other than some audio problems (sorry!), I thought the session went very well. […]
Splunk – bucket lexicons and segmentation
About Segmentation Event segmentation is an operation key to how Splunk processes your data as it is being both indexed and searched. At index time, the segmentation configuration determines what rules Splunk uses to extract segments (or tokens) from the raw event and store them as entries in the lexicon. Understanding the relationship between what’s […]
Effect of kernel filesystem caching on Splunk performance
Unlike a traditional relational DBMS, Splunk does not use an in-process buffering or caching mechanism. That is to say, there is no such thing as an SGA for your Oracle types, and the DB/2 DBAs may be disappointed to find there’s no bufferpool. Instead, Splunk counts on the operating system’s native caching for files in […]