Effect of kernel filesystem caching on Splunk performance
Unlike a traditional relational DBMS, Splunk does not use an in-process buffering or caching mechanism. That is to say, there is no such thing as an SGA for your Oracle types, and the DB/2 DBAs may...
Splunk – bucket lexicons and segmentation
About Segmentation Event segmentation is an operation key to how Splunk processes your data as it is being both indexed and searched. At index time, the segmentation configuration determines what...
Splunk .conf 2014 slides and notes
This week I had the pleasure of speaking at Splunk .conf 2014. George Starcher and I spoke on configuring Splunk’s various SSL options, with the goal of providing a cookbook with SSL configurations...
Quick Hit – disabling SSLv3 in Splunk
Update 20141015 – Splunk’s official advisory has been released. Update 20141016 – Changed from a specific TLS1.2 cipher to the generic “TLSv1.2″ suite. Hat tip to @techxicologist. If you’ve not seen...
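The generic cipher-suite alias the second update refers to, shown in Splunk's own .conf syntax as an added illustration rather than the post's configuration. The stanza and setting names are Splunk's (this assumes a version whose server.conf accepts sslVersions); the OpenSSL string "TLSv1.2" selects only cipher suites that require TLS 1.2, so nothing SSLv3-era can be negotiated even before the protocol pin is considered.

```ini
# server.conf on the splunkd management port -- added example, not from the post
[sslConfig]
# Only negotiate TLS 1.2. This alone refuses SSLv3 (and TLS 1.0/1.1) regardless of
# which cipher suites are listed below.
sslVersions = tls1.2
# Generic OpenSSL alias: every suite that requires TLS 1.2 (AEAD ciphers, SHA-2 MACs),
# minus NULL encryption and anonymous key exchange. Using the alias instead of one
# named suite means the list tracks whatever the linked OpenSSL supports.
cipherSuite = TLSv1.2:!eNULL:!aNULL
```

To see what the alias expands to on a given host, run `openssl ciphers -v 'TLSv1.2:!eNULL:!aNULL'` against the OpenSSL Splunk is linked with; the list should contain no SSLv3 or RC4 entries. The same two settings exist for Splunk Web in web.conf under [settings], so remember to apply them there too.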
Splunking bash history
The history tools built into the bash shell are rather powerful and a great source of information about what has been done to a system. One thing we can do to make these even more useful is add them...
Nullqueue Sampling
One of the first things the average Splunk administrator has to learn about the hard way is how to send traffic to the Splunk nullQueue. It’s almost a rite of passage — you configure a new data...
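The props.conf/transforms.conf pair the teaser alludes to, as an added example that is not the post's own configuration. The sourcetype name and the "keep only ERROR lines" regex are constructed; the keys (TRANSFORMS-, REGEX, DEST_KEY, FORMAT) are Splunk's. The two transforms are listed deliberately in that order: both set DEST_KEY = queue, and the later one wins for the events it matches.

```ini
# props.conf -- added example, not from the original post
# "app:noisy" is a constructed sourcetype name
[app:noisy]
TRANSFORMS-routing = setnull, keep_errors

# transforms.conf
# 1) send every event to the null queue (REGEX = . matches any non-empty raw line)
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2) pull events that mention ERROR back into the index queue; applied after
#    setnull, so its DEST_KEY assignment overrides the drop for matching events
[keep_errors]
REGEX = \bERROR\b
DEST_KEY = queue
FORMAT = indexQueue
```

Two caveats a practitioner will want: queue routing happens at parse time, so these stanzas belong on the indexer or heavy forwarder, not on a universal forwarder, which does not parse; and data sent to nullQueue is discarded before indexing, so it never reaches disk and is not counted against license. Confirm the merged configuration with `splunk btool props list app:noisy --debug` before trusting that the right transforms apply.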
Back from the brink?
I really gave up on blogging for a long time. “So busy” and all that. I’m trying to get back, let's just call all of that ‘excuses’. So in support of that, a whole bunch of housekeeping on the site....
RHEL 7 UDP metrics into splunk metrics index
We were discussing this on splunk-usergroups slack, and I said I should post it here and vraptor and dawnrise urged me to do so quickly — so here I am. (Thanks vraptor and dawnrise!) First up, a...
Splunk pass4SymmKey for deployment client -> deployment server
Introduction So you want to secure your Splunk deployment server? There’s a couple of different angles to consider: Are all clients connecting to a given deployment server permitted to do so? Is the...
Splunk 7.2.2 and systemd
Consider this a draft. I’ll update it as I have time, but I’m posting now because it may help someone. Splunk 7.2.2 brought along new features (which previously didn’t happen in a “maintenance...
Splunk and POSIX capabilities
I seem to catch myself talking about this a lot in Slack, so I’m just going to write it all down here and refer people to it. A common issue for Splunk deployments is how to securely deploy the...
Proving a Negative
I’ve got this Foo Fighters lyric stuck in my head … All my life I’ve been searching for something. Something never comes, never leads to nothing. This seems relevant, given my focus on search...
Searching date-time values in Splunk
If you’ve worked with Splunk for a little while then you are probably familiar with the existence of the field _time. With Splunk being a time series data store, it makes sense that every event will...
New Host, lost some comments
I moved the blog to a new host. The old one was getting pretty old. In the process I got rid of Disqus and went to native WP comments, and cannot get the comment sync to work properly. So I’ve lost...
Splunk UF 9.0 and POSIX Capabilities
Sorry this has taken so long to post. I caught a (thankfully very mild) case of covid at .cough2022 and between then and now life has not found a way (sorry Jurassic Park). Hopefully this is just the...
An evening with SVD-2022-0607
Back in June, along with the release of Splunk 9.0, Splunk dropped several security advisories. I’m spending a little time digging in on SVD-2022-0607. Come along with me as we learn together. The...