Splunk, profile picture
Uploaded bySplunk
6,688 views

Getting Data into Splunk

This document provides an overview of getting data into Splunk through various input methods. It discusses setting up a Universal Forwarder to send data to Splunk Enterprise indexes. It also covers configuring the inputs.conf file to monitor files, blacklist/whitelist files, and collect Windows events. Additional input methods described include network inputs via TCP/UDP, scripted inputs, and the HTTP Event Collector. The document also touches on best practices for line breaking, timestamp recognition, and using modular and Splunk Stream inputs.

Technology
In this document
Powered by AI

Introduction to getting data into Splunk by Nimish Doshi, offering a foundational overview.

Assumes Splunk Enterprise is installed; emphasizes access to data for effective use.

Outline of key topics including Files, Network Inputs, Scripted Inputs, HTTP Event Collector, and Advanced topics.

Instructions on installing the Universal Forwarder, configuring outputs.conf to route data to Splunk.

Sample configuration to direct data flow, showcasing TCP output settings with default and server designations.

Steps to configure an indexer for data reception through Splunk's interface.

Overview of inputs.conf, which monitors data collection; emphasizes the importance of data selection.

Sample configurations for inputs.conf to monitor files, highlight sourcetypes, and indexing.

Demonstration of blacklisting and whitelisting files in inputs.conf for refined data collection.

Specifics for inputs.conf settings on Windows for monitoring application, security, and system events.

Instructions on configuring props.conf to manage line breaks for multi-line events effectively.

Presenting a practical example of props.conf for managing channel entry event data.

Details on configuring custom timestamp recognition in props.conf for accurate event timing.

Example configuration of props.conf to ensure timestamps are recognized correctly in event data.

Reiteration of the agenda covering data input topics.

Description of setting up inputs.conf for TCP/UDP to allow Splunk to receive data.

Sample inputs.conf configuration for monitoring data via UDP with different sourcetypes.

Explains the dynamic assignment of sourcetypes for UDP traffic using props.conf.

Guidelines to use transforms.conf for assigning sourcetypes based on data characteristics.

Sample configurations for TCP inputs.conf, illustrating connection-oriented data gathering.

Advises on best practices for collecting network data through intermediaries.

Recap of agenda topics to guide the presentation structure.

Explains how scripted inputs capture output from scripts for indexing by Splunk.

Configuration example for inputs.conf to monitor a script output periodically.

Example configuration for the inputs.conf to execute a Java program as a scripted input.

Shows how to set up inputs.conf for a user-defined script listener on Unix/Linux.

Example under inputs.conf for collecting CPU performance metrics from Windows systems.

Brief repeat of agenda to ensure clarity on upcoming topics.

Outline of setting up the HTTP Event Collector (HEC) for developers to send events.

Instructions on navigating to configure the HEC token in Splunk.

Details on the steps to enable HEC global settings in Splunk.

Instructions for naming and setting up a new HEC token.

Configuring essential settings for the HEC token including default index and sourcetype.

Summary of settings before finalizing the HEC token configuration.

Final step to submit the HEC token configuration to Splunk.

Using curl to send data to test the HEC token and receive success confirmation.

Instructions on searching within Splunk for data sent via the HEC.

Sample Java code to send data via HEC, demonstrating setup and logging.

Last reiteration of the agenda reflecting on discussed topics.

Definition and importance of modular inputs for reusable structured scripts.

Example of a modular input configured for GitHub via Splunk Web.

Description of Splunk Stream for capturing network TAP/SPAN data effectively.

Example configuration of Splunk Stream for specific protocol data handling.

Closing remarks and gratitude from the presenter.

Embed presentation

Copyright © 2016 Splunk Inc. Getting Data In by Example Nimish Doshi Principal Systems Engineer
Assumption Install Splunk Enterprise ● This presentation assumes that you have installed Splunk somewhere, have access to Splunk Enterprise, and have access to the data that is being sent. 2
Agenda Files and Directories Network Inputs Scripted Inputs HTTP Event Collector Advance Input Topics 3
Universal Forwarder ● Download the Splunk UF for your platform and install it where your files reside. In directory or folder $SPLUNK_HOME/etc/system/local/, create or modify a file called outputs.conf (Create local, if not present) outputs.conf will send data to the place where Splunk Enterprise resides. Know your Splunk Enterprise’s IP or Domain Name and listening port. Restart the forwarder after changing outputs.conf 4 Software to Send Data
Example Outputs.conf File that controls where data is sent #Default Place Where Data is sent. It’s just a name used in the next stanza [tcpout] defaultGroup=my_indexers # Notice (commas for more) name of the server and listening port [tcpout:my_indexers] server=mysplunk_indexer1:9997 # Any optional properties for the indexer. Leave blank for now. [tcpout-server://mysplunk_indexer1:9997] 5
Set up Indexer to Receive Data Under Settings->Forwarding and Receiving->Receive Data --Add New 6
Inputs.conf Place file in same place as outputs.conf ● This file controls what data is monitored or collected by the forwarder ● Opt In: Only data that is monitored will be sent to Splunk Indexers. ● If you make changes to the file manually, restart the forwarder 7
Sample Inputs.conf to monitor files Always put in a sourcetype (and optional index)!!!!! [monitor:///opt/logs/webfiles*] # files starting with webfiles sourcetype=access_combined [monitor:///apache/*.log] # files ending with.log in apache sourcetype=access_combined [monitor://var/.../log(a|b).log] # files loga.log or logb.log sourcetype=syslog index=IT 8
Sample Inputs.conf to blacklist whitelist files Always put in a sourcetype!!!!! [monitor:///mnt/logs] # ignore files ending with .txt or .gz blacklist = .(?:txt|gz)$ # blacklist blocks sourcetype=my_app [monitor:///apache] # files stdout.log and web.log in apache whitelist = stdout.log$|web.log$ # whitelist allows sourcetype=access_combined # For better performance, use … or * followed by regex over whitelist and blacklist 9
Sample Inputs.conf for Windows Events inputs.conf on a Windows Machine # Windows platform specific input processor. [WinEventLog://Application] disabled = 0 # disabled=false and disabled=0 are the same instruction: Enable [WinEventLog://Security] disabled = 0 [WinEventLog://System] disabled = 0 10
Line breaking Default line breaker for events is a newline (r|n) ● How do you tell Splunk to break multi-line events correctly? ● Create or modify a props.conf file on the machine indexing the data in either the app’s local directory or $SPLUNK_HOME/etc/system/local. ● Contents of props.conf [name of your sourcetype] # Use either of the two below BREAK_ONLY_BEFORE = regular expression indicating end of your event LINE_BREAKER=(matching group regex indicting end of event) ● LINE_BREAKER performs better than BREAK_ONLY_BEFORE 11
Line Breaking Example Example props.conf and channel event data [channel_entry] BREAK_ONLY_BEFORE = ^channel Sample Events channel=documentaryfilm <video> <id> 120206922 </id> <video> channel=Indiefilm <video> <id> 120206923 </id> <video> 12
Timestamp Recognizion Normally, Splunk recognizes timestamps automatically, but… ● How do you tell Splunk to recognize custom timestamps? ● Create or modify a props.conf file on the machine indexing the data in either the app’s local directory or $SPLUNK_HOME/etc/system/local. ● Contents of props.conf [name of your sourcetype] TIME_PREFEX= regular expression indicating where to find timestamp TIME_FORMAT=*NIX <strptime-style format. See Docs online for format> MAX_TIMESTAMP_LOOKAHEAD= number of characters to look ahead for TS 13
Timestamp Example Example props.conf and some event data [journal] TIME_PREFIX = Valid_Until= TIME_FORMAT = %b %d %H:%M:%S %Z%z %Y Sample Events …Valid_Until=Thu Dec 31 17:59:59 GMT-06:00 2020 14
Agenda Files and Directories Network Inputs Scripted Inputs HTTP Event Collector Advance Input Topics 15
Network Inputs Splunk Indexer or forwarder can listen for TCP on UDP data ● Configure your inputs.conf to listen on a port for TCP or UDP data. ● You can use Splunk Web itself to configure this on an indexer machine. ● Restart the indexer or forwarder if you modified inputs.conf directly. 16
Example UDP inputs.conf Connectionless and prone to data loss [udp://514] sourcetype=cisco_asa [udp://515] sourcetype=pan_threat 17
Assign UDP sourcetype dynamically All data goes through the same port inputs.conf [udp://514] props.conf [source::udp:514] TRANSFORMS-ASA=assign_ASA TRANSFORMS-PAN=assign_PAN 18
Use transforms.conf to assign sourcetype Transforms.conf is in the same place as props.conf Transforms.conf [assign_ASA] REGEX = ASA FORMAT = sourcetype::cisco_ASA DEST_KEY = MetaData:Sourcetype [assign_PAN] REGEX = pand+ FORMAT = sourcetype::pan_threat DEST_KEY = MetaData:Sourcetype 19
Example TCP inputs.conf Connection Oriented [tcp://remote_server:9998] sourcetype=cisco_asa [tcp://9999] # any server can connect to send data sourcetype=pan_threat 20
Best Practice to collect from Network Use intermediary to collect data to files and forward the data 21
Agenda Files and Directories Network Inputs Scripted Inputs HTTP Event Collector Advance Input Topics 22
Using Scripted Input • Splunk’s inputs.conf file can monitor the output of any script • Script can be written in any language executable by OS’s shell. • Wrap the executable language in top level script, if necessary • Each script is executed on a number of seconds interval basis • Output of script is captured by Splunk’s indexer • Output should be considered an Event to be be indexed
Example Inputs.conf [script:///opt/splunk/etc/apps/scripts/bin/top.sh] interval = 5 # run every 5 seconds sourcetype = top # set sourcetype to top source = top_output
Inputs.conf for calling Java program # For Windows. Unix is the 2nd entry. weather.bat|sh are wrappers. [script://.binweather.bat] interval = 120 sourcetype = weather_entry source = weather_xml disabled = false [script://./bin/weather.sh] interval = 120 sourcetype = weather_entry source = weather_xml disabled = false
Example Inputs.conf for listener # Unix/Linux called from Splunk App [script://./bin/JMSReceive.sh] interval=-1 # -1 means start once and only once sourcetype=JMS_event source=JMS_entry host=virtual_linux disabled=false
Example Inputs.conf for Windows Perf # Collect CPU processor usage metrics on a windows machine. # Splunk provides perfmon input. [perfmon://Processor] object = Processor instances = _Total counters = % Processor Time;% User Time index = Perf interval = 30 disabled = 0
Agenda Files and Directories Network Inputs Scripted Inputs HTTP Event Collector Advance Input Topics 28
29
HEC Set Up Set up via Splunk Web to get a Token used by developers ● Get an unique token for your developers to send events via HTTP/S ● Give token to developers. Enable the token. ● Developers log events via HTTP using a language that supports HTTP/S ● Data can go directly to an indexer machine or intermediary forwarder ● Logic should be built-in the code to handle exceptions and retries 30
Set up HEC Token Go to Settings->Data Inputs->HTTP Event Collector and click on it. 31
Enable HEC Via Global Settings 32 Do this once
Add a new HEC Token Name your token 33
Configure HEC Token Give it a default index and sourcetype 34
Review Token Configuration 35
Submit Token Configuration 36
Test your token Curl can be used to send HTTP data ● > curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk 65123E77-86B1-4136- B955-E8CDD6A7D3B1" -d '{"event": "my log entry via HEC"}’ ● {"text":"Success","code":0} ● Notice the token in the Authorization:Splunk ● This event is can be sent as JSON or raw data and returns success ● http://dev.splunk.com/view/event-collector/SP-CAAAE6P 37
Search Splunk for Sample HEC Sent Data 38
Sample Java Code to send via HEC ● Run with -Djava.util.logging.config.file=/path/to/jdklogging.properties import java.util.logging.*; import com.splunk.logging.*; %user_logger_name%.level = INFO %user_logger_name%.handlers = com.splunk.logging.HttpEventCollectorLoggingHandler # Configure the com.splunk.logging.HttpEventCollectorLoggingHandler com.splunk.logging.HttpEventCollectorLoggingHandler.url = “https://mydomain:8088” com.splunk.logging.HttpEventCollectorLoggingHandler.level = INFO com.splunk.logging.HttpEventCollectorLoggingHandler.token = “65123E77-86B1-4136-B955- E8CDD6A7D3B1” com.splunk.logging.HttpEventCollectorLoggingHandler.disableCertificateValidation=true logger.info("This is a test event for Logback test"); 39
Agenda Files and Directories Network Inputs Scripted Inputs HTTP Event Collector Advance Input Topics 40
Modular Input Wrap your scripted Input into a Modular Input ● Modular input allows you to package your input as a reusable framework ● Modular Input provides validation of input and REST API access for administration such as permission granting ● Modular inputs can be configured by your user via Splunk Web on an indexer or new custom entries for inputs.conf ● See Splunk docs for more details http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModInputsIntro 41
Sample Modular Input Github Input via Splunk Web 42
Splunk Stream Splunk supported app to listen to network TAP or SPAN for data ● Captures wire data without the need for a forwarder on very end point – Network must allow promiscuous read or provide certificates to decrypt – Splunk Stream can still be placed on a machine to capture its network output ● Ingestion of payload can be controlled and filtered ● Works with a variety of protocols out of the box ● Ingests wired data into human readable JSON format automatically ● See Splunk docs for more details and download from Splunkbase. 43
Configured Stream Sample protocol configuration 44
Thank You

More Related Content

PDF
Splunk Architecture | Splunk Tutorial For Beginners | Splunk Training | Splun...
byEdureka!
 
PPTX
SplunkLive 2011 Beginners Session
bySplunk
 
PPTX
Splunk Architecture
byKishore Chaganti
 
PDF
Splunk 101
bySplunk
 
PPTX
Splunk overview
byDaniel Hernandez
 
PPTX
Splunk Architecture overview
byAlex Fok
 
PPTX
Getting Started with Splunk (Hands-On)
bySplunk
 
PPTX
Splunk for IT Operations
bySplunk
 
Splunk Architecture | Splunk Tutorial For Beginners | Splunk Training | Splun...
byEdureka!
 
SplunkLive 2011 Beginners Session
bySplunk
 
Splunk Architecture
byKishore Chaganti
 
Splunk 101
bySplunk
 
Splunk overview
byDaniel Hernandez
 
Splunk Architecture overview
byAlex Fok
 
Getting Started with Splunk (Hands-On)
bySplunk
 
Splunk for IT Operations
bySplunk
 

What's hot

PPTX
Splunk Overview
bySplunk
 
PDF
Splunk-Presentation
byPrasadThorat23
 
PPTX
Splunk Overview
bySplunk
 
PPTX
.conf Go 2022 - Observability Session
bySplunk
 
PPTX
Threat Hunting with Splunk
bySplunk
 
PPTX
SplunkLive 2011 Advanced Session
bySplunk
 
PPTX
Splunk for Enterprise Security and User Behavior Analytics
bySplunk
 
PPTX
Maltego Information Gathering
bySreekanth Narendran
 
PPTX
Splunk Tutorial for Beginners - What is Splunk | Edureka
byEdureka!
 
PDF
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
PPTX
Splunk Enterprise Security
bySplunk
 
PPTX
Splunk Dashboarding & Universal Vs. Heavy Forwarders
byHarry McLaren
 
PPTX
How to Move from Monitoring to Observability, On-Premises and in a Multi-Clou...
bySplunk
 
PDF
Empower Your Security Practitioners with Elastic SIEM
byElasticsearch
 
PDF
Container Security Using Microsoft Defender
byRahul Khengare
 
PPTX
Threat hunting on the wire
byInfoSec Addicts
 
PDF
Nessus Software
byMegha Sahu
 
PPTX
Getting started with Splunk
bySplunk
 
PPTX
Getting started with Splunk - Break out Session
byGeorg Knon
 
PPTX
PPT-Splunk-LegacySIEM-101_FINAL
byRisi Avila
 
Splunk Overview
bySplunk
 
Splunk-Presentation
byPrasadThorat23
 
Splunk Overview
bySplunk
 
.conf Go 2022 - Observability Session
bySplunk
 
Threat Hunting with Splunk
bySplunk
 
SplunkLive 2011 Advanced Session
bySplunk
 
Splunk for Enterprise Security and User Behavior Analytics
bySplunk
 
Maltego Information Gathering
bySreekanth Narendran
 
Splunk Tutorial for Beginners - What is Splunk | Edureka
byEdureka!
 
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
Splunk Enterprise Security
bySplunk
 
Splunk Dashboarding & Universal Vs. Heavy Forwarders
byHarry McLaren
 
How to Move from Monitoring to Observability, On-Premises and in a Multi-Clou...
bySplunk
 
Empower Your Security Practitioners with Elastic SIEM
byElasticsearch
 
Container Security Using Microsoft Defender
byRahul Khengare
 
Threat hunting on the wire
byInfoSec Addicts
 
Nessus Software
byMegha Sahu
 
Getting started with Splunk
bySplunk
 
Getting started with Splunk - Break out Session
byGeorg Knon
 
PPT-Splunk-LegacySIEM-101_FINAL
byRisi Avila
 

Viewers also liked

PDF
Splunk conf2014 - Onboarding Data Into Splunk
bySplunk
 
PPTX
SplunkLive! Presentation - Data Onboarding with Splunk
bySplunk
 
PPTX
SplunkLive! Milano 2016 - customer presentation - Unicredit
bySplunk
 
PPTX
Taking Splunk to the Next Level - Management
bySplunk
 
PPTX
Art of the Possible - Innovating with Splunk
bySplunk
 
PDF
SplunkSummit 2015 - HTTP Event Collector, Simplified Developer Logging
bySplunk
 
PDF
아토큐브 동요
byattocube
 
PDF
Brand It MIT Launch Club
bySteve Sue
 
PDF
Kubernetes intro public - kubernetes user group 4-21-2015
byreallavalamp
 
PPTX
Getting Started with Splunk Breakout Session
bySplunk
 
PDF
Building Business Service Intelligence
bySplunk
 
PPTX
SplunkLive! Milano 2016 - customer presentation - Yoox - Net a porter
bySplunk
 
PPTX
Decorating The World With Inkjet - IMI European Inkjet Conference November 20...
byXennia Technology
 
PDF
Machine Learning + Analytics
bySplunk
 
PDF
Communication Day Presentation: Kapow! #MyWay!
byBloomsburg University
 
PDF
Arc 60305 project 3 measured drawings
byArvindhan Balasingam
 
PDF
ADMISS
byIngenero
 
PPTX
Who am I?
byLeenette Fincham
 
PPS
PROFISSÕES........
byLucio Borges
 
PPTX
Bullying y aceptación en la homosexualidad
byDaniela Guachetá
 
Splunk conf2014 - Onboarding Data Into Splunk
bySplunk
 
SplunkLive! Presentation - Data Onboarding with Splunk
bySplunk
 
SplunkLive! Milano 2016 - customer presentation - Unicredit
bySplunk
 
Taking Splunk to the Next Level - Management
bySplunk
 
Art of the Possible - Innovating with Splunk
bySplunk
 
SplunkSummit 2015 - HTTP Event Collector, Simplified Developer Logging
bySplunk
 
아토큐브 동요
byattocube
 
Brand It MIT Launch Club
bySteve Sue
 
Kubernetes intro public - kubernetes user group 4-21-2015
byreallavalamp
 
Getting Started with Splunk Breakout Session
bySplunk
 
Building Business Service Intelligence
bySplunk
 
SplunkLive! Milano 2016 - customer presentation - Yoox - Net a porter
bySplunk
 
Decorating The World With Inkjet - IMI European Inkjet Conference November 20...
byXennia Technology
 
Machine Learning + Analytics
bySplunk
 
Communication Day Presentation: Kapow! #MyWay!
byBloomsburg University
 
Arc 60305 project 3 measured drawings
byArvindhan Balasingam
 
ADMISS
byIngenero
 
Who am I?
byLeenette Fincham
 
PROFISSÕES........
byLucio Borges
 
Bullying y aceptación en la homosexualidad
byDaniela Guachetá
 

Similar to Getting Data into Splunk

PDF
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
bySplunk
 
PPTX
Splunk
byMegha Sahu
 
PDF
Splunk workshop-Machine Data 101
bySplunk
 
PPTX
Workshop splunk 6.5-saint-louis-mo
byMohamad Hassan
 
PPTX
Data Onboarding Breakout Session
bySplunk
 
PPTX
SplunkLive! Getting Started with Splunk Enterprise
bySplunk
 
PPTX
Machine Data 101: Turning Data Into Insight
bySplunk
 
PPTX
SplunkLive! - Getting started with Splunk
bySplunk
 
PPTX
Getting Started with Splunk Break out Session
byGeorg Knon
 
PPTX
Machine Data 101: Turning Data Into Insight
bySplunk
 
PPTX
SplunkLive! Beginner Session
bySplunk
 
PPTX
SplunkLive! Frankfurt 2018 - Data Onboarding Overview
bySplunk
 
PPTX
SplunkLive! Munich 2018: Data Onboarding Overview
bySplunk
 
PPTX
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
byGeorg Knon
 
PDF
Machine Data 101
bySplunk
 
PPTX
Machine Data 101: Turning Data Into Insight
bySplunk
 
PPTX
Splunk Discovery: Warsaw 2018 - Getting Data In
bySplunk
 
PPTX
SplunkLive Oslo/Stockholm Beginner Workshop
byjenny_splunk
 
PPTX
Machine Data 101
bySplunk
 
PPTX
Splunk live beginner training nyc
byDimitri McKay - CISSP
 
Splunk Data Onboarding Overview - Splunk Data Collection Architecture
bySplunk
 
Splunk
byMegha Sahu
 
Splunk workshop-Machine Data 101
bySplunk
 
Workshop splunk 6.5-saint-louis-mo
byMohamad Hassan
 
Data Onboarding Breakout Session
bySplunk
 
SplunkLive! Getting Started with Splunk Enterprise
bySplunk
 
Machine Data 101: Turning Data Into Insight
bySplunk
 
SplunkLive! - Getting started with Splunk
bySplunk
 
Getting Started with Splunk Break out Session
byGeorg Knon
 
Machine Data 101: Turning Data Into Insight
bySplunk
 
SplunkLive! Beginner Session
bySplunk
 
SplunkLive! Frankfurt 2018 - Data Onboarding Overview
bySplunk
 
SplunkLive! Munich 2018: Data Onboarding Overview
bySplunk
 
SplunkLive! Zürich 2014 Beginner Workshop: Getting started with Splunk
byGeorg Knon
 
Machine Data 101
bySplunk
 
Machine Data 101: Turning Data Into Insight
bySplunk
 
Splunk Discovery: Warsaw 2018 - Getting Data In
bySplunk
 
SplunkLive Oslo/Stockholm Beginner Workshop
byjenny_splunk
 
Machine Data 101
bySplunk
 
Splunk live beginner training nyc
byDimitri McKay - CISSP
 

More from Splunk

PDF
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
bySplunk
 
PDF
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
bySplunk
 
PDF
Splunk Leadership Forum Wien - 20.05.2025
bySplunk
 
PDF
Praktische Erfahrungen mit dem Attack Analyser (gematik)
bySplunk
 
PDF
Security - Mit Sicherheit zum Erfolg (Telekom)
bySplunk
 
PDF
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
bySplunk
 
PDF
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
bySplunk
 
PDF
IT-Lagebild: Observability for Resilience (SVA)
bySplunk
 
PDF
One Cisco - Splunk Public Sector Summit Germany April 2025
bySplunk
 
PDF
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
bySplunk
 
PDF
Splunk Security Update | Public Sector Summit Germany 2025
bySplunk
 
PDF
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
bySplunk
 
PDF
Building Resilience with Energy Management for the Public Sector
bySplunk
 
PDF
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
bySplunk
 
PDF
.conf Go 2023 - Raiffeisen Bank International
bySplunk
 
PDF
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
bySplunk
 
PDF
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
bySplunk
 
PDF
.conf go 2023 - De NOC a CSIRT (Cellnex)
bySplunk
 
PDF
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
bySplunk
 
PDF
.conf Go 2023 - Data analysis as a routine
bySplunk
 
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
bySplunk
 
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
bySplunk
 
Splunk Leadership Forum Wien - 20.05.2025
bySplunk
 
Praktische Erfahrungen mit dem Attack Analyser (gematik)
bySplunk
 
Security - Mit Sicherheit zum Erfolg (Telekom)
bySplunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
bySplunk
 
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
bySplunk
 
IT-Lagebild: Observability for Resilience (SVA)
bySplunk
 
One Cisco - Splunk Public Sector Summit Germany April 2025
bySplunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
bySplunk
 
Splunk Security Update | Public Sector Summit Germany 2025
bySplunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
bySplunk
 
Building Resilience with Energy Management for the Public Sector
bySplunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
bySplunk
 
.conf Go 2023 - Raiffeisen Bank International
bySplunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
bySplunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
bySplunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
bySplunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
bySplunk
 
.conf Go 2023 - Data analysis as a routine
bySplunk
 

Recently uploaded

PDF
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
PDF
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
PDF
Think global, run local: when self-hosted LLMs actually win
byFrancesco Corti
 
PPTX
Penetration Testing: Enhancing Cyber Defenses Through Realistic Attack Simula...
bySentry Cyber
 
PPTX
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
PDF
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
PDF
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
PDF
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
PDF
PCCC25(設立25年記念PCクラスタシンポジウム):富士通株式会社 テーマ2「AI Computing Broker: Make your GPUs ...
byPC Cluster Consortium
 
PDF
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
PPTX
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
PPTX
Formulation and Evaluation of herbal peel off mask gel
byRanikonde
 
PPTX
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
PDF
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
PDF
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
PDF
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
PPTX
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PDF
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
Think global, run local: when self-hosted LLMs actually win
byFrancesco Corti
 
Penetration Testing: Enhancing Cyber Defenses Through Realistic Attack Simula...
bySentry Cyber
 
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
PCCC25(設立25年記念PCクラスタシンポジウム):富士通株式会社 テーマ2「AI Computing Broker: Make your GPUs ...
byPC Cluster Consortium
 
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
Formulation and Evaluation of herbal peel off mask gel
byRanikonde
 
kernel PPT (Explanation of Windows Kernal).pptx
byINFOBYTES1
 
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 

Getting Data into Splunk

  • 1.
    Copyright © 2016Splunk Inc. Getting Data In by Example Nimish Doshi Principal Systems Engineer
  • 2.
    Assumption Install Splunk Enterprise ●This presentation assumes that you have installed Splunk somewhere, have access to Splunk Enterprise, and have access to the data that is being sent. 2
  • 3.
    Agenda Files and Directories NetworkInputs Scripted Inputs HTTP Event Collector Advance Input Topics 3
  • 4.
    Universal Forwarder ● Downloadthe Splunk UF for your platform and install it where your files reside. In directory or folder $SPLUNK_HOME/etc/system/local/, create or modify a file called outputs.conf (Create local, if not present) outputs.conf will send data to the place where Splunk Enterprise resides. Know your Splunk Enterprise’s IP or Domain Name and listening port. Restart the forwarder after changing outputs.conf 4 Software to Send Data
  • 5.
    Example Outputs.conf File thatcontrols where data is sent #Default Place Where Data is sent. It’s just a name used in the next stanza [tcpout] defaultGroup=my_indexers # Notice (commas for more) name of the server and listening port [tcpout:my_indexers] server=mysplunk_indexer1:9997 # Any optional properties for the indexer. Leave blank for now. [tcpout-server://mysplunk_indexer1:9997] 5
  • 6.
    Set up Indexerto Receive Data Under Settings->Forwarding and Receiving->Receive Data --Add New 6
  • 7.
    Inputs.conf Place file insame place as outputs.conf ● This file controls what data is monitored or collected by the forwarder ● Opt In: Only data that is monitored will be sent to Splunk Indexers. ● If you make changes to the file manually, restart the forwarder 7
  • 8.
    Sample Inputs.conf tomonitor files Always put in a sourcetype (and optional index)!!!!! [monitor:///opt/logs/webfiles*] # files starting with webfiles sourcetype=access_combined [monitor:///apache/*.log] # files ending with.log in apache sourcetype=access_combined [monitor://var/.../log(a|b).log] # files loga.log or logb.log sourcetype=syslog index=IT 8
  • 9.
    Sample Inputs.conf toblacklist whitelist files Always put in a sourcetype!!!!! [monitor:///mnt/logs] # ignore files ending with .txt or .gz blacklist = .(?:txt|gz)$ # blacklist blocks sourcetype=my_app [monitor:///apache] # files stdout.log and web.log in apache whitelist = stdout.log$|web.log$ # whitelist allows sourcetype=access_combined # For better performance, use … or * followed by regex over whitelist and blacklist 9
  • 10.
    Sample Inputs.conf forWindows Events inputs.conf on a Windows Machine # Windows platform specific input processor. [WinEventLog://Application] disabled = 0 # disabled=false and disabled=0 are the same instruction: Enable [WinEventLog://Security] disabled = 0 [WinEventLog://System] disabled = 0 10
  • 11.
    Line breaking Default linebreaker for events is a newline (r|n) ● How do you tell Splunk to break multi-line events correctly? ● Create or modify a props.conf file on the machine indexing the data in either the app’s local directory or $SPLUNK_HOME/etc/system/local. ● Contents of props.conf [name of your sourcetype] # Use either of the two below BREAK_ONLY_BEFORE = regular expression indicating end of your event LINE_BREAKER=(matching group regex indicting end of event) ● LINE_BREAKER performs better than BREAK_ONLY_BEFORE 11
  • 12.
    Line Breaking Example Exampleprops.conf and channel event data [channel_entry] BREAK_ONLY_BEFORE = ^channel Sample Events channel=documentaryfilm <video> <id> 120206922 </id> <video> channel=Indiefilm <video> <id> 120206923 </id> <video> 12
  • 13.
    Timestamp Recognizion Normally, Splunkrecognizes timestamps automatically, but… ● How do you tell Splunk to recognize custom timestamps? ● Create or modify a props.conf file on the machine indexing the data in either the app’s local directory or $SPLUNK_HOME/etc/system/local. ● Contents of props.conf [name of your sourcetype] TIME_PREFEX= regular expression indicating where to find timestamp TIME_FORMAT=*NIX <strptime-style format. See Docs online for format> MAX_TIMESTAMP_LOOKAHEAD= number of characters to look ahead for TS 13
  • 14.
    Timestamp Example Example props.confand some event data [journal] TIME_PREFIX = Valid_Until= TIME_FORMAT = %b %d %H:%M:%S %Z%z %Y Sample Events …Valid_Until=Thu Dec 31 17:59:59 GMT-06:00 2020 14
  • 15.
    Agenda Files and Directories NetworkInputs Scripted Inputs HTTP Event Collector Advance Input Topics 15
  • 16.
    Network Inputs Splunk Indexeror forwarder can listen for TCP on UDP data ● Configure your inputs.conf to listen on a port for TCP or UDP data. ● You can use Splunk Web itself to configure this on an indexer machine. ● Restart the indexer or forwarder if you modified inputs.conf directly. 16
  • 17.
    Example UDP inputs.conf Connectionlessand prone to data loss [udp://514] sourcetype=cisco_asa [udp://515] sourcetype=pan_threat 17
  • 18.
    Assign UDP sourcetypedynamically All data goes through the same port inputs.conf [udp://514] props.conf [source::udp:514] TRANSFORMS-ASA=assign_ASA TRANSFORMS-PAN=assign_PAN 18
  • 19.
    Use transforms.conf toassign sourcetype Transforms.conf is in the same place as props.conf Transforms.conf [assign_ASA] REGEX = ASA FORMAT = sourcetype::cisco_ASA DEST_KEY = MetaData:Sourcetype [assign_PAN] REGEX = pand+ FORMAT = sourcetype::pan_threat DEST_KEY = MetaData:Sourcetype 19
  • 20.
    Example TCP inputs.conf ConnectionOriented [tcp://remote_server:9998] sourcetype=cisco_asa [tcp://9999] # any server can connect to send data sourcetype=pan_threat 20
  • 21.
    Best Practice tocollect from Network Use intermediary to collect data to files and forward the data 21
  • 22.
    Agenda Files and Directories NetworkInputs Scripted Inputs HTTP Event Collector Advance Input Topics 22
  • 23.
    Using Scripted Input •Splunk’s inputs.conf file can monitor the output of any script • Script can be written in any language executable by OS’s shell. • Wrap the executable language in top level script, if necessary • Each script is executed on a number of seconds interval basis • Output of script is captured by Splunk’s indexer • Output should be considered an Event to be be indexed
  • 24.
    Example Inputs.conf [script:///opt/splunk/etc/apps/scripts/bin/top.sh] interval =5 # run every 5 seconds sourcetype = top # set sourcetype to top source = top_output
  • 25.
    Inputs.conf for callingJava program # For Windows. Unix is the 2nd entry. weather.bat|sh are wrappers. [script://.binweather.bat] interval = 120 sourcetype = weather_entry source = weather_xml disabled = false [script://./bin/weather.sh] interval = 120 sourcetype = weather_entry source = weather_xml disabled = false
  • 26.
    Example Inputs.conf forlistener # Unix/Linux called from Splunk App [script://./bin/JMSReceive.sh] interval=-1 # -1 means start once and only once sourcetype=JMS_event source=JMS_entry host=virtual_linux disabled=false
  • 27.
    Example Inputs.conf forWindows Perf # Collect CPU processor usage metrics on a windows machine. # Splunk provides perfmon input. [perfmon://Processor] object = Processor instances = _Total counters = % Processor Time;% User Time index = Perf interval = 30 disabled = 0
  • 28.
    Agenda Files and Directories NetworkInputs Scripted Inputs HTTP Event Collector Advance Input Topics 28
  • 29.
  • 30.
    HEC Set Up Setup via Splunk Web to get a Token used by developers ● Get an unique token for your developers to send events via HTTP/S ● Give token to developers. Enable the token. ● Developers log events via HTTP using a language that supports HTTP/S ● Data can go directly to an indexer machine or intermediary forwarder ● Logic should be built-in the code to handle exceptions and retries 30
  • 31.
    Set up HECToken Go to Settings->Data Inputs->HTTP Event Collector and click on it. 31
  • 32.
    Enable HEC ViaGlobal Settings 32 Do this once
  • 33.
    Add a newHEC Token Name your token 33
  • 34.
    Configure HEC Token Giveit a default index and sourcetype 34
  • 35.
  • 36.
  • 37.
    Test your token Curlcan be used to send HTTP data ● > curl -k https://localhost:8088/services/collector/event -H "Authorization: Splunk 65123E77-86B1-4136- B955-E8CDD6A7D3B1" -d '{"event": "my log entry via HEC"}’ ● {"text":"Success","code":0} ● Notice the token in the Authorization:Splunk ● This event is can be sent as JSON or raw data and returns success ● http://dev.splunk.com/view/event-collector/SP-CAAAE6P 37
  • 38.
    Search Splunk forSample HEC Sent Data 38
  • 39.
    Sample Java Codeto send via HEC ● Run with -Djava.util.logging.config.file=/path/to/jdklogging.properties import java.util.logging.*; import com.splunk.logging.*; %user_logger_name%.level = INFO %user_logger_name%.handlers = com.splunk.logging.HttpEventCollectorLoggingHandler # Configure the com.splunk.logging.HttpEventCollectorLoggingHandler com.splunk.logging.HttpEventCollectorLoggingHandler.url = “https://mydomain:8088” com.splunk.logging.HttpEventCollectorLoggingHandler.level = INFO com.splunk.logging.HttpEventCollectorLoggingHandler.token = “65123E77-86B1-4136-B955- E8CDD6A7D3B1” com.splunk.logging.HttpEventCollectorLoggingHandler.disableCertificateValidation=true logger.info("This is a test event for Logback test"); 39
  • 40.
    Agenda Files and Directories NetworkInputs Scripted Inputs HTTP Event Collector Advance Input Topics 40
  • 41.
    Modular Input Wrap yourscripted Input into a Modular Input ● Modular input allows you to package your input as a reusable framework ● Modular Input provides validation of input and REST API access for administration such as permission granting ● Modular inputs can be configured by your user via Splunk Web on an indexer or new custom entries for inputs.conf ● See Splunk docs for more details http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModInputsIntro 41
  • 42.
    Sample Modular Input GithubInput via Splunk Web 42
  • 43.
    Splunk Stream Splunk supportedapp to listen to network TAP or SPAN for data ● Captures wire data without the need for a forwarder on very end point – Network must allow promiscuous read or provide certificates to decrypt – Splunk Stream can still be placed on a machine to capture its network output ● Ingestion of payload can be controlled and filtered ● Works with a variety of protocols out of the box ● Ingests wired data into human readable JSON format automatically ● See Splunk docs for more details and download from Splunkbase. 43
  • 44.
  • 45.