Splunk Enterprise Security Demo

Watch this demonstration of Splunk Enterprise Security to learn its key capabilities and how to use it to solve common security challenges. Splunk Enterprise Security helps security practitioners detect, investigate, and respond to internal and external attacks by simplifying threat management while minimizing risk to the business.

SPLing Bee – Update

Hello Everyone,

After posting about the SPLing Bee back in November, I have gotten around to trying it out myself.  After working out a few bugs (shout out to Charlie Huggard for the help), I have the SPLing Bee ready for download.

SPLing Bee Server App

The app contains the dashboards plus the inputs, indexes, props, and macros configuration files.

inputs.conf

[tcp://9997]
# Raw TCP listener that contestant instances send their answers to.
# connection_host = ip stamps each event's host field with the sender's IP,
# which is how submissions are told apart when judging.
# Nothing here restricts who may connect; if the port is reachable beyond
# the contestants, add an acceptFrom network ACL to this stanza.
connection_host = ip
index = spl_bee
sourcetype = spl_bee_json
source = spl_bee_input

indexes.conf

[spl_bee]
coldPath = $SPLUNK_DB/spl_bee/colddb
homePath = $SPLUNK_DB/spl_bee/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/spl_bee/thaweddb

props.conf

[spl_bee_results_csv]
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = LatestSubmissionTime
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
DATETIME_CONFIG =

[spl_bee_json]
KV_MODE = json
NO_BINARY_CHECK = true
category = Structured
disabled = false
pulldown_type = true

macros.conf

[retrieve_results]
definition = inputlookup round1.csv | append [| inputlookup round2.csv] | append [| inputlookup round3.csv] | append [| inputlookup round4.csv] | append [| inputlookup round5.csv] | append [| inputlookup round6.csv] | append [| inputlookup round7.csv] | append [| inputlookup round8.csv] | append [| inputlookup round9.csv]
iseval = 0

If the Splunk indexer you are using to play/judge is publicly reachable, contestants can use a Splunk Cloud trial to spin up their own instances to play.  If your indexer is on a private network, you will need to spin up a Splunk indexer/heavy forwarder on that network for each contestant.  Contestants need a full Splunk instance, not a universal forwarder, because they have to index data, run searches against it, and install a Splunk app on their instance.

Things to do when setting up the game.

  1. Make sure the judging indexer is not already using port 9997 (the port conventionally used for receiving forwarder traffic).  The SPLing Bee app sets up a raw TCP input listening on port 9997.
  2. Update the Round 1 text of the dashboard with the correct instructions for the contest and where to send the data.
  3. Make sure there are machines available for the contestants, or have the main indexer publicly reachable so they can use a Splunk Cloud trial.
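The first item on that checklist, and the exposure implied by an unauthenticated TCP listener, are both easy to check mechanically before the contest starts.  The script below is an added example and not part of the SPLing Bee app: it parses Splunk's INI-style inputs.conf, reports any port claimed by more than one enabled listener stanza, and flags a raw [tcp://...] input that has no acceptFrom network ACL (a real inputs.conf setting; the 10.20.0.0/16 range in the hardened sample is a made-up contestant network).  The sample configurations are constructed for the example; the [tcp://9997] stanza matches the one shipped with the app.

```python
"""Audit a Splunk inputs.conf for the two things the SPLing Bee setup
checklist cares about: a collision on port 9997 and a raw TCP listener
that any host can write to."""
import configparser
from typing import Dict, List, Optional

# Constructed sample (not from the page): the [tcp://9997] stanza the
# SPLing Bee app ships, landing on an indexer that already receives
# forwarder traffic on 9997 through the conventional splunktcp stanza.
SAMPLE_INPUTS_CONF = """\
[splunktcp://9997]
disabled = 0

[tcp://9997]
connection_host = ip
index = spl_bee
sourcetype = spl_bee_json
source = spl_bee_input
"""

# Hardened variant: the collision is gone and acceptFrom limits which
# addresses may write into spl_bee. The CIDR ranges are hypothetical.
HARDENED_INPUTS_CONF = """\
[tcp://9997]
connection_host = ip
index = spl_bee
sourcetype = spl_bee_json
source = spl_bee_input
acceptFrom = 10.20.0.0/16, !10.20.99.0/24
"""

LISTENER_SCHEMES = ("tcp", "splunktcp", "udp")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Keys keep their case (Splunk settings are case-sensitive) and a bare
    'KEY =' (as with DATETIME_CONFIG in props.conf) yields an empty string.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = str  # type: ignore[assignment]
    parser.read_string(text)
    return {name: {k: (v or "") for k, v in parser.items(name)}
            for name in parser.sections()}


def listener_port(stanza: str) -> Optional[int]:
    """Port bound by a [tcp://...], [splunktcp://...] or [udp://...] stanza,
    or None for non-listeners (monitor://, script://, ...). Accepts both
    the [tcp://9997] and the [tcp://<remote host>:9997] forms."""
    scheme, sep, rest = stanza.partition("://")
    if not sep or scheme not in LISTENER_SCHEMES:
        return None
    port = rest.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def audit_inputs(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the checklist passes."""
    stanzas = parse_conf(text)
    findings: List[str] = []
    by_port: Dict[int, List[str]] = {}

    for name, settings in stanzas.items():
        if settings.get("disabled", "0").lower() in ("1", "true"):
            continue  # a disabled stanza does not bind its port
        port = listener_port(name)
        if port is None:
            continue
        by_port.setdefault(port, []).append(name)

        # Raw TCP input with no network ACL: any host that can reach the
        # port can inject arbitrary events into the target index.
        if name.startswith("tcp://") and not settings.get("acceptFrom"):
            findings.append(
                f"[{name}] has no acceptFrom; any host can write to index "
                f"'{settings.get('index', 'default')}'")

    for port, names in sorted(by_port.items()):
        if len(names) > 1:
            findings.append(f"port {port} is claimed by more than one stanza: "
                            + ", ".join(f"[{n}]" for n in names))
    return findings


if __name__ == "__main__":
    for label, conf in (("as shipped", SAMPLE_INPUTS_CONF),
                        ("hardened", HARDENED_INPUTS_CONF)):
        print(f"{label}:")
        for finding in audit_inputs(conf) or ["no findings"]:
            print("  -", finding)
```

Run it against the merged inputs.conf of the judging indexer (for example `splunk btool inputs list --debug` output pasted into a file) before opening the port to contestants; the hardened variant shows what a clean result looks like.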

For running the contest, Splunk wrote the SPLing_Bee_Directions for .conf2015.

SPLing Bee

If you were not able to attend Splunk’s conference, you missed out on a great game.  The SPLing Bee is a game that helps you develop your searching skills.

Here are the SPLing_Bee_Directions that were written for .conf2015.

Here is the SPLing_Bee_Application.  You’ll also need the sendjobmeta custom search command, which is used to have your contestant instances send their search results/answers to a master instance of your choice – https://splunkbase.splunk.com/app/2839/

It’s best to have everyone use cloud trial instances, install the app, and index the sample dataset you want to use.  Each cloud instance submits from its own IP address, whereas if people use local instances behind the same network you may see the same source IP arrive for several contestants, which makes judging their submissions difficult.

October 2015 Meeting

Here is the PowerPoint from the October 2015 meeting:
http://splunk402.com/wp-content/uploads/2015/10/Oct2015.pptx

Thank you to the Nonprofit Hub in Lincoln for allowing us to take over the area. Thank you to Tony Reinke from National Research Corporation, John Foss of Splunk, and Bret Brasfield of Continuum for your presentations. There was a lot of good discussion on Enterprise Security and we were very happy that Kanad Sharma from Splunk Professional Services was there and able to share his experiences.

Take the survey on this meeting and the overall group.
http://splunk402.com/poll/

March 2015 Meeting Recap

Thank You!

Thank you to everyone who joined us for our developer-focused meeting.  Thank you to Nimble Storage for providing the food.  Thank you to Continuum for providing the drinks.  And thank you to National Research for hosting the event.  It was great to learn more about writing code for Splunk.  Below you will find the PDFs of both Tony Reinke of National Research’s and Brian Knopp of Nimble Storage’s presentations.

Splunk402 March 2015 Meeting


Survey

Please take a moment and answer a quick 5 question survey.  Let us know if you could or could not make the event, rate our speakers, and help us to decide the topics of upcoming meetings.

https://www.surveymonkey.com/s/DHVGVCZ


Splunk .conf2015

A call for papers has recently gone out for the 2015 Splunk Conference.  Got a great success story?  Made a killer app?  Submissions are accepted via the Call for Papers until April 28th, and accepted sessions will begin to be announced on May 28, 2015.

Submit here: http://conf2015cfp.hubb.me/


Meeting Video

If you missed the meeting, you can watch the recording below.  We noticed the audio cut out in a few places in the recordings.  We will try to catch this more quickly in future meetings.

January 2015 Meeting

The January 2015 user group meeting will be at the First Data offices in Omaha, NE.  We will be meeting at 6pm on January 28th.

Register for in person tickets and online viewing tickets at:
http://splunk402.com/events/january-2015/

Watch Live on YouTube:
https://www.youtube.com/watch?v=Jzh643rFfMA

Schedule of Events:

6:00pm – Start Meeting, Introductions and Welcomes

6:15pm – How First Data is using Splunk – Patrick Swartz of First Data will show us how First Data is currently using Splunk.

6:45pm – Getting your data into Splunk – Mike Mizener of Continuum Security Solutions will teach us about getting our data into Splunk.  Learn just what all the .conf files do and why they are there.

7:30pm – Violin Memory – Philip Wieczorek will be joining us to talk about Violin Memory and how their products can help you with your Splunk instances.

8:30pm – Networking

Splunk .conf2014 Downloads

With Splunk’s .conf2014 wrapped up, they have released the content of the conference.  Below is the recorded keynote address from Godfrey Sullivan, Chairman and CEO of Splunk.  Godfrey is joined by Snehal Antani, CIO of GE Capital, Michael Connor, Senior Platform Architect of The Coca-Cola Company, and Lee Congdon, Vice President and CIO of Red Hat.

Splunk also makes most of the sessions available for downloading/viewing.  You can download PDFs and videos from most sessions at:
http://conf.splunk.com/sessions/2014?r=conf_topnav_keynotessessions_2014sessions

November Meeting – Conference Wrap Up

Hello Splunkers!

I am so excited to announce that Clint Sharp (@clintsharp) will be virtually attending our meeting. Clint is the Director of Product Management, Big Data, and Operational Intelligence at Splunk. He has been at Splunk for almost 3 years. Clint will be going over the new features in Splunk 6.2.

The meeting is still on the University of Nebraska – Lincoln City Campus. We have been upgraded to Brace Hall, which is in the Brace Laboratory, south of Memorial Stadium.

Register for the event at:
http://splunk402.com/events/conf2014_recap/

New Location:

Brace Laboratory
Rm. 308 in Brace Hall
510 Stadium Drive
Lincoln, NE 68508

Google Map of Brace Laboratory:
https://www.google.com/maps/place/Brace+Laboratory,+University+of+Nebraska+-+Lincoln:+City+Campus,+University+of+Nebraska-Lincoln,+Lincoln,+NE+68508/@40.8180658,-96.7062385,17z/data=!3m1!4b1!4m2!3m1!1s0x8796bee273a32037:0xd5bb65697a5dd9ca

Best parking option would be the Stadium Parking Garage near the SW corner of the stadium (Stadium Drive and T Street) . There are also meters along the parking garage, and on the street south of the stadium. Meters are enforced until 7:30 PM.

Please join us for the Lincoln/Omaha Local Splunk User Group in Lincoln, NE and learn how more than 7,000 companies, government agencies and service providers are currently using Splunk. Whether you are getting started, creating intelligent searches/alerts or building complex dashboards, this group is for you. Meet other Splunk users and get tips to make you more successful.

If you have ideas or questions, please let us know. We can be contacted through the website (http://www.splunk402.com/contact-us/), through email (contact@splunk402.com), or you can call Tony Reinke at 402-323-4124.

Meeting Info

University of Nebraska – Lincoln
Our meeting this month will be hosted at the University of Nebraska Lincoln in Brace Laboratory. Make sure to register so we know the size of the room we need.

Date and Time:
November 5th, 2014 at 6pm

Location:
Brace Laboratory
Rm. 308 in Brace hall
510 Stadium Drive
Lincoln, NE 68508

Register for the event at:
http://splunk402.com/events/conf2014_recap/

Topics

Splunk 6.2
Splunk released Splunk 6.2 on October 28. This update is focused on helping make the experience easier. Clint Sharp from Splunk will be talking about this during our meeting. You can read about the release at http://www.splunk.com/view/SP-CAAANNC.

University of Nebraska – Lincoln
Dan Buser from University of Nebraska – Lincoln will be showing how the UNL is using Splunk in their environment.

User Experiences at .conf2014
Splunk’s annual .conf2014 was October 6th to October 9th. Listen as members of Splunk402 recount their .conf2014 experiences.