You're reading from Splunk Operational Intelligence Cookbook - Third Edition

Product type: Book
Published in: May 2018
Publisher: Packt
ISBN-13: 9781788835237
Edition: 3rd Edition
Authors (4):

Yogesh Raheja

Yogesh Raheja, DevOps, Automation and Cloud Coach and Consultant, is a certified DevOps and cloud expert with a decade of IT experience. He has expertise in technologies such as operating systems, source code management, build and release tools, continuous integration/deployment/delivery tools, containers, configuration management tools, monitoring and logging tools, and public and private clouds. He loves to share his technical expertise with audiences worldwide at forums, conferences, webinars, blogs, and on LinkedIn. He has written books on IT automation named "Effective DevOps with AWS", "Automation with Puppet 5" and "Automation with Ansible", which have been published by "John & Wiley" and "Packt Publisher". He has also reviewed DevOps books for multiple publishers.

Josh Diakun

Josh Diakun is an IT operations and security specialist with a focus on creating data-driven operational processes. He has over 10 years of experience managing and architecting enterprise-grade IT environments. For the past 7 years, he has been architecting, deploying and developing on Splunk as the core platform for organizations to gain security and operational intelligence. Josh is a founding partner at Discovered Intelligence, a company specializing in data intelligence services and solutions. He is also a co-founder of the Splunk Toronto User Group.

Paul R. Johnson

Paul R. Johnson has over 10 years of data intelligence experience in the areas of information security, operations, and compliance. He is a partner at Discovered Intelligence, a company specializing in data intelligence services and solutions. Paul previously worked for a Fortune 10 company, leading IT risk intelligence initiatives and managing a global Splunk deployment. Paul co-founded the Splunk Toronto User Group and lives and works in Toronto, Canada.

Derek Mock

Derek Mock is a software developer and big data architect who specializes in IT operations, information security, and cloud technologies. He has 15 years' experience developing and operating large enterprise-grade deployments and SaaS applications. He is a founding partner at Discovered Intelligence, a company specializing in data intelligence services and solutions. For the past 6 years, he has been leveraging Splunk as the core tool to deliver key operational intelligence. Derek is based in Toronto, Canada, and is a co-founder of the Splunk Toronto User Group.

Enriching Data – Lookups and Workflows

In this chapter, we will learn how to augment and enrich the data within Splunk. You will learn about:

  • Looking up product code descriptions
  • Flagging suspect IP addresses
  • Creating a session state table
  • Adding hostnames to IP addresses
  • Searching ARIN for a given IP address
  • Triggering a Google search for a given error
  • Generating a chat notification for application errors
  • Looking up inventory from an external database

Introduction

In the previous chapter, you continued to improve your Splunk search and analytic skills by building more advanced searches that used Splunk's deeper analytical commands to extract operational intelligence from the data contained in logs. In this chapter, you will use Splunk's lookup functionality to enrich those results with data found outside the logs, and Splunk's workflow functionality to perform simple actions on the data you discover.

Lookups

Lookups are used to enrich log data with additional data that is not found in the log events themselves. They let you key off one or more fields in the event data and add further fields to each matching event. These additional...

Looking up product code descriptions

Log data can be filled with identification numbers, short codes, error numbers, or other values that don't always make the information easy to read or understand quickly.

This recipe will show you how to add a lookup table to your Operational Intelligence application so that when a product code field is present in an event, a description field can automatically be added and populated with the full description of that product.

Getting ready

To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time - Getting Data In. You should be familiar with navigating the Splunk user interface.

...

Flagging suspect IP addresses

Any server that accepts requests from clients is a potential target for someone to try to exploit. Attacks come in many forms, and over time it is important to keep a history of the sources they originate from, so that their behavior and patterns can be monitored more closely and the data potentially used to block access as needed.

In this recipe, you will learn how to store the source IP addresses of clients whose web requests result in errors in a lookup and flag them as suspect. This lookup will then be used to filter a subsequent search.
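The same idea in plain Python, as an added example written for this page rather than the book's SPL: parse web access events, count client-side errors per source address, emit the lookup table that `outputlookup` would write, and then use it the way `lookup ... | search suspect=true` would, so that the flagged client's successful requests are caught as well. The log lines, field names and the error threshold are constructed assumptions.

```python
"""Build a suspect-IP lookup from web access events and filter a later search with it.
Added example (not the book's code); the access log lines below are constructed."""
import csv
import io
import re
from datetime import datetime

# Constructed NCSA-style access log lines: one client probing for admin files,
# one legitimate client with a single 404, one client hitting a server-side error.
ACCESS_LOG = """\
203.0.113.7 - - [10/May/2018:13:55:36 +0000] "GET /admin.php HTTP/1.1" 404 211
203.0.113.7 - - [10/May/2018:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 211
203.0.113.7 - - [10/May/2018:13:55:38 +0000] "GET /.env HTTP/1.1" 404 211
203.0.113.7 - - [10/May/2018:13:55:50 +0000] "GET /login.jsp HTTP/1.1" 200 1482
198.51.100.2 - - [10/May/2018:13:56:01 +0000] "GET /product.screen?productId=P-1001 HTTP/1.1" 200 3712
198.51.100.2 - - [10/May/2018:13:56:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209
192.0.2.55 - - [10/May/2018:13:57:12 +0000] "POST /cart.do?action=checkout HTTP/1.1" 503 0
192.0.2.55 - - [10/May/2018:13:57:20 +0000] "GET /oldlink?itemId=EST-14 HTTP/1.1" 200 1665
"""

LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$')

FIELDS = ["clientip", "error_count", "first_seen", "last_seen", "suspect"]


def parse(lines):
    """Yield one dict per well-formed access log line (malformed lines are skipped)."""
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            yield d


def build_suspect_lookup(events, threshold=3):
    """Return lookup rows for every client that produced a 4xx response.
    Only client-side errors count: a burst of 404s for admin paths is a probe,
    whereas 5xx responses are usually the server's own fault. `threshold` (number
    of errors before a client is flagged) is an assumption; tune it per site."""
    stats = {}
    for e in events:
        if not 400 <= e["status"] < 500:
            continue
        ts = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = stats.setdefault(e["clientip"], {"n": 0, "first": ts, "last": ts})
        s["n"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return [
        {"clientip": ip, "error_count": s["n"],
         "first_seen": s["first"].isoformat(), "last_seen": s["last"].isoformat(),
         "suspect": "true" if s["n"] >= threshold else "false"}
        for ip, s in sorted(stats.items())
    ]


def to_csv(rows):
    """Serialise the rows in the shape a CSV lookup file takes."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def filter_by_lookup(events, lookup_rows):
    """Return every event from a flagged client, including its successful
    requests: that is the point of keeping the lookup rather than just
    searching for status>=400 again."""
    flagged = {r["clientip"] for r in lookup_rows if r["suspect"] == "true"}
    return [e for e in events if e["clientip"] in flagged]


if __name__ == "__main__":
    evs = list(parse(ACCESS_LOG))
    rows = build_suspect_lookup(evs)
    print(to_csv(rows))
    for e in filter_by_lookup(evs, rows):
        print(e["clientip"], e["status"], e["uri"])
```

The threshold is the part worth thinking about: a single 404 (a missing favicon, a stale bookmark) is normal browsing, while several in a second against paths the application never served is a scanner. Storing first_seen and last_seen alongside the count lets later searches age entries out instead of flagging an address forever.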

Getting ready

To step through this recipe, you will need a running Splunk Enterprise...

Creating a session state table

In this recipe, you will learn how to use lookups to maintain a state table that records the first time a session was seen and is continually updated with the session's latest activity. You can use this to determine whether a session has gone stale and been abandoned, or whether someone is trying to hijack an old session.
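An added example of the state-table logic in Python (not the book's SPL, which reads the table with `inputlookup`, merges new events and writes it back with `outputlookup`): first_seen only ever moves backwards, last_seen only forwards, and two checks run over the result, one for sessions that have gone idle and one for a session that comes back from a different client address. The events, session identifiers and the 30-minute idle threshold are constructed.

```python
"""Session state table with stale-session and session-reuse checks.
Added example; events and thresholds below are constructed, not from the book."""
from datetime import datetime, timedelta, timezone


def ts(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed events: (time, session id, client ip). "s-1" is abandoned;
# "s-2" reappears from a different address after a long gap.
EVENTS = [
    (ts("2018-05-10T13:00:00"), "s-1", "198.51.100.2"),
    (ts("2018-05-10T13:02:00"), "s-1", "198.51.100.2"),
    (ts("2018-05-10T13:05:00"), "s-2", "192.0.2.55"),
    (ts("2018-05-10T13:06:00"), "s-2", "192.0.2.55"),
    (ts("2018-05-10T15:40:00"), "s-2", "203.0.113.7"),
    (ts("2018-05-10T15:41:00"), "s-3", "198.51.100.9"),
]

IDLE = timedelta(minutes=30)  # assumption: treat 30 minutes without activity as idle


def update_state(state, events, idle=IDLE):
    """Merge events into `state` (session id -> row) and return reuse alerts.

    A row keeps first_seen, last_seen, the set of client addresses seen and an
    event count. An alert is raised when a session is presented from an address
    it has not used before; the idle gap is recorded so that a mobile user
    roaming between networks can be told apart from a cookie replayed hours
    later from elsewhere."""
    alerts = []
    for when, sid, ip in sorted(events):
        row = state.get(sid)
        if row is None:
            state[sid] = {"first_seen": when, "last_seen": when, "ips": {ip}, "events": 1}
            continue
        if ip not in row["ips"]:
            gap = when - row["last_seen"]
            alerts.append({
                "session": sid,
                "reason": "session presented from a new client address",
                "previous_ips": sorted(row["ips"]),
                "new_ip": ip,
                "idle_minutes": int(gap.total_seconds() // 60),
            })
        row["first_seen"] = min(row["first_seen"], when)
        row["last_seen"] = max(row["last_seen"], when)
        row["ips"].add(ip)
        row["events"] += 1
    return alerts


def stale_sessions(state, now, idle=IDLE):
    """Sessions with no activity for longer than `idle`. These are candidates
    for abandonment and, if the application never invalidates them server-side,
    exactly the tokens an attacker would try to replay."""
    return sorted(sid for sid, row in state.items() if now - row["last_seen"] > idle)


if __name__ == "__main__":
    table = {}
    for alert in update_state(table, EVENTS):
        print("ALERT", alert)
    print("stale:", stale_sessions(table, ts("2018-05-10T15:45:00")))
```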

Getting ready

To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time - Getting Data In. You should be familiar with navigating the Splunk user interface.

How to do it...

...

Adding hostnames to IP addresses

In this recipe, you will learn how to add hostnames to the IP addresses in your log data by using external lookups. A hostname is often more useful than a bare IP address and gives an easier identifier for which clients are connecting to your application. Many ISP-based connections can be identified by the format of their hostnames, which can help you spot potentially malicious activity. Keep in mind that the reverse (PTR) record is set by whoever controls the address block, so a hostname obtained this way is a hint about the client, not a verified identity.
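An external lookup in Splunk is a script that receives CSV on standard input, with the lookup's fields as the header and the input field populated, and writes the same CSV back with the output field filled in. The script below is an added example written in that contract (not the book's script and not Splunk's bundled `external_lookup.py`); it adds one thing the page does not cover, a forward-confirmed reverse DNS check, so that a name is marked verified only when it resolves back to the address it was obtained from. The stanza in the docstring, the field names and the offline resolver table are assumptions.

```python
#!/usr/bin/env python3
"""Splunk-style external lookup: reverse-resolve client IPs, with FCrDNS verification.

Added example. Assumed transforms.conf wiring (names are illustrative):

    [dnslookup_fcrdns]
    external_cmd = fcrdns_lookup.py clientip clienthost
    fields_list = clientip, clienthost, host_verified
"""
import csv
import socket
import sys


def resolve_system(ip):
    """Real resolver: PTR name for the address, then the addresses that name
    resolves to. Returns (hostname or None, set of forward addresses)."""
    try:
        host = socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None, set()
    try:
        forward = {info[4][0] for info in socket.getaddrinfo(host, None)}
    except (socket.gaierror, OSError):
        forward = set()
    return host, forward


# Constructed answers so the script can be exercised offline (not real DNS data).
FAKE_DNS = {
    "198.51.100.2": ("mail.example.net", {"198.51.100.2"}),   # PTR confirmed by forward lookup
    "203.0.113.7": ("static.example.com", {"192.0.2.9"}),    # PTR names a host that lives elsewhere
    "192.0.2.55": (None, set()),                             # no PTR record
}


def resolve_fake(ip):
    return FAKE_DNS.get(ip, (None, set()))


def enrich_rows(rows, ip_field, host_field, resolver=resolve_system):
    """Fill host_field for each row; set host_verified to 'true' only when the
    PTR name resolves back to the address (forward-confirmed reverse DNS).
    The PTR record belongs to whoever owns the address block, so an unverified
    name must never feed an allow-list."""
    out = []
    for row in rows:
        row = dict(row)
        ip = row.get(ip_field, "")
        if ip and not row.get(host_field):
            host, forward = resolver(ip)
            row[host_field] = host or ""
            row["host_verified"] = "true" if host and ip in forward else "false"
        out.append(row)
    return out


def main(argv=sys.argv, stdin=sys.stdin, stdout=sys.stdout, resolver=resolve_system):
    """Splunk invokes the script with the field names as arguments and streams CSV."""
    if len(argv) != 3:
        sys.exit("usage: fcrdns_lookup.py <ip_field> <host_field>")
    ip_field, host_field = argv[1], argv[2]
    reader = csv.DictReader(stdin)
    fields = list(reader.fieldnames or [])
    if "host_verified" not in fields:
        fields.append("host_verified")
    writer = csv.DictWriter(stdout, fieldnames=fields)
    writer.writeheader()
    writer.writerows(enrich_rows(reader, ip_field, host_field, resolver))


if __name__ == "__main__":
    main()
```

Every field the script reads or writes has to appear in `fields_list`, otherwise Splunk drops the column on the way back; the extra `host_verified` column is what lets a later search treat `clienthost` from a spoofed PTR record with the suspicion it deserves.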

Getting ready

To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time - Getting Data In. You should be familiar with navigating the Splunk user interface.

...

Searching ARIN for a given IP address

IP addresses on their own give only a small glimpse of who they are associated with, where they are from, or what they are for. You might be able to determine whether an IP is from a private range, which asset it belongs to, or whether it is a well-known server, but in many cases you will not know much about the IPs in question.

In this recipe, you will learn how to leverage Splunk's workflow functionality to search an IP address in your events against the ARIN (American Registry for Internet Numbers) database to look up more useful information about the IP in question, such as who the IP address is assigned to.

Getting ready

To step through this recipe, you will need a running Splunk Enterprise...

Triggering a Google search for a given error

Many times, you will run across data in your events that you do not fully understand. For example, logs typically contain error codes that can be cryptic. You can use a lookup table to translate these error codes into something meaningful, where that makes sense. For codes you do not need to look up often, however, you can instead create a workflow action that searches the internet for them. Looking at what the wider web community has posted has saved many an administrator a sleepless night.

This recipe will show you how to build a workflow action that will allow you to take the status code from a search in Splunk and have it initiate a search in Google with the Google search terms already populated.
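The ARIN and Google recipes above are both link workflow actions: a URI template with `$field$` placeholders that Splunk fills from the selected event. The added example below (not Splunk's implementation of workflowactions.conf, and not the book's configuration) shows the two checks a practitioner wants before an event field lands in a URL: the value is percent-encoded so that a crafted URI or status string cannot add its own query parameters, and the ARIN lookup refuses addresses that are not publicly routable, since ARIN has nothing to say about them and firing the lookup would hand your internal addressing to a third party. The ARIN REST and Google search URLs are the public endpoints; the field names are assumptions.

```python
"""Render $field$ link templates from event fields safely.
Added example; templates and field names are assumptions."""
import ipaddress
import re
from urllib.parse import quote

ARIN_TEMPLATE = "https://whois.arin.net/rest/ip/$clientip$"
GOOGLE_TEMPLATE = "https://www.google.com/search?q=$status$+$uri$"

_PLACEHOLDER = re.compile(r"\$(\w+)\$")


def render_link(template, event):
    """Substitute each $field$ with the percent-encoded value of that field.
    Encoding with safe="" turns '&', '=', '/' and '$' into %XX escapes, so a
    field value cannot smuggle extra parameters or placeholders into the URL.
    A missing field raises rather than leaving a literal '$field$' in the link."""
    def sub(match):
        name = match.group(1)
        if name not in event:
            raise KeyError(f"event has no field {name!r}")
        return quote(str(event[name]), safe="")
    return _PLACEHOLDER.sub(sub, template)


def arin_link(event, ip_field="clientip"):
    """ARIN Whois-RWS link for a globally routable address; None for private,
    loopback, link-local, multicast, documentation ranges and unparsable values."""
    try:
        ip = ipaddress.ip_address(event[ip_field])
    except (KeyError, ValueError):
        return None
    if not ip.is_global:
        return None
    return render_link(ARIN_TEMPLATE, {ip_field: str(ip)})


def google_error_link(event):
    """Google search pre-populated with the status code and the request URI."""
    return render_link(GOOGLE_TEMPLATE, event)


if __name__ == "__main__":
    print(arin_link({"clientip": "8.8.8.8"}))
    print(arin_link({"clientip": "10.0.0.5"}))
    print(google_error_link({"status": 503, "uri": "/cart.do?action=checkout"}))
```

Note that `is_global` is false for the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) used in sample data throughout this chapter, so against the book's generated logs the gate will suppress most ARIN links; that is the correct behaviour, not a bug.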

Getting...

Generating a chat notification for application errors

When errors or other notable events are detected in your application events, you might wish to carry out some further investigation or remediation measures. Often, this involves generating a notification in a system to alert different teams to the issue.

This recipe will show you how to take error code data from your search results in Splunk and have it generate a notification in your team chat application, using a Splunk workflow action. Of course, there are many different chat systems in use, and there is no one-size-fits-all approach. So, while the principles of this recipe are sound, you might need to configure things slightly differently to work with the chat system in use within your own business. For the purposes of this recipe, we will be sending the notification to Slack.
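As an added example to accompany the recipe, the following Python builds and posts the Slack message; it stands in for the HTTP POST workflow action and the Slack-side configuration, which the page does not show, and is not the book's code. Two points matter for a notification fed from log data: the webhook URL is a credential (anyone holding it can post to the channel), so it is read from the `SLACK_WEBHOOK_URL` environment variable rather than written into a search or dashboard, and field values are escaped and truncated before they are interpolated, because Slack interprets `&`, `<` and `>` in message text and a log line's URI field is attacker-influenced. The environment variable name, the field list and the message layout are assumptions; the payload shape is the plain `{"text": ...}` form incoming webhooks accept.

```python
"""Build and post a Slack incoming-webhook notification for an application error.
Added example; SLACK_WEBHOOK_URL, the field list and the layout are assumptions."""
import json
import os
import urllib.request


def slack_escape(text):
    """Slack treats &, < and > as control characters (links, mentions), so log
    content must be escaped before it is placed in message text."""
    return str(text).replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def build_payload(event, fields=("host", "status", "uri", "clientip"), limit=400):
    """One message per event. Values are escaped and cut at `limit` characters
    so a multi-kilobyte request URI in a log line does not become a
    multi-kilobyte chat message."""
    lines = []
    for name in fields:
        if name in event:
            value = slack_escape(event[name])
            if len(value) > limit:
                value = value[:limit] + "..."
            lines.append(f"*{name}*: {value}")
    return {"text": "Application error detected\n" + "\n".join(lines)}


def send(payload, webhook_url=None, timeout=5):
    """POST the payload as JSON. The webhook URL comes from the environment so it
    never appears in searches, dashboards or version control; refuse anything
    that is not https, since the URL itself is the secret being protected."""
    url = webhook_url or os.environ.get("SLACK_WEBHOOK_URL")
    if not url or not url.startswith("https://"):
        raise RuntimeError("SLACK_WEBHOOK_URL is not set or is not an https URL")
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed event; run with SLACK_WEBHOOK_URL set to actually post it.
    sample = {"host": "web01", "status": 503, "uri": "/cart.do?action=checkout", "clientip": "192.0.2.55"}
    print(json.dumps(build_payload(sample), indent=2))
    if os.environ.get("SLACK_WEBHOOK_URL"):
        print("HTTP", send(build_payload(sample)))
```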

...

Looking up inventory from an external database

In this recipe, you will use DB Connect to query an external database's product inventory table. You will then pull this data back into Splunk and turn it into a local lookup that is refreshed once per day. This product inventory table will be used in the next chapter.

DB Connect has a dedicated Splunk manual that can be found at https://docs.splunk.com/Documentation/DBX/latest/DeployDBX.
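The harvest step, as an added example in Python rather than a DB Connect configuration: an in-memory SQLite table plays the part of the external database so the code runs offline, the inventory query is parameterised instead of assembled from strings, and the result is written in the CSV shape a Splunk lookup file takes. DB Connect would run the same query against the real database on its schedule and `outputlookup` the result. The table and column names are assumptions; the practitioner's note is that the database account DB Connect uses for this should have SELECT on the inventory table and nothing more.

```python
"""Harvest a product inventory table into a lookup CSV.
Added example; SQLite stands in for the external database, and the table,
column names and sample rows are constructed."""
import csv
import io
import sqlite3

INVENTORY_SQL = (
    "SELECT product_id, product_name, category, quantity "
    "FROM product_inventory WHERE quantity >= ? ORDER BY product_id"
)
LOOKUP_FIELDS = ["product_id", "product_name", "category", "quantity"]


def sample_database():
    """Constructed stand-in for the external inventory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product_inventory ("
        "product_id TEXT PRIMARY KEY, product_name TEXT, category TEXT, quantity INTEGER)")
    conn.executemany("INSERT INTO product_inventory VALUES (?, ?, ?, ?)", [
        ("P-1001", "Mediocre Kingdoms", "STRATEGY", 12),
        ("P-1002", "World of Cheese", "SIMULATION", 0),
        ("P-1003", "Dream Crusher", "SHOOTER", 3),
    ])
    conn.commit()
    return conn


def harvest_inventory(conn, min_quantity=0):
    """Run the inventory query with a bound parameter (never format the threshold
    into the SQL text) and return the rows as dicts keyed by column name."""
    cur = conn.execute(INVENTORY_SQL, (min_quantity,))
    columns = [d[0] for d in cur.description]
    return [dict(zip(columns, row)) for row in cur.fetchall()]


def write_lookup_csv(rows, fieldnames=LOOKUP_FIELDS):
    """Serialise rows as a CSV lookup; the header row is the lookup's field list."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    db = sample_database()
    print(write_lookup_csv(harvest_inventory(db)))
```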

Getting ready

To step through this recipe, you will need a running Splunk Enterprise server, with Splunk DB Connect installed and the sample data loaded. The Splunk DB Connect installation and the sample data onboarding are covered in Chapter 1, Play Time - Getting Data In. You...
