Splunkbase is home to the apps and add-ons that run on top of Splunk. Browse the latest apps below, or share your own with the rest of the Splunk community. To learn more about Splunk and download a free Enterprise Trial of our software, visit Splunk.com.
Splunk for Windows provides pre-built data inputs, searches, reports, alerts, and dashboards for Windows server and desktop management. Now you can monitor, manage, and troubleshoot Windows operating systems from one place with Splunk for Windows. Included are a set of scripted inputs for collecting CPU, disk, I/O, memory, log, configuration, and user data. And you're really going to love the new WMI Web user interface for setting up and managing your Windows Event Logs. The app makes getting started with Splunk a breeze.
Splunk for *nix provides pre-built data inputs, searches, reports, alerts and dashboards for Linux and Unix management. Now you can monitor, manage and troubleshoot *nix operating systems from one place with Splunk for *nix. Included are a set of scripted inputs for collecting CPU, disk, I/O, memory, log, configuration and user data. The app makes getting started with Splunk a breeze.
This app provides a new dashboard which has several widgets that query to help you determine your Splunk license usage total over the past 24 hours as well as usage by host, source, and sourcetype. It contains timecharts to help you understand usage over time and see usage spikes as well as pie charts to help you to figure out which log files, sourcetypes, and hosts Splunk is indexing the most data from.
Splunk and F5 are working together to provide real time reporting and intelligence for the ASM and PSM product lines. You rely on F5 Networks solutions like BigIP Global Traffic Manager, Local Traffic Manager, ASM, Firepass, WANOPT and ARX to keep your mission critical applications running and achieve IT agility. Your way. Now you can rely on Splunk for F5 to search, alert, report and make decisions in real time. Pre-defined searches, reports and dashboards make it quick to get started and with the power of Splunk you can customize Splunk for F5 to meet the specific needs of your agile IT environment. **Please note the current application includes support for ASM and PSM products only**
This application will continually download mail from an imap account where it is indexed by a Splunk server. You can do cool things like see how often you get mail from someone, graph by size, time, etc.
Splunk for Blue Coat provides search, alerting and reporting for large-scale Blue Coat environments. Pre-defined searches, reports and dashboards for Traffic Analysis, Bandwidth Reporting, Security Investigations and User Behavior combined with the power of Splunk search gives you the visibility and intelligence you need. If you use Blue Coat for Secure Web Gateway, WAN Optimization or Application Performance Monitoring, you'll find Splunk for Blue Coat indispensable.
Splunk for Cisco is an application that provides a consolidated view of specific Cisco product events. The apps and their saved searches and dashboards can be used separately or together to provide a unique-to-Splunk single pane of glass for host, network, and email security events. Cisco applications covered are:
- Cisco CSA
- Cisco Email Security Appliance (formerly IronPort)
- Cisco Web Security Appliance (formerly IronPort)
- Cisco ASA (firewall and IPS logs)
This combination of log data provides:
- A correlated view of infected hosts with data loss information from WSA/ESA
- The ability to follow the connection between related data across different hosts
- The ability to trace threats in real time utilizing reputation from Cisco Global Correlation IPS events
This App enables Splunk 4 to generate link graphs by using AfterGlow. The link graph is a clickable image map. When a node is selected, it is used to generate a new search in Splunk.
Splunk for Use with MAXMIND is an application that provides GeoIP information on any public IP in your Splunk DB in a scalable fashion. The GeoIPCityLite DB is a part of the app, so no internet connection is required and lookups are performed locally on your search head. Usage is simple: pipe any search to ' lookup geoip clientip as <some_ip_field> '. If you do not have an IP field in your data, you can use the rex command to extract one and then perform the lookup. Example searches:
eventtype=firewall_event | lookup geoip clientip as src_ip
sourcetype=syslog | rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)" | lookup geoip clientip as ip
This product includes GeoLite data created by MaxMind, available from: http://www.maxmind.com/
Field extractions, sample reports and dashboards for Cisco ASA, PIX and FWSM Firewalls Configuration instructions and comments can also be found here: http://answers.splunk.com/questions/3366/how-do-i-install-the-cisco-firewall-add-on
This is a theme packaged as an app that you can use to change the look and feel of any app. Simply move the contents of the "appserver > static" directory to the app you would like to change.
This application consists of a servlet that captures the POST and/or GET parameters for any HTTP request and sends to standard output a set of <tag>=<value> terms, seen as one event in Splunk. Because tag=value are the terms in the events, automatic field extraction for search and reports will occur for these terms. The purpose of this boilerplate Java Servlet is to serve as a parameter collector for HTTP POST and GET requests that can be customized for deployment. The servlet developed here was tested on Apache Tomcat 6.x, although it should work in any servlet container. To further solidify its usage, the user may want to investigate using log4j as the framework for log collection. In the Tomcat implementation, the output is captured in a configurable rotated log file to be monitored by Splunk. *** OPTIONAL *** This version also includes a servlet that uses the log4j framework. tar -zxvf the distribution and read the README for installation notes.
The PDF Report Server add-on enables your Linux-based Splunk instance to generate emailed reports in PDF format. IMPORTANT: it is only compatible with Intel-based Linux systems and requires the Xvfb and xauth operating system packages to be installed. See the documentation for further details. Instances of Splunk running on non-Linux OS's (Solaris, Windows, etc.) cannot run the PDF Report Server, but they can be configured to use a remote Linux-based Splunk server with this add-on installed to generate PDFs. This add-on requires an Enterprise license and will not work with a Free license. For more information, see: http://www.splunk.com/base/Documentation/4.1/Installation/ConfigurePDFprintingforSplunkWeb
Search is the Splunk interface for searching and analyzing IT data. It allows you to index data into Splunk, add knowledge, build reports, and create alerts. Splunk 4.0 includes a brand new search and reporting interface, and pre-built useful dashboards for monitoring your Splunk installation. The Search App can be used across many areas of IT including infrastructure management, application management, security and compliance.
This is a theme packaged as an app that you can use to change the look and feel of any app. Simply move the contents of the "appserver > static" directory to the app you would like to change.
Get started with Splunk. This App introduces you to many of Splunk's features. You'll learn how to use Splunk to index data, search and investigate, add knowledge, monitor, alert, report and analyze all your IT data in one place.
The Splunk Monitoring application can be used to monitor your Splunk forwarding nodes from your indexing node using an nmap query script. It creates a new "splunk_monitoring" index and has a single dashboard that displays the overall number of servers that are UP or DOWN as well as the status of each individual server. To use the Splunk Monitoring application, extract the files into your $SPLUNK_HOME/etc/apps directory. The actual monitoring script uses nmap so make sure you have it installed on your indexing node. Edit the $SPLUNK_HOME/etc/apps/splunk_monitoring/local/tags.conf file to include a list of your servers (the actual tag doesn't matter) or edit the $SPLUNK_HOME/etc/apps/splunk_monitoring/bin/splunk_port_monitor.sh script to point to a different location for the tag_file variable. You will also want to edit that file if you run Splunk on a port other than 8089 or if your nmap executable is located in a location other than /usr/bin/nmap.
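The following is an added example of the kind of scripted input the Splunk Monitoring entry describes; it is not the app's own splunk_port_monitor.sh. It swaps the app's nmap probe for a direct TCP connect from the Python standard library, so nothing extra has to be installed on the indexer and the script needs no privileges. Hosts are read from a tags.conf of the same shape the app uses (one "[host=<name>]" stanza per server, tag name ignored); the path constant, the hostnames in the test data and the event format are assumptions.

```python
#!/usr/bin/env python3
"""Scripted input: is each forwarder's splunkd management port reachable?

Added example, not the Splunk Monitoring app's script. Uses a plain TCP
connect instead of nmap. Reads "[host=<name>]" stanzas from a tags.conf
(constructed hostnames in the tests) and prints one UP/DOWN event per host
for Splunk to index.
"""
import re
import socket
import sys
import time

TAG_FILE = "/opt/splunk/etc/apps/splunk_monitoring/local/tags.conf"  # assumed path
SPLUNKD_PORT = 8089  # default splunkd management port

STANZA_RE = re.compile(r"^\[host=([^\]]+)\]$")


def parse_tag_file(text):
    """Extract host names from tags.conf stanzas; the tag lines themselves are ignored."""
    hosts = []
    for line in text.splitlines():
        m = STANZA_RE.match(line.strip())
        if m:
            hosts.append(m.group(1).strip())
    return hosts


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP handshake completes; refused, timed out or unresolvable all count as DOWN."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_events(hosts, port=SPLUNKD_PORT, probe=tcp_probe, now=None):
    """One key=value event per host so Splunk auto-extracts host, port and status."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%S%z", time.localtime(now))
    events = []
    for host in hosts:
        status = "UP" if probe(host, port) else "DOWN"
        events.append(f'{ts} host="{host}" port={port} status={status}')
    return events


def summary(events):
    """The two numbers the dashboard shows: (servers up, servers down)."""
    up = sum(1 for e in events if e.endswith("status=UP"))
    return up, len(events) - up


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else TAG_FILE
    with open(path, encoding="utf-8") as fh:
        hosts = parse_tag_file(fh.read())
    for event in build_events(hosts):
        print(event)
```

Wire it up with an inputs.conf stanza of the form `[script://$SPLUNK_HOME/etc/apps/splunk_monitoring/bin/splunk_port_monitor.py]` with `interval` and `index = splunk_monitoring`. Splunk executes scripted inputs with its own privileges, so keep the script and its tag file writable only by the Splunk service account.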
This app is a collection of example views created by Nick, Nate and other members of the UI development team here at Splunk. Download this app to follow along at home with the examples described in the Developer manual.
This app uses the amMap geo mapping capabilities to create flash maps of activity by IP in your Splunk index.
This is an example of using the Splunk lookup search command to correlate a field that is within Splunk with external field(s) that are in a database. The example is in the bin directory and is called countrylookup.py. After gunzip and tar extracting (tar zxvf dblookup.spl) the distribution, read the README.txt for instructions on usage. The purpose of this example is to show how Splunk can be used to correlate events with fields that reside in an external database.
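Both the MAXMIND entry above and this dblookup entry rely on the same mechanism: a Splunk external lookup, a script that Splunk runs with the lookup field names as arguments, feeds a CSV of the rows to enrich on stdin, and reads the filled-in CSV back from stdout. The following is an added example of such a script; it is neither the MAXMIND app's geoip lookup nor countrylookup.py. The prefix table stands in for the GeoLite database or the external SQL table and is constructed from RFC 5737 documentation ranges; the field names and the lookup name are assumptions.

```python
#!/usr/bin/env python3
"""Splunk external lookup: fill country and city from an IP field.

Added example, not the MAXMIND app's or dblookup's own code. Follows the
external-lookup contract (field names in argv, CSV in on stdin, CSV out on
stdout). GEO_TABLE is constructed sample data, not real geolocation.
"""
import csv
import io
import ipaddress
import sys

# Constructed sample data: RFC 5737 documentation prefixes only.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "DE", "Berlin"),
    (ipaddress.ip_network("198.51.100.0/24"), "US", "Los Angeles"),
    (ipaddress.ip_network("203.0.113.0/24"), "AU", "Sydney"),
]

# Addresses that are never public: skip them rather than query a geo database.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
)]


def geo_lookup(ip_text):
    """Return (country, city) for a public IPv4 address, else ("", "")."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:  # a loose rex such as \d+\.\d+\.\d+\.\d+ also matches "999.1.1.1"
        return "", ""
    if ip.version != 4 or any(ip in net for net in NON_PUBLIC):
        return "", ""
    for net, country, city in GEO_TABLE:
        if ip in net:
            return country, city
    return "", ""


def lookup_rows(csv_text, ip_field="clientip", country_field="country", city_field="city"):
    """Apply the lookup to each CSV row; returns a list of dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only rows with the input set and the output still empty need work;
        # everything else is passed through unchanged, as Splunk expects.
        if row.get(ip_field) and not row.get(country_field):
            row[country_field], row[city_field] = geo_lookup(row[ip_field])
        rows.append(row)
    return rows


def run_lookup(csv_text, ip_field="clientip", country_field="country", city_field="city"):
    """CSV text in, CSV text out; keeps Splunk's header and adds any missing output columns."""
    header = next(csv.reader(io.StringIO(csv_text)), [])
    for field in (country_field, city_field):
        if field not in header:
            header.append(field)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    for row in lookup_rows(csv_text, ip_field, country_field, city_field):
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    # Splunk invokes this as: geolookup.py clientip country city
    sys.stdout.write(run_lookup(sys.stdin.read(), *sys.argv[1:4]))
```

A matching transforms.conf stanza (name assumed) would set `external_cmd = geolookup.py clientip country city`, `external_type = python` and `fields_list = clientip, country, city`; after that `| lookup geolookup clientip as src_ip` works like the geoip example above.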
Splunk for Ironport Web Security (WSA) is a collection of field extractions, saved searches and dashboards that represent blocked sites by category or client IP, number of events per host, actions by host over time, and other security-relevant events that can be reported for adherence to corporate compliance policies. For instructions on how to configure the Cisco IronPort Web app please visit: http://answers.splunk.com/questions/3362/how-do-i-install-and-configure-the-splunk-for-ironport-web-app-on-splunkbase
This distribution periodically calls a weather web service with a list of cities as input and writes the output to Splunk's indexer. The code uses the Apache Axis client library to call the web service as a scripted input, retrieving weather reports for major cities and storing each response as an event in XML format. It is a demonstration of using web services as a scripted input. You can choose your own cities to build your time-series weather data store. The work of calling the web service for each city/country pair is done in the GatherWeather.java program. To install, unzip and untar the distribution in SPLUNK_HOME/etc/apps and read the README_WS.txt file for further configuration.
This script runs as a scripted alert in Splunk to send mail to recipients whenever the alert conditions are met. It is similar in concept to the Javamail application available on Splunkbase, but uses Python to send the message. The intent is to provide a framework to control when email should be sent. Currently, the script uses Daily, Weekday, and Weekend to control on which days the email alert is sent; with this in mind, the included Python program can be modified to also restrict the hours of the day at which email is sent. Installation: use tar zxvf to uncompress and untar the distribution and read the README.txt.
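As an added example of the scheduling gate this entry describes (not the Splunkbase script itself), the following implements the Daily/Weekday/Weekend control and the hour-of-day extension the entry suggests, then mails the notice. The schedule names come from the entry; the hour window, the SMTP host, the addresses and the argv positions in main() (the Splunk 4.x scripted-alert convention: event count in argv[1], saved search name in argv[4], gzipped results CSV in argv[8]) are assumptions to check against your Splunk version.

```python
#!/usr/bin/env python3
"""Scripted alert action: mail recipients only on permitted days and hours.

Added example, not the Splunkbase script. Schedule names follow the
entry; hour window, SMTP settings, addresses and argv layout are assumed.
"""
import datetime
import gzip
import itertools
import smtplib
import sys
from email.message import EmailMessage

SCHEDULES = {
    "Daily": range(0, 7),    # Monday=0 ... Sunday=6
    "Weekday": range(0, 5),
    "Weekend": (5, 6),
}

SENDER = "splunk-alerts@example.com"    # assumed
RECIPIENTS = ["soc@example.com"]        # assumed
SMTP_HOST, SMTP_PORT = "localhost", 25  # assumed


def should_send(schedule, when, hours=None):
    """Gate by day-of-week schedule and an optional [start, end) hour window.

    `when` is a datetime or an ISO-8601 string. An unknown schedule raises
    rather than silently passing, so a typo in the config cannot mute alerts.
    """
    if isinstance(when, str):
        when = datetime.datetime.fromisoformat(when)
    if schedule not in SCHEDULES:
        raise ValueError(f"unknown schedule: {schedule!r}")
    if when.weekday() not in SCHEDULES[schedule]:
        return False
    if hours is not None:
        start, end = hours
        return start <= when.hour < end
    return True


def read_result_preview(path, limit=10):
    """First lines of Splunk's gzipped results CSV; a missing file just means no preview."""
    try:
        with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
            return [line.rstrip("\n") for line in itertools.islice(fh, limit)]
    except OSError:
        return []


def build_message(alert_name, event_count, sample_rows, sender=SENDER, recipients=RECIPIENTS):
    """Plain-text notice with a capped preview so a noisy alert stays readable."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = f"Splunk alert: {alert_name} ({event_count} events)"
    body = [f"Saved search '{alert_name}' fired with {event_count} matching events.", ""]
    body.extend(sample_rows[:10])
    msg.set_content("\n".join(body))
    return msg


def main(argv, now=None, schedule="Weekday", hours=(8, 18)):
    """Return True if a mail was sent, False if the schedule suppressed it."""
    now = now or datetime.datetime.now()
    if not should_send(schedule, now, hours):
        return False
    event_count = argv[1] if len(argv) > 1 else "?"
    alert_name = argv[4] if len(argv) > 4 else "unnamed"
    preview = read_result_preview(argv[8]) if len(argv) > 8 else []
    msg = build_message(alert_name, event_count, preview)
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=10) as smtp:
        smtp.send_message(msg)
    return True


if __name__ == "__main__":
    main(sys.argv)
```

Splunk runs alert scripts from the app's bin directory with the service account's privileges, so keep the file owned by that account and not world-writable; anything that can edit it can run code every time the alert fires.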
This package contains parsing logic, saved searches, and dashboards for monitoring the OSSEC Host-based Intrusion Detection System via Splunk. Please read the Installation section - the app WILL NOT WORK without configuration.
Security Device Event Exchange (SDEE) is a standard proposed by ICSA that specifies the format of messages and the protocol used to communicate events generated by security devices. This protocol is used in the Cisco IPS Sensor 5.0 software to replace Remote Data Exchange Protocol (RDEP), which is used by earlier versions of the Cisco IDS Sensor software. The IPS data format is XML; Splunk for SDEE translates and maps the data into key-value pairs. Configuration instructions and comments can also be found here: http://answers.splunk.com/questions/3364/how-do-i-install-the-cisco-ips-add-on