Custom Processing Apps

Splunkbase is home to the apps and add-ons that run on top of Splunk. Browse the latest apps below, or share your own with the rest of the Splunk community. To learn more about Splunk and download a free Enterprise Trial of our software, visit Splunk.com.

Want to tweak the way Splunk indexes particular types of data?

Custom Processor apps allow you to change how Splunk handles particular data sources. Create your own, or download scripts created by other members of the Splunk community! Even better, since apps can have more than one type of content, you can include other features as well!

Splunk for use with amMap Flash Maps

This app uses the amMap geo mapping capabilities to create flash maps of activity by IP in your Splunk index.

Type: Add-On | Splunk Version: 4.x | Author: will

Splunk for VMware ESX Management

Splunk indexes all IT data across every tier - the physical servers, hypervisor, VMs, and deployed applications, capturing and persisting 100% of your data in real-time. It includes inputs, indexing, searches, reports and dashboards.

Type: VMWare ESX Server | Splunk Version: 3.x | Author: erik

Script for database inputs

This script is designed to be used as a scripted input for data contained in database tables. Please refer to the Splunk Admin guide for more information on configuring scripted inputs. The script has been successfully used in a number of deployments, and should work with Oracle, MySQL, and Sybase databases as-is. Other database types can be added by installing the appropriate Perl DBD module and editing the script to configure it for the new dbtype. In this version, all of the SQL code has been abstracted out of the script, and all parameters, including the query, are passed as command-line arguments to the script.

Type: Operations | Splunk Version: 3.x | Author: rcarney

feorlen_twitter_alert

Example of using a 3rd party REST endpoint with a Splunk custom processor. Post a message to Twitter for sourcetype::access_common events containing the string "wikipedia" and add status info to the event so it gets indexed. Includes C++ source and osx-i386 binary.

Type: Web | Splunk Version: 3.x | Author: andrea

Ironport field extractions

Provides file classification, date extraction, and extractions for ironport data.

Type: Ironport | Splunk Version: 3.x | Author: ssorkin

adds support for anonymizing log files at index time

Anonymizes IP addresses as 127.0.0.1 (localhost); email addresses as user@domain.com; social security numbers as 555-00-0000; password/passwd-looking values as 'password'; username/userid/login/user-looking values as 'bob'.

Type: Access and Identity Management | Splunk Version: 3.x | Author: carasso

Enable SSL in Splunk

A quick and simple add-on that enables SSL for your pre-3.2 Splunk server and Web interface.

Type: SSL/TLS | Splunk Version: 3.x | Author: deeann

EMC Smarts archive log

Line merging rule for EMC Smarts archive log

Type: None | Splunk Version: 3.x | Author: will

Sancp/Sguil Add-on

This bundle indexes sancp logs when sancp is patched with the sguil output patch, extracts the fields, then sends to a processor which converts the decimal IP addresses to dotted format.

Type: Network Security | Splunk Version: 3.x | Author: araitz

Splunk Parse

Splunk Parse (splunk_parse.py) is a Python script you can set as your alert action on a saved search. It reads in the fields a saved search passes along and parses the corresponding saved search log file, which is in CSV format. The parsing spits out the originating host and the full original problem. In this version it's fed to my ticketing system, but the output action can be easily changed.

Type: Python | Splunk Version: 3.x | Author: shaggy

Splunk Alert

Command line utility to more easily search the Splunk database, log specific errors and execute commands on a match. Comes with several predefined searches for Cisco networking, and is easily extended.

Options:
-s search          Predefined search to run, use 'list' for options
-cs string         Custom search string passed in with quotes
-l file            Log results to file, appends by default
-e email_addr      Email addresses, comma separated
-x command         Execute a command on a match
-t time_restrict   Suppress email alerts by time of day, use 'list' for options
-d days            Search over this many days in the past (default: 1)
-m minutes         Search over this many minutes in the past
-c maxnum          Max number of results (default: 100)
-r                 Reverse results (newest to oldest)
-w                 Raw results, do not strip off timestamps
-q                 Quiet output, suppress errors
-v                 Verbose output

Type: Network Management | Splunk Version: 3.x | Author: yantisj

Splunk Replay

Inspired by glTail.rb and Digg Lab's Stack, Splunk Replay is a Flash-based data visualization tool which "replays" your Splunk'd logfile activities in an animated layout. Replay generates animated bar chart graphs using two extracted fields from the events it receives from Splunk. For example, if you have Splunk eat wiki data, you can plot the wiki user and the wiki page they are editing, and then animate those relationships over a given time range. Event particles are emitted from rows on the y-axis and stack up in columns on the x-axis. When a new row value is created, a random color is assigned to it for the duration of the session. These colors are then used in stacked bars to illustrate the amount of activity for a given row value. Older values on both axes are cycled out if more room is needed for newer data. More information, and instructions for installing Replay, can be found on the developer's wiki: http://code.google.com/p/splunk-flash/wiki/SplunkReplay

Type: Splunk | Splunk Version: 3.x | Author: Splunk

Consuming Splunk RSS Feeds in Java

This application demonstrates how to consume an RSS alert feed in Java from any saved search in Splunk. It uses Sun's RSS parser (included) to gather the feed and breaks up the fields into a Java Bean. Since the Splunk RSS alert presents meta information about a saved search, the Link included in the RSS entry is then used within the same command line application to retrieve each entry from the saved search using the Splunk-provided Java SDK. It is hoped that this code will be used to better serve the Splunk Java community as:
- A method to consume RSS feeds from Splunk with Java
- A way to use the feed's link to gather all entries from a saved search
- A foundation to pass search entries to higher level Java applications

Type: None | Splunk Version: 3.x | Author: nimishd

Sendemail (Custom)

This custom sendemail allows email attributes (e.g. to, from, body, subject) on a per-alert basis.

Type: Splunk | Splunk Version: 3.x | Author: araitz

Log POST or GET Request Parameters

This application consists of a servlet that captures the POST and/or GET parameters for any HTTP request and sends to standard output a set of <tag>=<value> terms, seen as an event in Splunk. Because tag=value are the terms in the events, automatic field extraction for search and reports will occur for these terms. The purpose of this boilerplate Java Servlet is to serve as a parameter collector for HTTP POST and GET requests that can be customized for deployment. The servlet developed here was tested on Apache Tomcat 6.x, although it should work in any servlet container. To further solidify its usage, the user may want to investigate using log4j as the framework for log collection. In the Tomcat implementation, the output is captured in a configurable rotated log file to be monitored by Splunk. *** OPTIONAL *** This version also includes a servlet that uses the log4j framework. tar -zxvf the distribution and read the README for installation notes.

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

Use Python Mail for Scripted Alerts

This script runs as a scripted alert in Splunk to send mail to recipients whenever the alert conditions are met. It is similar in concept to the Javamail application available on Splunkbase. It uses Python to send the message. The intent is to provide a framework to control when email should be sent. Currently, the script uses Daily, Weekday, and Weekend to control on what days the email alert should be sent. With this in mind, the included Python program can be modified to also include what hours of the day email should be sent. Installation: Use tar zxvf to uncompress and untar the distribution and read the README.txt.

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

Splunk Enterprise Security Suite

Splunk Enterprise Security Suite (ESS) brings the power of Splunk to security information and event management (SIEM). Compliance reporting, incident investigation, log management, security posture monitoring and event correlation are now easy to deploy, scale and maintain with Splunk's universal data collection, ad-hoc search, real time alerting and large scale reporting. ESS includes six security domains: Security Posture, Access Control Protection, Endpoint Protection, Network Protection, Incident Response and Audit/Data Protection. ESS uses the Splunk Common Information Model (SCIM) to integrate with other Splunk Solution Suites and external systems like service and help desks. And all of this is backed by Splunk Professional Services delivery. If you've hit the wall with your existing SIEM or are just getting started looking for an enterprise security solution, contact us and we'll show you how Splunk Enterprise Security Suite just works better.

Type: Suite | Splunk Version: 4.x | Author: Splunk

Splunk PCI Compliance Suite

Splunk PCI Compliance Suite covers all twelve PCI DSS requirements and all 228 sub-requirements, including live controls monitoring, process workflow, checklists and reporting. Get a broader and deeper view of your compliance posture with Splunk's universal indexing to handle any data source, including complex application logs and configurations. Collect and retain all your log and configuration data even if your PCI domains are generating terabytes every day. Efficient workflows for audit-trail review and built-in change monitoring eliminate the need for additional technologies and point product purchases to pass your PCI DSS audit. Eliminate unnecessary developer and IT access to production systems, keeping PCI DSS exceptions to a minimum. PCI uses the Splunk Common Information Model (SCIM) to integrate with other Splunk Solution Suites and external systems. And it is backed by Splunk Professional Services delivery. Contact us and we'll show you how Splunk PCI Compliance Suite just works better.

Type: Suite | Splunk Version: 4.x | Author: Splunk

Example lookup using a Database

This is an example of using the Splunk lookup search command to correlate a field that is within Splunk with external field(s) that are in a database. The example is in the bin directory and is called countrylookup.py. After gunzip and tar extracting (tar zxvf dblookup.spl) the distribution, read the README.txt for instructions on usage. The purpose of this example is to show how Splunk can be used to correlate events with fields that reside in an external database.

Type: Add-On | Splunk Version: 4.x | Author: ndoshi

Encrypt and Decrypt data within Events

The purpose of this distribution is to create an easy way to encrypt data within events and decrypt that data at search time depending on the role. The distribution uses pyDes, available at http://twhiteman.netfirms.com/des.html. The basic idea is to first encrypt data within an event and produce a new file with the same content as before, but with the data matching group(1) in a regular expression encrypted and saved on disk using base64. The next thing to do is index the newly required file into Splunk with a sourcetype. At search time, you will then be able to decrypt the data within the event based on your role's ability to run the supplied decrypt command. Read the README.txt for installation and usage.

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

JMS Receiver for Indexing

This distribution is a working example for indexing messages that are sent to JMS Queues. Although the example relies heavily on WebLogic Server 10.3, it could be modified to work with any JMS provider. Messages are delivered to a JMS Queue and Splunk is configured to run a scripted input once to call a JMS Queue consumer. Every message the consumer receives will be sent to standard output to be indexed. Although the distribution has been built on Windows, it should be able to run on any platform supported by Splunk and the JMS provider. To begin with, gunzip and untar the distribution into SPLUNK_HOME\etc\apps and follow the instructions in the README.txt.

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

SplunkAIM

Integration code between an AIM (AOL Instant Messaging) chatbot and Splunk 4.X, which allows ad hoc searching, saved searches, and real-time alerting via instant messaging. You can set up real-time searches and, whenever a new matching event comes into Splunk, you can be IM'd with the matching event. You could ask to be IM'd, for example, whenever someone logs in, whenever there's an error, whenever someone logs in as root, etc.

Type: Splunk | Splunk Version: 4.x | Author: carasso

split

This is a command that will split an event into multiple events based on a regular expression.

Type: Add-On | Splunk Version: 4.x | Author: vbumgarn

Monitor Radio Stations

Turn SplunkWeb into a gateway for audio entertainment. This app indexes lists of songs currently being played by radio stations. It employs the Creative Commons-licensed REST API served by http://api.yes.com to gather information by radio station call letters. To install, gunzip/untar (tar zxvf) the distribution into $SPLUNK_HOME/etc/apps and read the README.txt. You can monitor your own radio stations. The app comes with 2 dashboards, 8 reports, and 3 drop-down form searches. It has workflow actions that can be used to search for a song, artist, or lyrics, and also to see if the radio station has a site to listen to it live online. This release also has a dashboard panel to play your own list of Internet radio stations within the panel. Enjoy. Disclaimer: This app should be used for informational purposes and is delivered as is. The use or misuse of the app is not the responsibility of Splunk or the author.

Type: App | Splunk Version: 4.1 or later | Author: ndoshi

Splunk World Cup App

'Splunk the World Cup' takes in a feed of all Twitter mentions of "#worldcup" and parses the mentions of each national team, creating a nice chart for your viewing pleasure. To see the original version, go to http://splunkd.com/worldcup/ and watch the results change with each match played.

Type: App | Splunk Version: 4.x | Author: johnmark

What are Apps and Add-ons?

Apps give you insight into your IT systems with dashboards, reports, data inputs and saved searches that work in your environment from the moment they install. Save time and money with free plug-and-play solutions built by Splunk, our partners and users.

Add-ons let you tackle specific data problems directly. Built by Splunk partners and power users from the Splunk community, add-ons are smaller, reusable components that can change the look and feel of Splunk, add data sources or share information between users.

How Do I Get Them?

You can browse and install apps from the menu at left or through the App Launcher within your Splunk installation. Visit the Administration Manual to learn more about installing apps or add-ons.

Most Splunk apps and add-ons are completely free and work with both the Free and Enterprise versions of Splunk 4.x. If you're looking for apps for older versions of Splunk, visit the Splunkbase Archive.

Build Your Own

The Splunk developer framework makes it easy to turn your Splunk work into custom apps and add-ons. Read the Developer Manual to find out how.

Come back to Splunkbase when you're ready to show your app to the world and visit the Share page to upload your app to the Splunk community.