Fields Apps
Splunkbase is home to the apps and add-ons that run on top of Splunk. Browse the latest apps below, or share your own with the rest of the Splunk community. To learn more about Splunk and download a free Enterprise Trial of our software, visit Splunk.com.
Want to custom-define fields in your events?
Field apps let you download field definitions to install in your Splunk server, or share fields you made yourself! Even better, an app can have more than one type of content, so you can add fields to any app.
Splunk for Cisco Security
Splunk for Cisco is an application that provides a consolidated view of specific Cisco product events. The apps and their saved searches and dashboards, can be used separately or can be used together to provide a unique-to-Splunk single-pane-of-glass for host, network, and email security events.Cisco applications covered are: - Cisco CSA - Cisco Email Security Appliance (formerly Ironport) - Cisco Web Security Appliance (formerly Ironport) - Cisco ASA (firewall and IPS logs) This combination of log data provides: - A correlated view of infected hosts with data loss information from WSA/ESA - The ability to follow the connection between related data acrossdifferent hosts - The ability to trace threats in real time utilizing reputation from Cisco Global Correlation IPS events
Splunk for UNIX (Splunk 3 Compatible)
The Splunk for UNIX application is a compilation of a dashboard, saved searches, eventtypes, and field extractions that work for various flavors of UNIX. In addition, the application also ships with a set of scripted inputs that can be used to monitor UNIX machines. Inputs like top, ps, vmstat, iptables, and netstat, are supported.
Splunk reverse DNS lookup for fields
Replaces IP addresses in specified fields with the results of a DNS lookup of the field contents. Pipe results to the "nsresolve" command, specifying the fields to replace, e.g. index=sampledata src=* | head 10 | nsresolve src ip
Geo Location Lookup Script
Splunk for Use with MAXMIND is an application that provides geo_ip information on any public IP in your Splunk DB in a scalable fashion. The GeoIPCityLite DB is apart of the app so no internet connection is required and lookups are performed locally on your search head. The use is simple, pipe any search to ' lookup geoip clientip as <some_ip_field> ' If you do not have an IP field in your data you can use the rex command to extract one and perform a lookup Example Searches: eventtype=firewall_event | lookup geoip clientip as src_ip sourcetype=syslog | rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)" | lookup geoip clientip as ip This product includes GeoLite data created by: MaxMind available from: http://www.maxmind.com/
Splunk for OSSEC
Field extraction for OSSEC HIDS(http://www.ossec.net)
Splunk for Change Management
Splunk for Change Management provides predefined reports and dashboards to facilitate change auditing, change detection, change reporting, change validation and incident response based on change events, change tickets and configuration files.
Splunk for Unix and Linux
Splunk for *nix provides pre-built data inputs, searches, reports, alerts and dashboards for Linux and Unix management. Now you can monitor, manage and troubleshoot *nix operating systems from one place with Splunk for *nix. Included are a set of scripted inputs for collecting CPU, disk, I/O, memory, log, configuration and user data. The app makes getting started with Splunk a breeze.
Web Page Monitor
This bundle will check a set of webpages every interval and index the result, time, size and optionally content and or crc of page(s). It's cool to do searches to see when your pages change, take long to load, or many other cool things.
Cisco Firewalls
Field extractions, sample reports and dashboards for Cisco ASA, PIX and FWSM Firewalls Configuration instructions and comments can also be found here: http://answers.splunk.com/questions/3366/how-do-i-install-the-cisco-firewall-add-on
Splunk for Windows for Splunk 3.x
Splunk for Windows application is a compilation of saved searches, eventtypes, inputs, and field extractions for Windows. The extractions are compatible with the Splunk Common Information Model. The application also contains an integration for Microsoft’s System Center Operations Manager.
Splunk for OSSEC (Splunk v4 version)
This package contains parsing logic, saved searches, and dashboards for monitoring the OSSEC Host-based Intrusion Detection System via Splunk. Please read the Installation section - the app WILL NOT WORK without configuration.
Splunk for Network Security
The Splunk Network Security application offers a set of reports, saved searches, and dashboards, as well as corresponding alerts that you can use to monitor your firewalls, intrusion detection and prevention systems, as well as operating systems.
Arkeia
Arkeia Network Backup Bundle used to index the common fields from the backup log file to make searching and reporting easier.
Splunk for CISCO PIX
Cisco PIX firewall log bundle that indexes and extracts common fields, normalizing PIX firewall logs so they are Splunk-compliant and will work with other Splunk applications.
Negative Searching Demo Bundle
This bundle, created jointly by Maverick and Stephen Sorkin, demonstrates a way to perform negative searches by indexing known patterns and catching anomalous patterns into a separate index.
IPFW Firewall
This application contains field extractions and eventtypes for IPFW firewall log files.
OpenBSD Packet Filter
This bundle contains field extractions and eventtypes for OpenBSD firewall events.
Nessus Bundle
This bundle extracts the common fields from a Nessus Vulnerability Scanner log file, such as the hostname, port, script id, and type.
Splunk for Netscreen
This app provides field extraction and event types for Netscreen firewalls. The extractions are compatible with the Splunk common information model.
Ironport field extractions
Provides file classification, date extraction, and extractions for ironport data.
Brian's valgrind bundle
aggregates and extracts information from valgrind logs
Brian's crash report log bundle
Aggregates and extracts useful information from osx crash reporter logs.
adds support for anonymizing log files at index time
anonymizes ip address as 127.0.0.1 (localhost); email addresses as user@domain.com ; social-security-numbers as 555-00-0000; password/passwd looking values as 'password' ; username/userid/login/user looking values as 'bob'.
Snort fields
Extracts snort 2.6 fields which can be used in reporting.
Nmap Scripted Input & Field Extraction
Want to put your Nmap output into Splunk? Check out this add-on, which will parse your grepable Nmap output into a scripted input and then perform some field extraction on the data.