Search Commands Apps

Splunkbase is home to the apps and add-ons that run on top of Splunk. Browse the latest apps below, or share your own with the rest of the Splunk community. To learn more about Splunk and download a free Enterprise Trial of our software, visit Splunk.com.


AfterGlow for Splunk 3.x

This search processor enables the generation of link graphs through Splunk. Make sure you follow the instructions in the README (once installed, located in etc/apps/afterglow) to configure the application!

Type: Security Applications | Splunk Version: 3.x | Author: raffy

Geo Location Lookup Script

Splunk for Use with MAXMIND is an application that provides GeoIP information for any public IP address in your Splunk data in a scalable fashion. The GeoIPCityLite database is a part of the app, so no internet connection is required and lookups are performed locally on your search head. Usage is simple: pipe any search to ' lookup geoip clientip as <some_ip_field> '. If you do not have an IP field in your data, you can use the rex command to extract one and then perform the lookup.

Example searches:

eventtype=firewall_event | lookup geoip clientip as src_ip

sourcetype=syslog | rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+)" | lookup geoip clientip as ip

This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/

Type: Add-On | Splunk Version: 4.x | Author: will

Reverse Name Resolution Search Script (DNS)

This search script (nslookup.py) will perform reverse name lookup on every IP from an event at search time.

Type: Domain Name Service [DNS] | Splunk Version: 3.x | Author: rataide

Splunk reverse DNS lookup for fields

Replaces IP addresses in specified fields with the results of a DNS lookup of the field contents. Pipe results to the "nsresolve" command, specifying the fields to replace, e.g. index=sampledata src=* | head 10 | nsresolve src ip

Type: None | Splunk Version: 3.x | Author: gkanapathy

getdevicetype

This search command will parse a CSV file exported by network or systems device management software and match the hostnames/IP addresses in the file to host field values in your Splunk search, returning the new field devicetype for every match. The CSV location is specified at the top of the script, and if you wish you can also alter the field matching to something other than "host" by changing the field variable in the script. The CSV must be in the format "device_name,device_type".

For example:

login | getdevicetype | where devicetype="cisco6500"

returns only logins on cisco6500 devices;

login | getdevicetype

displays devicetype as a field below each event, filterable and clickable like host and hosttag; and

login | getdevicetype | top devicetype

reports the number of events by devicetype.

Type: Networking | Splunk Version: 3.x | Author: araitz

Perfgraph

A Splunk performance visualization search processor. See my blog post at http://dev.splunk.com/2007/10/11/diagraming-splunk%e2%80%99s-data-flow-part-2-performance-overlays/ for more information.

Type: Splunk | Splunk Version: 3.x | Author: rdas

Perl PDF Report Creator "Search Command"

Create customizable PDF reports using this Perl script, which includes the Intersplunk.pm module written by Andrew Hoying. Some knowledge of Perl is required to install the Perl PDF modules available via CPAN.

Type: Splunk | Splunk Version: 3.x | Author: aspina

Splunk for Citrix XenServer Management

This Splunk application manages Citrix XenServers. It includes inputs, indexing, searches, reports, dashboards and field actions.

Type: Citrix virtualization | Splunk Version: 3.x | Author: Splunk

Syslog Priority Decoder

This search script converts a syslog priority value into the corresponding severity and facility.

Type: Network Security | Splunk Version: 3.x | Author: kbains

Transaction eventbreaker

When doing a CLI search for transactions, it can be hard to know the start and end points of the events. This script adds line breaks (with timestamps) between the events.

Type: Operations | Splunk Version: 3.x | Author: kbains

Information Adder

This search script will add additional information from a CSV file to your events.

Changelog: v1.2 - Now includes basic error checking and additional fixes for malformed CSV files.

Type: Analytics | Splunk Version: 3.x | Author: rataide

Splunk for Zope

Identify and analyze log files from the Zope web application server.

Type: Web Application Servers | Splunk Version: 3.x | Author: stonor

Multrex

Multirex allows the extraction of multivalued fields in events where a given key may occur one or more times with one or more values.

Type: Splunk | Splunk Version: 3.x | Author: araitz

NetTool

NetTool is a search processor that will filter search results to only show events that match a given CIDR block or IP address range.

Type: Networking | Splunk Version: 3.x | Author: araitz

Intersplunk for Perl

A Perl version of the Python Intersplunk module that ships with Splunk.

Type: Splunk | Splunk Version: 3.x | Author: araitz

hexdec

Convert hex values to base10 decimal values OR base10 decimal values to hex values.

Type: Splunk | Splunk Version: 3.x | Author: araitz

Sendemail (Custom)

This custom sendemail allows email attributes (e.g. to, from, body, subject) on a per-alert basis.

Type: Splunk | Splunk Version: 3.x | Author: araitz

IP2Location - GeoIP Lookups

Provides IP-to-location lookup support via a free GeoIP API. Please see the README for the non-trivial installation instructions.

Latest changes (see CHANGELOG for full details):

* Enhancement: Added a switch ["-nodns"|"nodns"] to disable name resolution. Usage: ....| geoip -nodns dest_ip
* Enhancement: Now only real RFC 1918 IPs will have the city populated with "RFC/1918"; other IPs with no resolution revert to "Unknown".

Type: Network Security | Splunk Version: 3.x | Author: rataide

Nagios 3.0.6

Integration for Nagios 3.0.6.

Type: None | Splunk Version: 3.x | Author: ymiranda

Splunk for MySQL

A collection of Splunk scripted inputs, eventtypes, and reports for MySQL monitoring and diagnostics.

Type: None | Splunk Version: 3.x | Author: BobFox

Splunk for Double-Take

Splunk for Double-Take, a collaborative platform, brings higher system availability, lower cost of maintaining availability, and simplified monitoring of business critical Microsoft Exchange and SQL Server environments. By adding the power of Splunk IT Search into the Double-Take offering, users can tap into the capabilities of real-time search, alerting, reporting and analysis, to aggressively and proactively ensure successful failover conditions through a broader view of their environment.

Type: MS Exchange | Splunk Version: 3.x | Author: kordless

Search

Search is the Splunk interface for searching and analyzing IT data. It allows you to index data into Splunk, add knowledge, build reports, and create alerts. Splunk 4.0 includes a brand new search and reporting interface, and pre-built useful dashboards for monitoring your Splunk installation. The Search App can be used across many areas of IT including infrastructure management, application management, security and compliance.

Type: App | Splunk Version: 4.x | Author: Splunk

Example lookup using a Database

This is an example of using the Splunk lookup search command to correlate a field within Splunk with external field(s) that are in a database. The example is in the bin directory and is called countrylookup.py. After extracting the distribution (tar zxvf dblookup.spl), read the README.txt for usage instructions. The purpose of this example is to show how Splunk can be used to correlate events with fields that reside in an external database.

Type: Add-On | Splunk Version: 4.x | Author: ndoshi

Encrypt and Decrypt data within Events

The purpose of this distribution is to create an easy way to encrypt data within events and decrypt it at search time depending on the user's role. The distribution uses pyDes, available at http://twhiteman.netfirms.com/des.html. The basic idea is to first encrypt data within an event and produce a new file with the same content as before, but with the data matching group(1) of a regular expression encrypted and saved to disk base64-encoded. The next step is to index the newly created file into Splunk with a sourcetype. At search time, you will then be able to decrypt the data within the event, based on whether your role is allowed to run the supplied decrypt command. Read the README.txt for installation and usage.

Type: Add-On | Splunk Version: 3.x-4.x | Author: ndoshi

delimitedfields

This command will allow you to create multiple log messages from a single message that has related, dynamic field names, like: foo_abc=1 foo_xyz=2

Type: None | Splunk Version: 4.x | Author: vbumgarn

What are Apps and Add-ons?

Apps give you insight into your IT systems with dashboards, reports, data inputs and saved searches that work in your environment from the moment they install. Save time and money with free plug-and-play solutions built by Splunk, our partners and users.

Add-ons let you tackle specific data problems directly. Built by Splunk partners and power users from the Splunk community, add-ons are smaller, reusable components that can change the look and feel of Splunk, add data sources or share information between users.

How Do I Get Them?

You can browse and install apps from the menu at left or through the App Launcher within your Splunk installation. Visit the Administration Manual to learn more about installing apps or add-ons.

Most Splunk apps and add-ons are completely free and work with both the Free and Enterprise versions of Splunk 4.x. If you're looking for apps for older versions of Splunk, visit the Splunkbase Archive.

Build Your Own

The Splunk developer framework makes it easy to turn your Splunk work into custom apps and add-ons. Read the Developer Manual to find out how.

Come back to Splunkbase when you're ready to show your app to the world and visit the Share page to upload your app to the Splunk community.