
Splunkbase is home to the apps and add-ons that run on top of Splunk. Browse the latest apps below, or share your own with the rest of the Splunk community. To learn more about Splunk and download a free Enterprise Trial of our software, visit Splunk.com.

Want to share searches?

Search apps allow you to download Splunk searches other people have created, or to share ones you've made! Even cooler, an app can have more than one type of content, so you can add searches to any app.


Splunk for OSSEC (Splunk v4 version)

This package contains parsing logic, saved searches, and dashboards for monitoring the OSSEC Host-based Intrusion Detection System via Splunk. Please read the Installation section - the app WILL NOT WORK without configuration.

Type: App | Splunk Version: 4.1 or later | Author: southeringtonp

PCI App - Creative Commons Version

The PCI application is a collection of modular sub-applications designed to meet the needs of a CISO dealing with a PCI auditor.

Type: App | Splunk Version: 4.x | Author: binaryarp

Splunk for Snort (Splunk 4.x)

Splunk for Snort provides field extractions for Snort alert logs (fast and full) as well as dashboards, saved searches, event types, tags and event search interfaces.

Type: App | Splunk Version: 4.x | Author: patrik

Web Analytics

Splunk your web server and apps - get all the info on referrers, page hits, and visits from your logs, then turn on the Splunk analytics engine for rich data from your web servers.

Type: None | Splunk Version: 4.x | Author: johnmark

Search

Search is the Splunk interface for searching and analyzing IT data. It allows you to index data into Splunk, add knowledge, build reports, and create alerts. Splunk 4.0 includes a brand new search and reporting interface, and pre-built useful dashboards for monitoring your Splunk installation. The Search App can be used across many areas of IT including infrastructure management, application management, security and compliance.

Type: App | Splunk Version: 4.x | Author: Splunk

Splunk for Unix and Linux

Splunk for *nix provides pre-built data inputs, searches, reports, alerts and dashboards for Linux and Unix management. Now you can monitor, manage and troubleshoot *nix operating systems from one place with Splunk for *nix. Included are a set of scripted inputs for collecting CPU, disk, I/O, memory, log, configuration and user data. The app makes getting started with Splunk a breeze.

Type: App | Splunk Version: 4.x | Author: Splunk

Splunk for Windows

Splunk for Windows provides pre-built data inputs, searches, reports, alerts, and dashboards for Windows server and desktop management. You can monitor, manage, and troubleshoot Windows operating systems from one place. Included are scripted inputs for CPU, disk, I/O, memory, log, configuration, and user data, plus a web-based setup UI for indexing Windows Event Logs. The app makes getting started with Splunk a breeze.

Type: App | Splunk Version: 4.x | Author: Splunk

Splunk for Nagios

Splunk for Nagios allows you to integrate the open source monitoring solution Nagios with Splunk. Now you can search Nagios alerts and notifications and trend problems over time. The app also allows you to schedule saved searches in Splunk that send alerts to Nagios. Over 40 field extractions are included, as well as 6 saved searches and an advanced dashboard featuring recent Warning and Critical alerts.

Type: Add-On | Splunk Version: 4.x | Author: lukeh

Cisco IronPort E-mail Security Add On

Field extractions, dashboards and a form search for the Cisco IronPort E-mail Security Appliance. Configuration instructions and comments can also be found here: http://answers.splunk.com/questions/3360/how-do-i-install-the-cisco-ironport-e-mail-add-on

Type: Add-On | Splunk Version: 4.x | Author: will

Cisco Firewalls

Field extractions, sample reports and dashboards for Cisco ASA, PIX and FWSM firewalls. Configuration instructions and comments can also be found here: http://answers.splunk.com/questions/3366/how-do-i-install-the-cisco-firewall-add-on

Type: Add-On | Splunk Version: 4.x | Author: will

Cisco MARS Archive Add-on

Props file for handling MARS raw messages. Reports and a dashboard are included for XML-formatted IPS archives.

Type: Add-On | Splunk Version: 4.x | Author: will

Cisco IronPort Web Security Application

Splunk for IronPort Web Security (WSA) is a collection of field extractions, saved searches and dashboards that represent blocked sites by category or client IP, number of events per host, actions by host over time, and other security-relevant events that can be reported for adherence to corporate compliance policies. For instructions on how to configure the Cisco IronPort Web app please visit: http://answers.splunk.com/questions/3362/how-do-i-install-and-configure-the-splunk-for-ironport-web-app-on-splunkbase

Type: App | Splunk Version: 4.x | Author: will

Splunk for Cisco Security

Splunk for Cisco is an application that provides a consolidated view of specific Cisco product events. The apps, with their saved searches and dashboards, can be used separately or together to provide a unique-to-Splunk single pane of glass for host, network, and email security events. Cisco applications covered are:
- Cisco CSA
- Cisco Email Security Appliance (formerly IronPort)
- Cisco Web Security Appliance (formerly IronPort)
- Cisco ASA (firewall and IPS logs)
This combination of log data provides:
- A correlated view of infected hosts with data loss information from WSA/ESA
- The ability to follow the connection between related data across different hosts
- The ability to trace threats in real time utilizing reputation from Cisco Global Correlation IPS events

Type: App | Splunk Version: 4.1 or later | Author: will

Global Threat Landscape/IP Watch list V2

NOTE: You MUST install (gunzip/untar into $SPLUNK_HOME/etc/apps) the amMap and MAXMIND add-ons from Splunkbase.com before installing this app. This app indexes a list of possible bad IP addresses and domain names that have appeared on a daily IP watch list. A default dashboard has been provided to geolocate the addresses by country and city. Further instructions are in the README.txt. To run this on Windows, you will have to turn the scripted input shell script into a bat file and use curl.

Type: App | Splunk Version: 4.x | Author: ndoshi

Splunk License Usage

This app provides a new dashboard with several widgets whose queries help you determine your total Splunk license usage over the past 24 hours as well as usage by host, source, and sourcetype. It contains timecharts to help you understand usage over time and spot usage spikes, as well as pie charts to help you figure out which log files, sourcetypes, and hosts Splunk is indexing the most data from.

Type: App | Splunk Version: 4.x | Author: joshs

Splunk for Blue Coat

Splunk for Blue Coat provides search, alerting and reporting for large-scale Blue Coat environments. Pre-defined searches, reports and dashboards for Traffic Analysis, Bandwidth Reporting, Security Investigations and User Behavior, combined with the power of Splunk search, give you the visibility and intelligence you need. If you use Blue Coat for Secure Web Gateway, WAN Optimization or Application Performance Monitoring, you'll find Splunk for Blue Coat indispensable.

Type: App | Splunk Version: 4.x | Author: splunk-bluecoat

SplunkAIM

Integration code between an AIM (AOL Instant Messaging) chatbot and Splunk 4.x, which allows ad hoc searching, saved searches, and real-time alerting via instant messaging. You can set up real-time searches, and whenever a new matching event comes into Splunk you can be IM'd with the matching event. You could ask to be IM'd, for example, whenever someone logs in, whenever there's an error, whenever someone logs in as root, etc.

Type: Splunk | Splunk Version: 4.x | Author: carasso

Splunk for F5

Splunk and F5 are working together to provide real time reporting and intelligence for the ASM and PSM product lines. You rely on F5 Networks solutions like BigIP Global Traffic Manager, Local Traffic Manager, ASM, Firepass, WANOPT and ARX to keep your mission critical applications running and achieve IT agility. Your way. Now you can rely on Splunk for F5 to search, alert, report and make decisions in real time. Pre-defined searches, reports and dashboards make it quick to get started and with the power of Splunk you can customize Splunk for F5 to meet the specific needs of your agile IT environment. **Please note the current application includes support for ASM and PSM products only**

Type: App | Splunk Version: 4.x | Author: splunk-f5

UI Examples

This app is a collection of example views created by Nick, Nate and other members of the UI development team here at Splunk. Download this app to follow along at home with the examples described in the Developer manual.

Type: Add-On | Splunk Version: 4.x | Author: emma

Splunk for IMAP

This application continually downloads mail from an IMAP account and indexes it on a Splunk server. You can do cool things like see how often you get mail from someone, or graph by size, time, etc.

Type: App | Splunk Version: 3.x-4.x | Author: erik

Sharepoint MOSS 2007

This application provides a source type for Microsoft Office Sharepoint Services 2007 logs.

Type: Business Applications | Splunk Version: 3.x | Author: ameyers

Splunk Enterprise Security Suite

Splunk Enterprise Security Suite (ESS) brings the power of Splunk to security information and event management (SIEM). Compliance reporting, incident investigation, log management, security posture monitoring and event correlation are now easy to deploy, scale and maintain with Splunk's universal data collection, ad-hoc search, real-time alerting and large-scale reporting. ESS includes six security domains: Security Posture, Access Control Protection, Endpoint Protection, Network Protection, Incident Response and Audit/Data Protection. ESS uses the Splunk Common Information Model (SCIM) to integrate with other Splunk Solution Suites and external systems like service and help desks. And all of this is backed by Splunk Professional Services delivery. If you've hit the wall with your existing SIEM or are just getting started looking for an enterprise security solution, contact us and we'll show you how Splunk Enterprise Security Suite just works better.

Type: Suite | Splunk Version: 4.x | Author: Splunk

Splunk PCI Compliance Suite

Splunk PCI Compliance Suite covers all twelve PCI DSS requirements and all 228 sub-requirements, including live controls monitoring, process workflow, checklists and reporting. Get a broader and deeper view of your compliance posture with Splunk's universal indexing to handle any data source, including complex application logs and configurations. Collect and retain all your log and configuration data even if your PCI domains are generating terabytes every day. Efficient workflows for audit-trail review and built-in change monitoring eliminate the need for additional technologies and point product purchases to pass your PCI DSS audit. Eliminate unnecessary developer and IT access to production systems, keeping PCI DSS exceptions to a minimum. PCI uses the Splunk Common Information Model (SCIM) to integrate with other Splunk Solution Suites and external systems. And it is backed by Splunk Professional Services delivery. Contact us and we'll show you how Splunk PCI Compliance Suite just works better.

Type: Suite | Splunk Version: 4.x | Author: Splunk

Splunk for Double-Take

Splunk for Double-Take, a collaborative platform, brings higher system availability, lower cost of maintaining availability, and simplified monitoring of business critical Microsoft Exchange and SQL Server environments. By adding the power of Splunk IT Search into the Double-Take offering, users can tap into the capabilities of real-time search, alerting, reporting and analysis, to aggressively and proactively ensure successful failover conditions through a broader view of their environment.

Type: MS Exchange | Splunk Version: 3.x | Author: kordless

Splunk for PCI for Splunk 3.x

The Splunk PCI application offers over 57 reports, more than 91 saved searches, a dashboard, and corresponding alerts you can use to satisfy PCI requirements such as secure remote access, file integrity monitoring, secure log collection, daily log review, audit trail retention, and PCI control reporting.

Type: PCI | Splunk Version: 3.x | Author: Splunk

What are Apps and Add-ons?

Apps give you insight into your IT systems with dashboards, reports, data inputs and saved searches that work in your environment from the moment they install. Save time and money with free plug-and-play solutions built by Splunk, our partners and users.

Add-ons let you tackle specific data problems directly. Built by Splunk partners and power users from the Splunk community, add-ons are smaller, reusable components that can change the look and feel of Splunk, add data sources or share information between users.

How Do I Get Them?

You can browse and install apps from the menu at left or through the App Launcher within your Splunk installation. Visit the Administration Manual to learn more about installing apps or add-ons.

Most Splunk apps and add-ons are completely free and work with both the Free and Enterprise versions of Splunk 4.x. If you're looking for apps for older versions of Splunk, visit the Splunkbase Archive.

Build Your Own

The Splunk developer framework makes it easy to turn your Splunk work into custom apps and add-ons. Read the Developer Manual to find out how.

Come back to Splunkbase when you're ready to show your app to the world and visit the Share page to upload your app to the Splunk community.