We had our first NY Metro Splunk Users Group meeting of the year this week. It was hosted at BlackRock in NYC, with Reed Kelly, one of the leaders of the users group, playing host. Thanks Reed.
Our first order of business was to watch a presentation from Splunk Product Manager Jack Coates on the new Splunk Common Information Model 3.0. Unlike the past CIM, which focused heavily on security, the new CIM is general purpose for all of IT and is flexible enough to have more knowledge added to it when needed. As a bonus, the app in the app store ships with data models so you can quickly get started and test your data sources.
Next, we had a discussion (or some may call it a debate) on deploying Splunk indexers on a virtual machine. You may read more on this topic in the docs.
Finally, Reed held a contest in which each participant had two minutes to describe an interesting tip. There were many good tips presented, but the winner was Mohan Chikkajataka from Moody's. His winning tip was to run scheduled searches that look for any user who joins a group or role, performs an action, and then leaves that group or role within a short time period. Temporarily acquiring elevated access to do something is suspicious.
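The winning tip, worked through as an added example that is not part of the original post or of the users group's material: the correlation is written in Python over a constructed audit log rather than as a Splunk scheduled search, but the logic is the same one a scheduled search would implement. The event format, the `GROUP_ADD`/`ACTION`/`GROUP_REMOVE` event types, the users, the group names and the 30-minute window are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from the post). Each line carries a timestamp,
# an event type, the acting user, and either the group touched or the action taken.
# Events are deliberately out of order to show the search has to sort by time first.
SAMPLE_EVENTS = """\
2014-01-14T09:00:05 GROUP_ADD user=alice group=Domain Admins
2014-01-14T09:01:12 ACTION user=alice action=reset_password target=bob
2014-01-14T09:03:40 GROUP_REMOVE user=alice group=Domain Admins
2014-01-14T10:15:00 GROUP_ADD user=carol group=Domain Admins
2014-01-14T12:00:00 GROUP_ADD user=dave group=Helpdesk
2014-01-14T11:20:00 ACTION user=carol action=create_share target=finance
2014-01-14T12:02:00 GROUP_REMOVE user=dave group=Helpdesk
2014-01-14T16:45:00 GROUP_REMOVE user=carol group=Domain Admins
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<type>GROUP_ADD|GROUP_REMOVE|ACTION) user=(?P<user>\S+) (?P<rest>.*)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole search
        ev = {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "type": m["type"],
            "user": m["user"],
        }
        if ev["type"] == "ACTION":
            ev["detail"] = m["rest"]
        else:
            ev["group"] = m["rest"][len("group="):]  # group names may contain spaces
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_short_lived_membership(events, window_seconds=1800):
    """Return one alert per (user, group) where the user was added to the group,
    performed at least one action while a member, and was removed again within
    window_seconds. Joins that are never left, or left with no action in between,
    are not reported."""
    open_adds = {}                 # (user, group) -> timestamp of the unmatched GROUP_ADD
    actions = defaultdict(list)    # user -> [(timestamp, detail), ...]
    alerts = []
    for ev in events:
        if ev["type"] == "GROUP_ADD":
            open_adds[(ev["user"], ev["group"])] = ev["ts"]
        elif ev["type"] == "ACTION":
            actions[ev["user"]].append((ev["ts"], ev["detail"]))
        elif ev["type"] == "GROUP_REMOVE":
            added = open_adds.pop((ev["user"], ev["group"]), None)
            if added is None:
                continue  # removal without a matching add in this window of data
            held = int((ev["ts"] - added).total_seconds())
            if held > window_seconds:
                continue  # long-lived membership: normal provisioning, not the pattern
            acted = [d for (t, d) in actions[ev["user"]] if added <= t <= ev["ts"]]
            if acted:
                alerts.append({
                    "user": ev["user"],
                    "group": ev["group"],
                    "added": added.isoformat(),
                    "removed": ev["ts"].isoformat(),
                    "held_seconds": held,
                    "actions": acted,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_short_lived_membership(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['user']} held {alert['group']} for {alert['held_seconds']}s "
              f"and performed: {alert['actions']}")
```

With the default 30-minute window only alice is flagged: carol held the group for more than six hours, and dave joined and left Helpdesk without doing anything in between. Widening the window to a working day would pick up carol as well, which is the tuning decision a scheduled search owner has to make against their own provisioning habits.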
If you would like to join the NY Metro Splunk Users Group, please join the group on LinkedIn and participate with your ideas. Thanks.
P.S. Although it is not quite the actual prize, for his winning contribution Mohan received a screaming monkey from Reed, as depicted below.