Command Line Splunk

Petronas Towers, Kuala Lumpur

At the recent Hack In The Box Conference in Kuala Lumpur, Malaysia, I was presenting on insider crime visualization. I was also showing how you can use Splunk on the command line (and through the Web interface) in order to retrieve events and process them further with your own scripts. One of the ways to use Splunk on the command line is simply the following:

./splunk search "ipfw | fields + SourceAddress DestinationAddress" -auth admin:changeme | awk '{printf "%s,%s\n",$1,$2}' | afterglow -t -b 2 | neato -Tgif -o test.gif

This command runs a search in Splunk. The search extracts only two fields from the logs, SourceAddress and DestinationAddress. The awk stage then formats Splunk's output as CSV (I think there is also a command in Splunk to do so. I'd have to check), and the CSV is piped into AfterGlow to visualize it.
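The awk stage in the pipeline above treats every line of Splunk's output as a clean source/destination pair. The shell function below, an added example that is not from the original post, turns Splunk CLI table output into the two-column CSV edge list AfterGlow reads while skipping the header row, the dashed separator and any row missing a field; the table layout of the sample input and the addresses in it are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of what "splunk search ... | fields + SourceAddress DestinationAddress"
# prints on the CLI. Assumed layout: a header row, a row of dashes, then one row per event.
SAMPLE_SPLUNK_OUTPUT='SourceAddress   DestinationAddress
--------------- ------------------
10.0.0.5        192.168.1.10
10.0.0.5        192.168.1.10
10.0.0.7        192.168.1.20
10.0.0.9
'

# Convert Splunk CLI table output (stdin) into the "source,destination" CSV that
# afterglow -t -b 2 expects. Header, separator and incomplete rows are dropped,
# and duplicate pairs are collapsed so each edge is listed once.
splunk_to_edges() {
    awk 'NR == 1 { next }                       # header row (assumed first line)
         /^-+( -+)*$/ { next }                   # separator row made of dashes
         NF >= 2 { printf "%s,%s\n", $1, $2 }' | sort -u
}

# Run the conversion over the constructed sample and return the edge list.
edges_from_sample() {
    printf '%s' "$SAMPLE_SPLUNK_OUTPUT" | splunk_to_edges
}

# Number of distinct edges in the sample (useful as a sanity check before plotting).
count_sample_edges() {
    edges_from_sample | wc -l | tr -d ' '
}

# Against a live Splunk instance the function slots into the original pipeline:
# ./splunk search "ipfw | fields + SourceAddress DestinationAddress" -auth admin:changeme \
#     | splunk_to_edges | afterglow -t -b 2 | neato -Tgif -o test.gif
edges_from_sample
```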

This way of using Splunk on the command line is really powerful and opens a lot of very interesting use-cases.

By Raffael Marty
