Smart AnSwerS #56

Hey there community and welcome to the 56th installment of Smart AnSwerS.

We just hosted the March SF Bay Area User Group meeting last night at Splunk HQ and had a great conversation about various real and hypothetical security scenarios in the spirit of RSA. It was awesome to hear a mix of experiences and lessons from Splunkers, partners, and customers. If you want to learn about all the juicy details from the meeting, visit the #sfba channel in our Splunk User Group Slack Chat where smoir (thank you!) “liveslacked” all the key topics discussed. It will only be available to view for a limited time, so act fast! Otherwise, feel free to hang out in that channel during our next meeting on Tuesday, April 19th @ 6:00PM at Yahoo! HQ in Sunnyvale, CA, hosted by Becky Burwell.

Smart AnSwerS will be taking a break for the next 3 weeks as I’ll be on PTO in a land far far away, but will jump back into action at the end of March. Until I return, enjoy this week’s featured Splunk Answers posts:

As part of a Splunk alert, is it possible to include 100 lines from the log prior to the event that triggered the alert?

cybrainx wanted to set up and trigger an alert when an ERROR string was found, but also include 100 lines from the log prior to the trigger event in the results. SplunkTrust member rich7177, with an assist from fellow member MuS, came up with a search to capture all necessary raw data before using a combination of eval, streamstats with window=100, and transaction to make this alert requirement possible.
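One way to express that approach in SPL, as an added illustration rather than the search posted in the Answers thread: it assumes an index named app and a sourcetype app_log, matches ERROR anywhere in _raw, and relies on the search returning events in Splunk’s default reverse-chronological order, so a streamstats window of 101 covers each event plus the 100 events that follow it in time.

```spl
index=app sourcetype=app_log
| eval is_error=if(match(_raw, "ERROR"), 1, 0)
| streamstats window=101 max(is_error) AS error_within_100
| where error_within_100=1
| streamstats sum(is_error) AS error_seq
| transaction error_seq maxevents=101
| reverse
```

The second streamstats numbers each ERROR from newest to oldest and stamps the same number on the lines that precede it, so transaction groups each error with its own 100 lines of prior context; saved as an alert that triggers when the result count is greater than zero, the context arrives with the notification.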

What is the recommended compatibility sequence of upgrading instances in my environment from Splunk 6.2.7 to 6.3.2?

rcreddy06 had an environment with a search head cluster, indexer cluster, deployment server, heavy forwarders, and universal forwarders running Splunk 6.2.7, but wanted to upgrade everything to 6.3.2. To tackle this properly, rcreddy06 needed to know in what order and how to upgrade each instance or group of instances for a smooth transition. esix breaks down the upgrade process in phases with things to look out for and references the relevant documentation.

How to make a world map dashboard using logs from an email server with no IP addresses?

emixam3 was looking for a way to use logs from an email server to plot dots on different countries in a world map based on the domain of receiver email addresses, but had trouble figuring out how to do this without associated IP data. yannK points out that map tools rely on longitude and latitude coordinates, and geoip tools rely on IPs to convert them to coordinates, but gives emixam3 another approach. He suggests creating a lookup with domain, country, lat, and long fields to use for searches in combination with the geostats command to create map visualizations.

Thanks for reading!

Missed out on the first fifty-five Smart AnSwerS blog posts? Check ‘em out here!

Posted by Patrick Pablo

Born and raised in Los Angeles, Patrick made his way up north for college and fell in love with the Bay Area, making it his second home. After working 5 years for a non-profit as a college & career counselor in San Francisco public high schools, he stumbled across a new career opportunity himself! Patrick found a new way to apply his community organizing background in a way he didn’t know was possible at Splunk.
