Splunk4 + Instant Messaging = SplunkAIM

This small, unofficial project integrates an open-source AIM (AOL Instant Messenger) chatbot with Splunk 4, allowing ad hoc searching, running of saved searches, and real-time search alerting over instant messaging.

What’s real-time searching? It’s new in Splunk 4.1, out shortly, and will allow users to search for “real-time” events, within seconds of them reaching Splunk. Most usefully, you can set up real-time searches and be IM’d with the matching events the second they show up. You could ask to be IM’d, for example, whenever someone logs into your system, whenever there’s an error, whenever someone logs in as root, etc.

Above is a screen capture of real-time alerts printing out for each time someone downloads Splunk!

Note: You can use this project with Splunk 4.0, and everything other than real-time searches will work. That means you can do ad hoc searches and run saved searches over historical data.

Example Searches

    ?: prints out a help message explaining the commands.
    rtsearch login root: set up a real-time alert to IM you whenever a user logs in as root.
    rtlist: get a list of all your real-time alert jobs.
    rtstop *: cancel all your real-time alerts.
    search login | top 5 username: run a historical search reporting the top 5 users who logged in most often.
    admin error: IMs that don't start with a known command search your existing saved searches (here, saved searches about admin errors).
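To make the command grammar above concrete, here is an added example (not SplunkAIM's own code) that models how such a bot could parse incoming IMs into Splunk actions: a help command, an in-memory registry of real-time jobs per sender, glob-style rtstop, historical search dispatch, and the fallback that matches unknown messages against saved-search names. Everything is assumed: the BotState/RealtimeJob structures, the allowed_users screen-name allowlist (a defensive addition, since the bot exposes search over IM), the sample saved searches, and the "action" dicts, which stand in for whatever the transport layer would actually submit to Splunk. Nothing here talks to Splunk or AIM.

```python
import fnmatch
import itertools
from dataclasses import dataclass, field

# Added example (not SplunkAIM's code): an in-memory model of how an IM bot
# turns messages like the ones above into Splunk actions.

HELP_TEXT = (
    "?                  show this help\n"
    "rtsearch <query>   start a real-time alert for <query>\n"
    "rtlist             list your real-time alert jobs\n"
    "rtstop <pattern>   cancel your real-time alerts whose id or query matches <pattern> (* = all)\n"
    "search <query>     run a historical search\n"
    "<anything else>    look for saved searches whose name contains those words"
)


@dataclass
class RealtimeJob:
    job_id: int
    owner: str
    query: str


@dataclass
class BotState:
    # Assumption for this example: only listed screen names may talk to the bot.
    allowed_users: set
    # Assumption: saved searches are known to the bot as name -> query.
    saved_searches: dict
    jobs: dict = field(default_factory=dict)
    next_id: itertools.count = field(default_factory=lambda: itertools.count(1))


def find_saved_searches(state, words):
    """Return saved-search names containing every word (case-insensitive)."""
    needles = [w.lower() for w in words]
    return sorted(n for n in state.saved_searches if all(w in n.lower() for w in needles))


def handle_message(state, sender, text):
    """Parse one IM; return {'reply': str, 'action': dict or None}.

    'action' is what a transport layer would submit to Splunk; nothing is sent here.
    """
    if sender not in state.allowed_users:
        return {"reply": "not authorized", "action": None}
    text = text.strip()
    cmd, _, arg = text.partition(" ")
    cmd, arg = cmd.lower(), arg.strip()

    if cmd in ("", "?"):
        return {"reply": HELP_TEXT, "action": None}

    if cmd == "rtsearch":
        if not arg:
            return {"reply": "usage: rtsearch <query>", "action": None}
        job = RealtimeJob(next(state.next_id), sender, arg)
        state.jobs[job.job_id] = job
        return {"reply": f"started real-time job {job.job_id}: {arg}",
                "action": {"type": "realtime", "job_id": job.job_id, "query": arg}}

    if cmd == "rtlist":
        mine = [j for j in state.jobs.values() if j.owner == sender]
        reply = "\n".join(f"{j.job_id}: {j.query}" for j in mine) or "no real-time jobs"
        return {"reply": reply, "action": None}

    if cmd == "rtstop":
        if not arg:
            return {"reply": "usage: rtstop <pattern>  (use * for all)", "action": None}
        # Only the sender's own jobs are candidates; match the glob against id or query text.
        stopped = [j.job_id for j in state.jobs.values()
                   if j.owner == sender
                   and (fnmatch.fnmatch(str(j.job_id), arg) or fnmatch.fnmatch(j.query, arg))]
        for jid in stopped:
            del state.jobs[jid]
        return {"reply": f"stopped {len(stopped)} job(s)",
                "action": {"type": "cancel", "job_ids": stopped}}

    if cmd == "search":
        if not arg:
            return {"reply": "usage: search <query>", "action": None}
        return {"reply": f"running historical search: {arg}",
                "action": {"type": "historical", "query": arg}}

    # Anything else: treat the whole message as words to match against saved-search names.
    names = find_saved_searches(state, text.split())
    if not names:
        return {"reply": f"no saved searches matching '{text}'", "action": None}
    return {"reply": "saved searches: " + ", ".join(names),
            "action": {"type": "saved", "names": names}}


def demo_state():
    """Constructed sample state for the walkthrough (not real saved searches)."""
    return BotState(
        allowed_users={"alice"},
        saved_searches={
            "Admin Errors Last Hour": "sourcetype=syslog admin error",
            "Failed Logins": "login fail*",
        },
    )


if __name__ == "__main__":
    st = demo_state()
    for msg in ["?", "rtsearch login root", "rtlist", "admin error",
                "search login | top 5 username", "rtstop *", "rtlist"]:
        print(f"> {msg}\n{handle_message(st, 'alice', msg)['reply']}\n")
```

Running the block walks through the same sequence as the example list: a real-time job is registered, listed, and then cancelled by rtstop *, and the bare "admin error" message falls through to the saved-search lookup. The allowlist check runs before any parsing, so an unknown screen name gets nothing, not even the help text.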

