SlideShare a Scribd company logo

SFBA Splunk Usergroup meeting December 14, 2023

B
Becky Burwell

SFBA Splunk Usergroup meeting December 14, 2023: Writing the Fine (Splunk) Manual

Data & Analytics
1 of 54
Download to read offline
© 2019 SPLUNK INC. Welcome to the December SF Bay Area Splunk User Group Meeting! Glad you could join us! The meeting will start at 11:10 am PST, so we’ll kick things off soon. Notes: ● The meeting will start off with a welcome & announcements before our speakers take the floor.
© 2019 SPLUNK INC. Welcome to the November SF Bay Area Splunk User Group Meeting! SFBA User Group Leaders/Facilitator: Becky Burwell, Sr. Production Engineer, Yahoo burwell@yahooinc.com Manan Grover, Splunk
© 2019 SPLUNK INC. Agenda ● Welcome! ● Announcements ● Writing the Fine (Splunk) Manual ● Questions/Discussion
© 2019 SPLUNK INC. Announcements ● Interested in giving a talk at a future meeting? ○ Becky burwell@yahooinc.com Join the global Splunk Community on Slack @ splk.it/slack ○ Our user group channel is #ug_sfba
© 2019 SPLUNK INC. 2024 SFBA User Group Meeting Schedule Planned meeting dates for 2023: ● January, 2024: skipping ● February, 2024: in-person in San Jose ● March, 2024: virtual
© 2019 SPLUNK INC. Writing the Fine (Splunk) Manual Mark McCullough, Cyber Security Architect, SLAC
Writing The Fine (Splunk>®) Manual
Ground Rules
Ask your questions • Curious? • Don't wait for the landing
Why? SA-5 The right thing So you can take vacation Pitchfork avoidance
SA-5 a. Obtain or develop administrator documentation for the system, system component, or system service that describes: 1. Secure configuration, installation, and operation of the system, component, or service; 2. Effective use and maintenance of security and privacy functions and mechanisms; and 3. Known vulnerabilities regarding configuration and use of administrative or privileged functions; b. Obtain or develop user documentation for the system, system component, or system service that describes: 1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and 3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and d. Distribute documentation to [Assignment: organization-defined personnel or roles].
SA-5 in Plain English Write the Fine Manual!
Do The Right Thing Documenting is good
Vacations are good Interrupted vacation is bad
Pitchfork Avoidance Your successor may know where you live
What to do
The Service Run Book •Enough detail to rebuild •No git details •No credentials The whole Splunk Infra
Overview What is this service? What is the value to the organization?
Usage How do we login? (the URLs) • SHC • ES • DS • MC
Architecture Assumptions Systems Network connectivity IAM Service configuration
Assumptions What are the key assumptions of the service? • SHs are intended to be available to multiple teams for their logs • Users are self-service, but only comfortable using the GUI for editing dashboads or saved searches • Downtime tolerance for a search head is no more than two hours • Data ingestion downtime tolerance for forwarded logs is approximately 30 minutes • Data ingestion downtime for pulled logs (e.g. modular inputs, scripted inputs) is four hours • Content in user private space (not app shared) is non-production and may be safely deleted when a user leaves the organization
Systems Hostname CNAME Role CPU RAM Storage Type Notes sec-splunk-sh01 splunk SH 72 256G /: 116G /boot: 2G /opt: 95G Dell Poweredge R640 Primary SH Asset Tag: PC12345 sec-splunk-test0 1 SH-t est 12 24G /: 20G /boot: 700M VMware VM Cluster baz
Systems in AWS Hostname CNAME Role Storage Type Notes cc01023 splunk SH /: 116G /boot: 2G /opt: 95G c6i.8xl SHC cc01026 IDX /: 20G /opt/splunk: 15T i3en.6xl Storage is ephemeral cc01043 splunk-dev SH /: 20G /opt/splunk: 150G t3.m Dev SH, low CPU
Network Connectivity •Firewall rules? •Key ports? •https://www.aplura.com/cheats heets/splunk_network_ports.ht ml
IAM Key roles in your shop How to request access Any shop specifics on granting access?
Service Configuration Local custom apps • Include pointers to their docs Any Splunkbase apps? • Include the ID number Where's your git repos?
Maintenance Training Support Standard Procedures Known Issues
Training Where to get it
Support Enough detail to file a new ticket
Standard Procedures Anything site local Don't rewrite docs.splunk.com
Known Issues Need more than ten minutes to solve? Document!
Alerts
Audience Those who receive the alert
Content of alert documentation What is it? Why does it matter? What do you do? Validation
What is it? Explain the alert
What to do? Details required
Validation Know it is fixed correctly
Process Tips
Iterate Documentation Add notes Improve notes Add notes Improve notes
Docs First! Write the alert documentation Get signoff - include your SOC! Build alerts
Everyone's an editor No guardian on the edits Make sure everyone who receives the alert can update TFM
Is this still current? Check alerts periodically even if one per month
Now you can Write The Fine Manual
© 2019 SPLUNK INC. Thank You!
© 2019 SPLUNK INC. Title and Content Phasellus et nisi lacus, mauris ultricies arcu faucibus orci sit Donec fermentum sollicitudin neque, nec viverra neque lacinia eu Donec mattis tortor vitae egestas pulvinar • Vivamus eu dignissim turpis Nunc eu cursus est, at ullamcorper dui Optional subtitle

Recommended

Splunk bangalore user group 2020 07-06
Splunk bangalore user group 2020 07-06Splunk bangalore user group 2020 07-06
Splunk bangalore user group 2020 07-06NiketNilay
 
SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024Becky Burwell
 
Taking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureTaking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureSplunk
 
Taking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout SessionTaking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout SessionSplunk
 
Splunk in Nordstrom: IT Operations
Splunk in Nordstrom: IT OperationsSplunk in Nordstrom: IT Operations
Splunk in Nordstrom: IT OperationsTimur Bagirov
 
Building Business Service Intelligence with ITSI
Building Business Service Intelligence with ITSIBuilding Business Service Intelligence with ITSI
Building Business Service Intelligence with ITSISplunk
 
Getting Started with Splunk Enterprises
Getting Started with Splunk EnterprisesGetting Started with Splunk Enterprises
Getting Started with Splunk EnterprisesSplunk
 
CPIN 269 Final Documentation
CPIN 269 Final DocumentationCPIN 269 Final Documentation
CPIN 269 Final DocumentationJennifer Cordes
 

Recommended

Splunk bangalore user group 2020 07-06
Splunk bangalore user group 2020 07-06Splunk bangalore user group 2020 07-06
Splunk bangalore user group 2020 07-06NiketNilay
 
SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024SFBA Splunk Usergroup meeting March 13, 2024
SFBA Splunk Usergroup meeting March 13, 2024Becky Burwell
 
Taking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureTaking Splunk to the Next Level - Architecture
Taking Splunk to the Next Level - ArchitectureSplunk
 
Taking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout SessionTaking Splunk to the Next Level - Architecture Breakout Session
Taking Splunk to the Next Level - Architecture Breakout SessionSplunk
 
Splunk in Nordstrom: IT Operations
Splunk in Nordstrom: IT OperationsSplunk in Nordstrom: IT Operations
Splunk in Nordstrom: IT OperationsTimur Bagirov
 
Building Business Service Intelligence with ITSI
Building Business Service Intelligence with ITSIBuilding Business Service Intelligence with ITSI
Building Business Service Intelligence with ITSISplunk
 
Getting Started with Splunk Enterprises
Getting Started with Splunk EnterprisesGetting Started with Splunk Enterprises
Getting Started with Splunk EnterprisesSplunk
 
CPIN 269 Final Documentation
CPIN 269 Final DocumentationCPIN 269 Final Documentation
CPIN 269 Final DocumentationJennifer Cordes
 
Best Practices For Workflow
Best Practices For WorkflowBest Practices For Workflow
Best Practices For WorkflowTimothy Spann
 
Using Docker EE to Scale Operational Intelligence at Splunk
Using Docker EE to Scale Operational Intelligence at SplunkUsing Docker EE to Scale Operational Intelligence at Splunk
Using Docker EE to Scale Operational Intelligence at SplunkDocker, Inc.
 
Building Business Service Intelligence with ITSI
Building Business Service Intelligence with ITSIBuilding Business Service Intelligence with ITSI
Building Business Service Intelligence with ITSISplunk
 
online blogging system
online blogging systemonline blogging system
online blogging system001vaibhav
 
Architecting a Large Software Project - Lessons Learned
Architecting a Large Software Project - Lessons LearnedArchitecting a Large Software Project - Lessons Learned
Architecting a Large Software Project - Lessons LearnedJoão Pedro Martins
 
Distributed teams
Distributed teamsDistributed teams
Distributed teamsKush Shah
 
Distributed_teams
Distributed_teamsDistributed_teams
Distributed_teamsParthShah587
 
Oracle Management Cloud
Oracle Management Cloud Oracle Management Cloud
Oracle Management Cloud Dheeraj Hiremath
 
Oracle Management Cloud
Oracle Management CloudOracle Management Cloud
Oracle Management CloudDheeraj Hiremath
 
Azure + DataStax Enterprise (DSE) Powers Office365 Per User Store
Azure + DataStax Enterprise (DSE) Powers Office365 Per User StoreAzure + DataStax Enterprise (DSE) Powers Office365 Per User Store
Azure + DataStax Enterprise (DSE) Powers Office365 Per User StoreDataStax Academy
 
Splunk4Rookies - Attendee - May 2023.pdf
Splunk4Rookies - Attendee - May 2023.pdfSplunk4Rookies - Attendee - May 2023.pdf
Splunk4Rookies - Attendee - May 2023.pdfdjdhhdddhhd
 
What's New in Grizzly & Deploying OpenStack with Puppet
What's New in Grizzly & Deploying OpenStack with PuppetWhat's New in Grizzly & Deploying OpenStack with Puppet
What's New in Grizzly & Deploying OpenStack with PuppetMark Voelker
 
Geek Sync | Planning a SQL Server to Azure Migration in 2021 - Brent Ozar
Geek Sync | Planning a SQL Server to Azure Migration in 2021 - Brent OzarGeek Sync | Planning a SQL Server to Azure Migration in 2021 - Brent Ozar
Geek Sync | Planning a SQL Server to Azure Migration in 2021 - Brent OzarIDERA Software
 
Automating secure server baselines with Chef
Automating secure server baselines with ChefAutomating secure server baselines with Chef
Automating secure server baselines with ChefChef Software, Inc.
 
Facilitating Release Planning Event
Facilitating Release Planning EventFacilitating Release Planning Event
Facilitating Release Planning EventRavi Tadwalkar
 
OpenStack Glance Project Update
OpenStack Glance Project UpdateOpenStack Glance Project Update
OpenStack Glance Project UpdateBrian Rosmaita
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 
A Lap Around Developer Awesomeness in Splunk 6.3
A Lap Around Developer Awesomeness in Splunk 6.3A Lap Around Developer Awesomeness in Splunk 6.3
A Lap Around Developer Awesomeness in Splunk 6.3Glenn Block
 
Ebook9
Ebook9Ebook9
Ebook9kaashiv1
 
Sql interview question part 9
Sql interview question part 9Sql interview question part 9
Sql interview question part 9kaashiv1
 
SFBA_SUG_2023-08-02.pdf
SFBA_SUG_2023-08-02.pdfSFBA_SUG_2023-08-02.pdf
SFBA_SUG_2023-08-02.pdfBecky Burwell
 
SFBA Splunk Usergroup meeting May 3, 2023
SFBA Splunk Usergroup meeting May 3, 2023SFBA Splunk Usergroup meeting May 3, 2023
SFBA Splunk Usergroup meeting May 3, 2023Becky Burwell
 

More Related Content

Similar to SFBA Splunk Usergroup meeting December 14, 2023

Best Practices For Workflow
Best Practices For WorkflowBest Practices For Workflow
Best Practices For WorkflowTimothy Spann
 
Using Docker EE to Scale Operational Intelligence at Splunk
Using Docker EE to Scale Operational Intelligence at SplunkUsing Docker EE to Scale Operational Intelligence at Splunk
Using Docker EE to Scale Operational Intelligence at SplunkDocker, Inc.
 
Building Business Service Intelligence with ITSI
Building Business Service Intelligence with ITSIBuilding Business Service Intelligence with ITSI
Building Business Service Intelligence with ITSISplunk
 
online blogging system
online blogging systemonline blogging system
online blogging system001vaibhav
 
Architecting a Large Software Project - Lessons Learned
Architecting a Large Software Project - Lessons LearnedArchitecting a Large Software Project - Lessons Learned
Architecting a Large Software Project - Lessons LearnedJoão Pedro Martins
 
Distributed teams
Distributed teamsDistributed teams
Distributed teamsKush Shah
 
Azure + DataStax Enterprise (DSE) Powers Office365 Per User Store
Azure + DataStax Enterprise (DSE) Powers Office365 Per User StoreAzure + DataStax Enterprise (DSE) Powers Office365 Per User Store
Azure + DataStax Enterprise (DSE) Powers Office365 Per User StoreDataStax Academy
 
Splunk4Rookies - Attendee - May 2023.pdf
Splunk4Rookies - Attendee - May 2023.pdfSplunk4Rookies - Attendee - May 2023.pdf
Splunk4Rookies - Attendee - May 2023.pdfdjdhhdddhhd
 
What's New in Grizzly & Deploying OpenStack with Puppet
What's New in Grizzly & Deploying OpenStack with PuppetWhat's New in Grizzly & Deploying OpenStack with Puppet
What's New in Grizzly & Deploying OpenStack with PuppetMark Voelker
 
Geek Sync | Planning a SQL Server to Azure Migration in 2021 - Brent Ozar
Geek Sync | Planning a SQL Server to Azure Migration in 2021 - Brent OzarGeek Sync | Planning a SQL Server to Azure Migration in 2021 - Brent Ozar
Geek Sync | Planning a SQL Server to Azure Migration in 2021 - Brent OzarIDERA Software
 
Automating secure server baselines with Chef
Automating secure server baselines with ChefAutomating secure server baselines with Chef
Automating secure server baselines with ChefChef Software, Inc.
 
Facilitating Release Planning Event
Facilitating Release Planning EventFacilitating Release Planning Event
Facilitating Release Planning EventRavi Tadwalkar
 
OpenStack Glance Project Update
OpenStack Glance Project UpdateOpenStack Glance Project Update
OpenStack Glance Project UpdateBrian Rosmaita
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 
A Lap Around Developer Awesomeness in Splunk 6.3
A Lap Around Developer Awesomeness in Splunk 6.3A Lap Around Developer Awesomeness in Splunk 6.3
A Lap Around Developer Awesomeness in Splunk 6.3Glenn Block
 
Sql interview question part 9
Sql interview question part 9Sql interview question part 9
Sql interview question part 9kaashiv1
 

Similar to SFBA Splunk Usergroup meeting December 14, 2023 (20)

Best Practices For Workflow
Best Practices For WorkflowBest Practices For Workflow
Best Practices For Workflow
 
Using Docker EE to Scale Operational Intelligence at Splunk
Using Docker EE to Scale Operational Intelligence at SplunkUsing Docker EE to Scale Operational Intelligence at Splunk
Using Docker EE to Scale Operational Intelligence at Splunk
 
Building Business Service Intelligence with ITSI
Building Business Service Intelligence with ITSIBuilding Business Service Intelligence with ITSI
Building Business Service Intelligence with ITSI
 
online blogging system
online blogging systemonline blogging system
online blogging system
 
Architecting a Large Software Project - Lessons Learned
Architecting a Large Software Project - Lessons LearnedArchitecting a Large Software Project - Lessons Learned
Architecting a Large Software Project - Lessons Learned
 
Distributed teams
Distributed teamsDistributed teams
Distributed teams
 
Distributed_teams
Distributed_teamsDistributed_teams
Distributed_teams
 
Oracle Management Cloud
Oracle Management Cloud Oracle Management Cloud
Oracle Management Cloud
 
Oracle Management Cloud
Oracle Management CloudOracle Management Cloud
Oracle Management Cloud
 
Azure + DataStax Enterprise (DSE) Powers Office365 Per User Store
Azure + DataStax Enterprise (DSE) Powers Office365 Per User StoreAzure + DataStax Enterprise (DSE) Powers Office365 Per User Store
Azure + DataStax Enterprise (DSE) Powers Office365 Per User Store
 
Splunk4Rookies - Attendee - May 2023.pdf
Splunk4Rookies - Attendee - May 2023.pdfSplunk4Rookies - Attendee - May 2023.pdf
Splunk4Rookies - Attendee - May 2023.pdf
 
What's New in Grizzly & Deploying OpenStack with Puppet
What's New in Grizzly & Deploying OpenStack with PuppetWhat's New in Grizzly & Deploying OpenStack with Puppet
What's New in Grizzly & Deploying OpenStack with Puppet
 
Geek Sync | Planning a SQL Server to Azure Migration in 2021 - Brent Ozar
Geek Sync | Planning a SQL Server to Azure Migration in 2021 - Brent OzarGeek Sync | Planning a SQL Server to Azure Migration in 2021 - Brent Ozar
Geek Sync | Planning a SQL Server to Azure Migration in 2021 - Brent Ozar
 
Automating secure server baselines with Chef
Automating secure server baselines with ChefAutomating secure server baselines with Chef
Automating secure server baselines with Chef
 
Facilitating Release Planning Event
Facilitating Release Planning EventFacilitating Release Planning Event
Facilitating Release Planning Event
 
OpenStack Glance Project Update
OpenStack Glance Project UpdateOpenStack Glance Project Update
OpenStack Glance Project Update
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 
A Lap Around Developer Awesomeness in Splunk 6.3
A Lap Around Developer Awesomeness in Splunk 6.3A Lap Around Developer Awesomeness in Splunk 6.3
A Lap Around Developer Awesomeness in Splunk 6.3
 
Ebook9
Ebook9Ebook9
Ebook9
 
Sql interview question part 9
Sql interview question part 9Sql interview question part 9
Sql interview question part 9
 

More from Becky Burwell

SFBA_SUG_2023-08-02.pdf
SFBA_SUG_2023-08-02.pdfSFBA_SUG_2023-08-02.pdf
SFBA_SUG_2023-08-02.pdfBecky Burwell
 
SFBA Splunk Usergroup meeting May 3, 2023
SFBA Splunk Usergroup meeting May 3, 2023SFBA Splunk Usergroup meeting May 3, 2023
SFBA Splunk Usergroup meeting May 3, 2023Becky Burwell
 
SFBA Splunk User Group Meeting February 2023
SFBA Splunk User Group Meeting February 2023SFBA Splunk User Group Meeting February 2023
SFBA Splunk User Group Meeting February 2023Becky Burwell
 
SFBA Splunk Usergroup meeting December 2022
SFBA Splunk Usergroup meeting December 2022SFBA Splunk Usergroup meeting December 2022
SFBA Splunk Usergroup meeting December 2022Becky Burwell
 
SFBA Usergroup meeting November 2, 2022
SFBA Usergroup meeting November 2, 2022SFBA Usergroup meeting November 2, 2022
SFBA Usergroup meeting November 2, 2022Becky Burwell
 
SF Bay Area Splunk User Group Meeting October 5, 2022
SF Bay Area Splunk User Group Meeting October 5, 2022SF Bay Area Splunk User Group Meeting October 5, 2022
SF Bay Area Splunk User Group Meeting October 5, 2022Becky Burwell
 
SFBA Splunk User Group Meeting August 10, 2022
SFBA Splunk User Group Meeting August 10, 2022SFBA Splunk User Group Meeting August 10, 2022
SFBA Splunk User Group Meeting August 10, 2022Becky Burwell
 
SFBA Splunk Usergroup meeting July 13, 2022
SFBA Splunk Usergroup meeting July 13, 2022SFBA Splunk Usergroup meeting July 13, 2022
SFBA Splunk Usergroup meeting July 13, 2022Becky Burwell
 
designing-resilient-cloud-native-splunk-arch-in-aws-austin-rose.pdf
designing-resilient-cloud-native-splunk-arch-in-aws-austin-rose.pdfdesigning-resilient-cloud-native-splunk-arch-in-aws-austin-rose.pdf
designing-resilient-cloud-native-splunk-arch-in-aws-austin-rose.pdfBecky Burwell
 
Splunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilsonSplunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilsonBecky Burwell
 
Getting Started with Splunk Observability September 8, 2021
Getting Started with Splunk Observability September 8, 2021Getting Started with Splunk Observability September 8, 2021
Getting Started with Splunk Observability September 8, 2021Becky Burwell
 
Advanced Outlier Detection and Noise Reduction with Splunk & MLTK August 11, ...
Advanced Outlier Detection and Noise Reduction with Splunk & MLTK August 11, ...Advanced Outlier Detection and Noise Reduction with Splunk & MLTK August 11, ...
Advanced Outlier Detection and Noise Reduction with Splunk & MLTK August 11, ...Becky Burwell
 

More from Becky Burwell (12)

SFBA_SUG_2023-08-02.pdf
SFBA_SUG_2023-08-02.pdfSFBA_SUG_2023-08-02.pdf
SFBA_SUG_2023-08-02.pdf
 
SFBA Splunk Usergroup meeting May 3, 2023
SFBA Splunk Usergroup meeting May 3, 2023SFBA Splunk Usergroup meeting May 3, 2023
SFBA Splunk Usergroup meeting May 3, 2023
 
SFBA Splunk User Group Meeting February 2023
SFBA Splunk User Group Meeting February 2023SFBA Splunk User Group Meeting February 2023
SFBA Splunk User Group Meeting February 2023
 
SFBA Splunk Usergroup meeting December 2022
SFBA Splunk Usergroup meeting December 2022SFBA Splunk Usergroup meeting December 2022
SFBA Splunk Usergroup meeting December 2022
 
SFBA Usergroup meeting November 2, 2022
SFBA Usergroup meeting November 2, 2022SFBA Usergroup meeting November 2, 2022
SFBA Usergroup meeting November 2, 2022
 
SF Bay Area Splunk User Group Meeting October 5, 2022
SF Bay Area Splunk User Group Meeting October 5, 2022SF Bay Area Splunk User Group Meeting October 5, 2022
SF Bay Area Splunk User Group Meeting October 5, 2022
 
SFBA Splunk User Group Meeting August 10, 2022
SFBA Splunk User Group Meeting August 10, 2022SFBA Splunk User Group Meeting August 10, 2022
SFBA Splunk User Group Meeting August 10, 2022
 
SFBA Splunk Usergroup meeting July 13, 2022
SFBA Splunk Usergroup meeting July 13, 2022SFBA Splunk Usergroup meeting July 13, 2022
SFBA Splunk Usergroup meeting July 13, 2022
 
designing-resilient-cloud-native-splunk-arch-in-aws-austin-rose.pdf
designing-resilient-cloud-native-splunk-arch-in-aws-austin-rose.pdfdesigning-resilient-cloud-native-splunk-arch-in-aws-austin-rose.pdf
designing-resilient-cloud-native-splunk-arch-in-aws-austin-rose.pdf
 
Splunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilsonSplunking configfiles 20211208_daniel_wilson
Splunking configfiles 20211208_daniel_wilson
 
Getting Started with Splunk Observability September 8, 2021
Getting Started with Splunk Observability September 8, 2021Getting Started with Splunk Observability September 8, 2021
Getting Started with Splunk Observability September 8, 2021
 
Advanced Outlier Detection and Noise Reduction with Splunk & MLTK August 11, ...
Advanced Outlier Detection and Noise Reduction with Splunk & MLTK August 11, ...Advanced Outlier Detection and Noise Reduction with Splunk & MLTK August 11, ...
Advanced Outlier Detection and Noise Reduction with Splunk & MLTK August 11, ...
 

Recently uploaded

VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...Suhani Kapoor
 
04242024_CCC TUG_Joins and Relationships
04242024_CCC TUG_Joins and Relationships04242024_CCC TUG_Joins and Relationships
04242024_CCC TUG_Joins and Relationshipsccctableauusergroup
 
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...Florian Roscheck
 
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Sapana Sha
 
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Callshivangimorya083
 
Data Warehouse , Data Cube Computation
Data Warehouse , Data Cube ComputationData Warehouse , Data Cube Computation
Data Warehouse , Data Cube Computationsit20ad004
 
Industrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfIndustrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfLars Albertsson
 
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptdokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptSonatrach
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfRachmat Ramadhan H
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfLars Albertsson
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptxAnupama Kate
 
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /WhatsappsBeautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsappssapnasaifi408
 
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfSocial Samosa
 
Call Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts Service
Call Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts ServiceCall Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts Service
Call Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts Servicejennyeacort
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 

Recently uploaded (20)

VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
 
04242024_CCC TUG_Joins and Relationships
04242024_CCC TUG_Joins and Relationships04242024_CCC TUG_Joins and Relationships
04242024_CCC TUG_Joins and Relationships
 
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
 
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
 
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
Saket, (-DELHI )+91-9654467111-(=)CHEAP Call Girls in Escorts Service Saket C...
 
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
꧁❤ Greater Noida Call Girls Delhi ❤꧂ 9711199171 ☎️ Hard And Sexy Vip Call
 
Data Warehouse , Data Cube Computation
Data Warehouse , Data Cube ComputationData Warehouse , Data Cube Computation
Data Warehouse , Data Cube Computation
 
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
 
Industrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfIndustrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdf
 
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptdokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
 
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
 
Russian Call Girls Dwarka Sector 15 💓 Delhi 9999965857 @Sabina Modi VVIP MODE...
Russian Call Girls Dwarka Sector 15 💓 Delhi 9999965857 @Sabina Modi VVIP MODE...Russian Call Girls Dwarka Sector 15 💓 Delhi 9999965857 @Sabina Modi VVIP MODE...
Russian Call Girls Dwarka Sector 15 💓 Delhi 9999965857 @Sabina Modi VVIP MODE...
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx
 
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /WhatsappsBeautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
 
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
 
Call Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts Service
Call Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts ServiceCall Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts Service
Call Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts Service
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 

SFBA Splunk Usergroup meeting December 14, 2023

  • 1. © 2019 SPLUNK INC. Welcome to the December SF Bay Area Splunk User Group Meeting! Glad you could join us! The meeting will start at 11:10 am PST, so we’ll kick things off soon. Notes: ● The meeting will start off with a welcome & announcements before our speakers take the floor.
  • 2. © 2019 SPLUNK INC. Welcome to the November SF Bay Area Splunk User Group Meeting! SFBA User Group Leaders/Facilitator: Becky Burwell, Sr. Production Engineer, Yahoo burwell@yahooinc.com Manan Grover, Splunk
  • 3. © 2019 SPLUNK INC. Agenda ● Welcome! ● Announcements ● Writing the Fine (Splunk) Manual ● Questions/Discussion
  • 4. © 2019 SPLUNK INC. Announcements ● Interested in giving a talk at a future meeting? ○ Becky burwell@yahooinc.com Join the global Splunk Community on Slack @ splk.it/slack ○ Our user group channel is #ug_sfba
  • 5. © 2019 SPLUNK INC. 2024 SFBA User Group Meeting Schedule Planned meeting dates for 2023: ● January, 2024: skipping ● February, 2024: in-person in San Jose ● March, 2024: virtual
  • 6. © 2019 SPLUNK INC. Writing the Fine (Splunk) Manual Mark McCullough, Cyber Security Architect, SLAC
  • 7. Writing The Fine (Splunk>®) Manual
  • 9. Ask your questions • Curious? • Don't wait for the landing
  • 10. Why? SA-5 The right thing So you can take vacation Pitchfork avoidance
  • 11. SA-5 a. Obtain or develop administrator documentation for the system, system component, or system service that describes: 1. Secure configuration, installation, and operation of the system, component, or service; 2. Effective use and maintenance of security and privacy functions and mechanisms; and 3. Known vulnerabilities regarding configuration and use of administrative or privileged functions; b. Obtain or develop user documentation for the system, system component, or system service that describes: 1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms; 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and 3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals; c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take [Assignment: organization-defined actions] in response; and d. Distribute documentation to [Assignment: organization-defined personnel or roles].
  • 12. SA-5 in Plain English Write the Fine Manual!
  • 13. Do The Right Thing Documenting is good
  • 17. The Service Run Book •Enough detail to rebuild •No git details •No credentials The whole Splunk Infra
  • 18. Overview What is this service? What is the value to the organization?
  • 19. Usage How do we login? (the URLs) • SHC • ES • DS • MC
  • 21. Assumptions What are the key assumptions of the service? • SHs are intended to be available to multiple teams for their logs • Users are self-service, but only comfortable using the GUI for editing dashboads or saved searches • Downtime tolerance for a search head is no more than two hours • Data ingestion downtime tolerance for forwarded logs is approximately 30 minutes • Data ingestion downtime for pulled logs (e.g. modular inputs, scripted inputs) is four hours • Content in user private space (not app shared) is non-production and may be safely deleted when a user leaves the organization
  • 22. Systems Hostname CNAME Role CPU RAM Storage Type Notes sec-splunk-sh01 splunk SH 72 256G /: 116G /boot: 2G /opt: 95G Dell Poweredge R640 Primary SH Asset Tag: PC12345 sec-splunk-test0 1 SH-t est 12 24G /: 20G /boot: 700M VMware VM Cluster baz
  • 23. Systems in AWS Hostname CNAME Role Storage Type Notes cc01023 splunk SH /: 116G /boot: 2G /opt: 95G c6i.8xl SHC cc01026 IDX /: 20G /opt/splunk: 15T i3en.6xl Storage is ephemeral cc01043 splunk-dev SH /: 20G /opt/splunk: 150G t3.m Dev SH, low CPU
  • 24. Network Connectivity •Firewall rules? •Key ports? •https://www.aplura.com/cheats heets/splunk_network_ports.ht ml
  • 25. IAM Key roles in your shop How to request access Any shop specifics on granting access?
  • 26. Service Configuration Local custom apps • Include pointers to their docs Any Splunkbase apps? • Include the ID number Where's your git repos?
  • 29. Support Enough detail to file a new ticket
  • 31.
  • 32.
  • 33. Known Issues Need more than ten minutes to solve? Document!
  • 34.
  • 35.
  • 38. Content of alert documentation What is it? Why does it matter? What do you do? Validation
  • 39. What is it? Explain the alert
  • 40.
  • 41.
  • 43.
  • 44. Validation Know it is fixed correctly
  • 45.
  • 46.
  • 49. Docs First! Write the alert documentation Get signoff - include your SOC! Build alerts
  • 50. Everyone's an editor No guardian on the edits Make sure everyone who receives the alert can update TFM
  • 51. Is this still current? Check alerts periodically even if one per month
  • 52. Now you can Write The Fine Manual
  • 53. © 2019 SPLUNK INC. Thank You!
  • 54. © 2019 SPLUNK INC. Title and Content Phasellus et nisi lacus, mauris ultricies arcu faucibus orci sit Donec fermentum sollicitudin neque, nec viverra neque lacinia eu Donec mattis tortor vitae egestas pulvinar • Vivamus eu dignissim turpis Nunc eu cursus est, at ullamcorper dui Optional subtitle