The very first in-person PNW Splunk user group in Seattle since before the pandemic! REI's Michael Bunner brought us a constellation of automation patterns, and Splunk's Rob de Luna walked us through Edge Processor. It was so great to see folks out and about and getting into deep discussion! Next in-person meeting in PDX. Sponsored by Arcus Data.

1. © 2022 SPLUNK INC.
Splunk PNW
User Group
28 June, 2023

2. © 2022 SPLUNK INC.
Agenda
Topic Speaker Organization Time
Welcome
Grab a seat, get comfy
Intros and announcements
Josh Hritz
CEO & Co-Founder
Arcus Data 15m
Splunk Enterprise Security and SOAR Michael Bunner
Sr Cybersecurity Analyst
REI 20m
Splunk Edge Processor
Introduction and demo
Rob de Luna
Sr. Sales Engineer
Splunk 30m
Open Discussion and Networking Time!
Food delivery from qdoba at 11AM
User Community All 45m
Wrap up
Closing remarks, topic ideas
Travis Volker
Consulting Sales Engineer
Splunk 15m

3. © 2022 SPLUNK INC.
Stargazing with Splunk
Mike Bunner (he/him/his)
Sr. Security Automation Engineer, REI
https://www.linkedin.com/in/mikedba
A Constellation of Automation Patterns

4. © 2022 SPLUNK INC.
"Not speaking on behalf
of my employer, past or
present; any opinions
expressed are my own."

5. © 2022 SPLUNK INC.
Automation is High-Value Data
I
K
D
W
I
K
D
W
I
K
D
W
I
K
D
W
( Data, Information, Knowledge, Wisdom )

6. © 2022 SPLUNK INC.
Moving Beyond Regex
LLM

7. © 2022 SPLUNK INC.
Data Routing as Code
Policy as Code:
•SIEM
•Compliance
Concepts:
•Security
•Collaboration
•Data structure
•Existing data locations and relationships
•Analytics Capabilities
•Response actions
•Operations
•Tiering and Availability Requirements

8. © 2022 SPLUNK INC.
Weighted scoring by grouped question sets
{
'time': True,
'user': True,
'host': True,
'action': True,
'result': False,
'source’: True,
'destination': False
}
Existence of security specific fields?
math.log()
math.sqrt()
Use log or sqrt transforms to give weighted
preference to sums of a related answers or
number input.

9. © 2022 SPLUNK INC.
Automate & Integrate Where Possible
Data Routing
Definition
Data Routing
Function
Data Dictionary
Data Routing
Definition Builder
BC / DR
CMDB / Service Cat.
Enterprise Policies
Outputs
Used by
Asks Scoring
output

10. © 2022 SPLUNK INC.
Utility Scripts
Before After
1. Download/clone
2. Runs locally
3. Output to
console or file
/
CI/CD
- Manage in a container
- Protect tokens/secrets
- Scan and run “local” repo
- Format / structured output
- Schedule or run on-demand
Data Routing
Policy/Decision

11. © 2022 SPLUNK INC.
Automation Observability
- Add observability to existing utility
scripts and pipelines
- Build custom modules and packages
- Front with a custom API relay

12. © 2022 SPLUNK INC.
Additional Common Patterns
Trending is required
Strict RBAC and Auditing
Tool consolidation efforts
Technology value realization & maturity deficits – Can Splunk do the
basics of a point-solution first?
Can existing Splunk infrastructure be utilized?

13. © 2022 SPLUNK INC.
Edge
Processor
Introduction and demonstration
Rob de Luna
Sr Sales Engineer

14. This presentation may contain forward-looking statements regarding future events, plans or the
expected financial performance of our company, including our expectations regarding our products,
technology, strategy, customers, markets, acquisitions and investments. These statements reflect
management’s current expectations, estimates and assumptions based on the information currently
available to us. These forward-looking statements are not guarantees of future performance and
involve significant risks, uncertainties and other factors that may cause our actual results,
performance or achievements to be materially different from results, performance or achievements
expressed or implied by the forward-looking statements contained in this presentation.
For additional information about factors that could cause actual results to differ materially from those
described in the forward-looking statements made in this presentation, please refer to our periodic
reports and other filings with the SEC, including the risk factors identified in our most recent quarterly
reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting
the Splunk Investor Relations website at www.investors.splunk.com or the SEC's website at
www.sec.gov. The forward-looking statements made in this presentation are made as of the time and
date of this presentation. If reviewed after the initial presentation, even if made available by us, on our
website or otherwise, it may not contain current or accurate information. We disclaim any obligation to
update or revise any forward-looking statement based on new information, future events or otherwise,
except as required by applicable law.
In addition, any information about our roadmap outlines our general product direction and is subject to
change at any time without notice. It is for informational purposes only and shall not be incorporated
into any contract or other commitment. We undertake no obligation either to develop the features or
functionalities described, in beta or in preview (used interchangeably), or to include any such feature
or functionality in a future release.
Splunk, Splunk> and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other
brand names, product names or trademarks belong to their respective owners. © 2022 Splunk Inc. All rights reserved.
Forward-
Looking
Statements
2.18.22-19:04

15. © 2022 SPLUNK INC.
Rob de Luna

16. © 2022 SPLUNK INC.
Filter, Mask, Transform, Route
Edge Processor is the latest innovation in data preprocessing with Splunk
Powerful and performant
edge processing using
Props and Transforms
New UI leveraging Props and
Transforms to author and
deploy ingest or edge
transformations and routing
Edge processing with new,
intuitive UI and SPL2-based
pipeline authoring to author,
deploy and manage
transformations and routing
Heavyweight
Forwarders
Ingest
Actions
Edge
Processor
`

17. © 2022 SPLUNK INC.
Introducing Edge Processor
Service offering delivered
through cloud control
plane, available on Splunk
Cloud Platform
Customer supplies hosts on which
edge processors are deployed, with
flexibility to scale
New pipeline authoring
experience - SPL2 -
delivers efficient, flexible
data transformation
Use cases include filter, mask, and
route to Splunk platform or S3
Customers enjoy real-time
visibility into and control
over their data in motion
Customers can derive more value
from and generate new insights into
their data
Simplified data processing within the customers’ network boundaries
How’s it work?
What’s this? So what?

18. © 2022 SPLUNK INC.
● Filter verbose or
low-value sources,
like DEBUG logs or
other noisy data
● Extract just the critical
data
● Mask PII
● Route different
“slices” of data to
desired destinations
Amazon S3
Forwarders
(UF or HWF)
`
`
`
`
Edge Processor
Filter & Mask
Route
Pre-process
Transform
Customer Environment
Splunk Cloud
Index
Splunk
Index
Control Plane
(on Splunk Cloud
Services)
What is Edge Processing?

19. © 2022 SPLUNK INC.
Splunk
Cloud
Platform
Customer Host Server
Customer Agents Customer Destinations
Edge Processor Overview
● Central pipeline
management
● Global visibility
`
Enterprise
Cloud
` `
Cloud Managed
((HTTPS out)
Audit logs
Processor logs
Pipeline metrics
Data
Edge Processor Service
UI
Pipelines Service
S3
Data
Edge Processor Node
User

20. © 2022 SPLUNK INC.
● Use SPL2 for data transformations like field extraction,
filtering, and masking
○ Act on entire events or parts of events
○ e.g. retain only a subset of fields within an event
● Supports Infrastructure as Code. All pipelines are just SPL2
● Splunk-provided SPL2 Templates and (future) Bundles
Everything is SPL2

21. © 2022 SPLUNK INC.
SPL2 Concepts
Dataset Variables - represent datasets of varying kinds from which data
can be read from, or written into.
$source and $destination are specific dataset variables overwritten with
an actual dataset passed as a param (such as s3_bucket_A) in a
pipeline.
This is an SPL2 statement, assigned to the dataset variable $pipeline.
Commands - actions that can be taken on data in an Edge Processor
pipeline; acted on sequentially, respecting pipes.
● SPL2 is built around the concept of Datasets. A dataset is anything that contains data which can be read from and/or written into.
● Each dataset may have a different Kind. Relevant Edge Processor Kinds:
○ Forwarder
○ Indexer
○ S3 buckets
● Datasets can be referenced literally in the SPL2, or passed as parameter to a variable.

22. © 2021 SPLUNK INC.
Edge Processor
Demo

23. © 2023 SPLUNK INC.
Leaders
● User leaders
needed!
Next meeting
● In person in
Portland
Wrap up
Topic ideas
● Drop
suggestions
or offers to
speak to the
#pnw
channel in
the UG slack
.conf23
● July 17-20
● Las Vegas

24. © 2022 SPLUNK INC.
Thank You