Importing NetSuite data in Splunk

Splunk provides tools to create custom dashboards and visualizations. By visualizing NetSuite data in Splunk, stakeholders can get a clearer understanding of their operations and make data-driven decisions. Organizations also maintain compliance by tracking and analyzing changes and activities within NetSuite, so it makes sense to have that data available in Splunk in order to perform analysis and detection on it.

Filtering prometheus metrics based on a label combination in open-telemetry

Some platforms charge per ingested metric time series, so you may need to filter out metrics you're not actively using. For example, when metrics are scraped from Prometheus endpoints by the otel-collector and ingested into Splunk, you can exclude metrics that carry a particular label combination.

The solution involves using metric relabeling to drop the metrics. Metric relabeling is applied to samples as the last step before ingestion.

Drop DEBUG entries when indexing a log file in Splunk

Sometimes, due to licensing constraints and large volumes of events, you may need to resort to indexing only the relevant entries from a log file. Examples are cases where DEBUG mode has been enabled and cannot be turned off, or where you'd like to discard a repeated log entry from indexing.

Filtering can be achieved through an app on the indexer. Filtering works based on the sourcetype defined in inputs.conf on the universal forwarder.


Send Slack alerts when large AWS EC2 instances are launched

Once you begin collecting AWS data in Splunk using the Splunk Add-on for AWS, a lot of detection capabilities open up. We will cover the use case of detecting when large EC2 instances are launched, such as instance types 2xlarge, 4xlarge or 8xlarge, with or without GPU.

Due to their high CPU and memory specs, such instances are prime targets for bitcoin miners, and capturing the launch of such instances can indicate a compromised AWS access key.

Generate configuration files for Splunk Add-on for AWS using Ansible

The Splunk Add-on for AWS is an add-on supporting data collection from AWS services. At the time of writing, it can seamlessly collect AWS Config, AWS Config Rules, AWS CloudTrail, CloudWatch, CloudWatch Logs, AWS Inspector, Kinesis, S3 via SQS and billing data.

This article covers the method of collecting data using IAM roles. This involves setting up an IAM role for EC2, assigning it to the Splunk instance where the AWS Add-on is installed, and then configuring that role for the collection jobs.
