Geeking out on Splunk and IT Security

GABRIEL VASSEUR
What's new (ish)


Advent of code in SPL - 2025 day 4
Day 4 is here. Part 1: Let's start with the example data. For each position, we need to count the number of neighbours. That's fine for the left and right neighbours, but for the ones above and below we need the previous and next row. That means using streamstats with current=f! But now we need to use it twice. It kind of works, but you can see we have two problems: we have a useless record at the top (we can simply add | search row=*), and we're missing one at the bottom. All we need f


Shrink your windows event logs license costs with ingest actions!
Windows events are a large part of the volume of logs ingested in a lot of Splunk deployments. Wouldn't it be cool if we could shrink them so they don't eat up so much precious precious license? In this post I'll walk through how I rebuilt Windows Event Logs (WELs) into a compact, Splunk-friendly format, cutting size by up to 60% without breaking field extractions. Key takeaways: with a few targeted ingest actions and props/transforms tweaks, you can shrink Windows logs dramatical


ES8 findings, intermediate findings, etc. confusion!
The key thing I did not appreciate when I wrote the previous version of this post is that the Risk data model is now fed from...
My SplunkBase Apps


Conf Manager
This is the documentation for the Conf Manager app on splunkbase. This app allows you to search your knowledge objects and track their...


ES-Choreographer
This is the documentation for the ES-Choreographer app on splunkbase. This app offers various frameworks to help manage and improve...


GV-Utils
This is the documentation for the GV-Utils app on splunkbase. This app offers various utilities to solve a number of problems in Splunk:...
Articles




RBA: Aggregate user & system risks!
Since RBA is all about aggregating security events that are related to the same entity, Assets & Identities normalisation is crucial to...
Risk Based Alerting




RBA: a better way to dedup risk events
In this post we’re discussing an advanced way to dedup risk events in your risk alerts (RIRs) and at the same time have the RIR results...
TaTalks
Use Ingest Actions to shrink your ingest and make the most of your license!
On the 18th of September 2024 I gave a talk on this topic at the London Splunk User Group meetup. Ingest Actions are a simple feature of...


Maintaining your correlation searches with ES Choreographer
I did a talk at Splunk .conf21 about how to maintain correlation searches: pdf / mp4. If you're looking for the source code for the...


Change Tracking in Splunk
Are you tracking changes in your Splunk deployment? Most people don't, unless they can justify having a custom (heavy!) process using...
ABOUT ME
My name is Gabriel.
I'm French.
I'm based in England.
I've got a PhD in theoretical physics.
I've been in the IT security industry since 2006.
I've been working with the Splunk big data platform and their SIEM Enterprise Security since 2016.
I made this website so I could share some of my knowledge.