Windows events are a large part of the volume of logs ingested in a lot of splunk deployments. Wouldn't be cool if we could shrink them so they don't eat up so much precious precious license? In this post I'll walk through how I rebuilt Windows Event Logs (WELs) into a compact, Splunk-friendly format, cuting size by up to 60% without breaking field extractions. Key takeaways With a few targeted ingest actions and props/transforms tweaks, you can shrink Windows logs dramatical

The key thing I did not appreciate when I wrote the previous version of this post is that the Risk data model is now fed from...

Since RBA is all about aggregating security events that are related to the same entity, Assets & Identities normalisation is crucial to...

These 3 table-manipulating commands are occasionally very useful but they are also quite confusing. For years, I've relied on the...

On the 18th of September 2024 I gave a talk on this topic at the London Splunk User Group meetup. Ingest Actions are a simple feature of...

I have been nominated for a 2023 Splunkie Award and I am delighted to be a finalist for the Inventor Award! https://conf.splunk.com/the-s...

In this post we’re discussing an advanced way to dedup risk events in your risk alerts (RIRs) and at the same time have the RIR results...

Use this page as a quick way to find which areas of this website have value for you. My apps ES Choreographer : manage ES correlation...

This is the documentation for the Conf Manager app on splunkbase. This app allows you to search your knowledge objects and track their...

This for the most part isn't splunk-specific, but if you do any amount of administration on the linux command line, you might find it...

Assess your search workload with this simple dashboard. Here's a very quick dashboard to identify what uses your splunk platform...

This is the documentation for the ES-Choreographer app on splunkbase. This app offers various frameworks to help manage and improve...

This is the documentation for the GV-Utils app on splunkbase. This app offers various utilities to solve a number of problems in Splunk:...

Splunk’s “simple XML” dashboards are reasonably simple and straightforward to create, yet they are incredibly versatile and powerful. You...

I did a talk at Splunk .conf21 about how to maintain correlation searches: pdf / mp4 . If you’re looking for the source code for the...

I did a talk at Splunk .conf21 about how to maintain correlation searches: pdf / mp4 . One of the topics is Correlation Searches Best...

I did a talk at Splunk .conf21 about how to maintain correlation searches: pdf / mp4 . One of the topics is morning checks. Basically you...

I did a talk at Splunk .conf21 about how to maintain correlation searches: pdf / mp4 . One of the topics is having a simple peer review...

I did a talk at Splunk .conf21 about how to maintain correlation searches: pdf / mp4 . One of the topics is having a simple task...

There are a number of issues with Splunk’s simple XML forms submit button: you can't have more than one you can't move it you can't hide...