Day 8 is here . Part 1 So the first challenge is to enumerate all possible pairs. Let's play with very simple data to start with: I guess eventstats is a good way to bring all of the events into each of the events: Now we just have to mvexpand item2. But there are a couple of problems: we can't have pairs made of twice the same event, that's not possible. the order doesn't matter in pairs, so we need to dedup them somehow. Cool, so now we know how to enumerate pairs. Let's ap

Day 7 is here . Part 1 - visual solution One thing I've learned about myself with these challenges, is that I always want to make the solution as splunky as possible. For me that means starting with a stream of events, i.e. treating the challenge data as one event per line, and pretending they are indexed events in splunk. That's also why I wanted to use timed lookups in day 5. Of course, that kind of approach is not always ideal for this type of programming challenges, and i

Day 6 is here . As always we save the challenge data as a csv file, add a column header (just one column called "math"), and upload it to splunk: Part 1 Cephalopod math is organised in columns, which is going against of the grain in splunk. So a good first step would be to transpose it. Before we can do that, we need to give a name to each field: Then we can use the transpose command: Then we need to split each field on spaces: Note: sadly split does not take a regular expres

Note: I brought up these challenges to the puzzle channel on the Splunk Community slack a few weeks ago, and I'm delighted to see that ITWhisperer has now started his own series about it! His day 1 is here . I encourage you to check out his solutions as it's great to see different ways of thinking! Day 5 is here . For this one, my thoughts went to lookups. The idea would be to create a lookup of fresh ingredients. Then for each ingredient all we have to do is check if it's i

Day 4 is here . Part 1 Let's start with the example data: For each position, we need to count the number of neighbours. That's ok for left and right neighbours, but for the ones above and below, we need the previous and next row. That means using streamstats with current=f! But we need to use it twice now: It kind of works, but you can see we have two problems: we have a useless record at the top. We can simply add | search row=* we're missing one at the bottom. All we need f

Day 3 is here . Part 1   This one isn't too difficult. Given a series of digits such as 818181911112111, we need to pick two digits (conserving the order) to make the highest 2-digit number possible, so in this example 92. The first digit is obviously the most important, so we always want the highest one available, but we need to reserve at least one digit at the end of the bank for the second digit.   So take the bank, remove the last digit, and find the highest digit: Now f

(Edited to use mvrange) Day 2 of the 2025 advent of code challenges is here: https://adventofcode.com/2025/day/2 You won't be able to do it if you haven't done day 1 first . We can break down this challenge in several steps: given a range (e.g. 11-22), enumerate all the IDs within the range (e.g. 11,12,13,...,22) given a number, assess whether it's made of 2 repeated halves somehow do this for all the ranges all together to get the solution Step 1 For this challenge, we'll s

Advent of code is a series of Christmas-themed programming challenges that's been running for more than 10 years now. While SPL is not exactly a fully-fledged programming language, I had heard in the past of at least one person (thank you Paul Dean for the idea!) attempting to do the challenges in SPL and this year I thought I would give it a go. I know it's more than a month too late, but this is the first of a series of articles tackling 2025's challenges in SPL. We won't

Windows events are a large part of the volume of logs ingested in a lot of splunk deployments. Wouldn't be cool if we could shrink them so they don't eat up so much precious precious license? In this post I'll walk through how I rebuilt Windows Event Logs (WELs) into a compact, Splunk-friendly format, cuting size by up to 60% without breaking field extractions. Key takeaways With a few targeted ingest actions and props/transforms tweaks, you can shrink Windows logs dramatical

The key thing I did not appreciate when I wrote the previous version of this post is that the Risk data model is now fed from...

Since RBA is all about aggregating security events that are related to the same entity, Assets & Identities normalisation is crucial to...

These 3 table-manipulating commands are occasionally very useful but they are also quite confusing. For years, I've relied on the...

On the 18th of September 2024 I gave a talk on this topic at the London Splunk User Group meetup. Ingest Actions are a simple feature of...

I have been nominated for a 2023 Splunkie Award and I am delighted to be a finalist for the Inventor Award! https://conf.splunk.com/the-s...

In this post we’re discussing an advanced way to dedup risk events in your risk alerts (RIRs) and at the same time have the RIR results...

Use this page as a quick way to find which areas of this website have value for you. My apps ES Choreographer : manage ES correlation...

This is the documentation for the Conf Manager app on splunkbase. This app allows you to search your knowledge objects and track their...

This for the most part isn't splunk-specific, but if you do any amount of administration on the linux command line, you might find it...

Assess your search workload with this simple dashboard. Here's a very quick dashboard to identify what uses your splunk platform...

This is the documentation for the ES-Choreographer app on splunkbase. This app offers various frameworks to help manage and improve...