splunk_apps
splunk developer site
create Splunk App
- Quick Start Tutorial for the Splunk Developer Program for Splunk Enterprise
- Quick Start tutorial: Create Your First App
- Share Your Splunk Apps, Templates, Plugins
- Develop Splunk apps for Splunk Cloud or Splunk Enterprise ** important
Splunkbase
- Splunkbase for the hundreds of apps and add-ons
Splunk app & add-on
- Lifecycle of a Splunk app for Splunk Cloud or Splunk Enterprise
- Quick Start Tutorial for the Splunk Developer Program for Splunk Enterprise ** must read
- Tutorial: Create a Custom Splunk View Tutorial for the Splunk Developer Program for Splunk Enterprise * tutorial on custom visualizations
- Apps and add-ons
- Developing Views and Apps for Splunk Web (official documentation)
- Explains what a Splunk app and a Splunk add-on are
- What is a Splunk app?
- What is a Splunk add-on?
Splunk AppInspect
- Validate quality of apps or add-ons for Splunk Cloud or Splunk Enterprise with Splunk AppInspect
- Install Splunk AppInspect
- When installing on a Mac, some dev libraries turn out to be missing; the required libraries are listed below
$ export CPATH=$(xcrun --show-sdk-path)/usr/include   # point the C preprocessor at the macOS SDK headers
$ brew install libjpeg
$ brew install libmagic
- Use the Splunk AppInspect CLI tool
Splunk Develop
- Splunk Developer Program
- Splunk dev official site
- App deployment overview
Syslog related
- Best Practice For Configuring Syslog Input
- Splunk Success with Syslog
- Trend Micro Deep Security for Splunk * worth looking at as a reference
- Splunk for Deep Security - github page
Pack a Splunk App using the Packaging Toolkit
App Design Patterns
Splunk Syntax Highlight
- yorokobi/vim-splunk - Syntax highlighting for Splunk .conf files
More advanced material on Splunk apps
- Quick Start Tutorial for the Splunk Developer Program for Splunk Enterprise; after reading this, go on to read the following articles
- Use macros to avoid index dependency
- Searches power dashboards and forms in the Dashboards and Visualizations manual.
- Use drilldown for dashboard interactivity in the Dashboards and Visualizations manual.
- Visualization reference in the Dashboards and Visualizations manual.
How to restart Splunk Enterprise and refresh the Splunk Web UI
- Restart Splunk Enterprise:
- In Splunk Web, click Settings, then Server Controls, then Restart Splunk.
- When you log back in, navigate to your app. The navigation will be updated and your dashboard will be open by default.
- Force a refresh of Splunk Web UI:
- Navigate to http://localhost:8000/en-US/_bump, click Bump version to flush the client cache. If you make changes to client-side JavaScript, CSS, or static resources, this command forces those assets to be updated.
- Navigate to http://localhost:8000/en-US/debug/refresh, click Refresh to refresh almost all Splunk Enterprise knowledge objects. To refresh only views, navigation, or saved searches, you could append ?entity=data/ui/views, ?entity=data/ui/nav, or ?entity=saved/searches to the end of the URL.
- Understand asset caching and state changes in Splunk Enterprise
About Splunk conf files
- Configuration file structure
- Get started with Search; in Splunk, presumably every report/chart is executed through a search
- app.conf
Run using docker
- Deploy and run Splunk Enterprise inside a Docker container
docker run -d -p 8000:8000 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='<password>' splunk/splunk:latest
- docker-splunk github.io
parsing CEF format
Call to an external RESTful API
- Webtools Add-on
- source code - https://github.com/bentleymi/ta-webtools/
Document
Related conferences
Programs that auto-generate events
App install & configuration documents for reference
How to delete index data
Reference Link
- Module 1
- Module 3
- Module 4
- Module 5
- Module 10
- Module 11
- Module 12
- Module 13
Reference Term
- SIEM (Security Information and Event Management): security event management platform solution