Anyone using splunk and willing to share useful searches

Nathan Ward lists+freeradius at daork.net
Wed Oct 21 00:09:34 CEST 2015


> On 21/10/2015, at 06:38, Walter Reynolds <waltr at umich.edu> wrote:
> 
> We use splunk here at the university and I am just starting to get into
> it.  Is there anyone out there that has some stuff set up and would be
> willing to share the searches and stuff you use?

I use splunk extensively, though not over detail files.

We write Auth, Acct start, and Acct stop to files with linelog, and ingest that. This way we limit the storage (and licensing!) requirements, and we make it easier to process without writing splunk filters and things. For our use case, interim updates are not valuable in Splunk.
We use transactions, starting with an acct stop and ending with an acct start, keyed on the username to see how long a user is down for. We have geocoding information available for all our users so can plot users who are offline on a map, etc. etc.

We also capture accounting on and accounting off and mix that in so we don’t have transactions open forever if a NAS blows up, etc. etc.

I wouldn’t use it for accounting, but it’s great for bulk analysis and generating alerts and so on.


Of course, splunk also looks at our radius.log and normal syslog stuff, though this isn’t anything special.

--
Nathan Ward
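The Stop-to-Start "transaction" Nathan describes, written out in Python as an added example (not code from the post or from FreeRADIUS) so the pairing logic is explicit. The linelog line format and the rule that an Accounting-Off from the same NAS closes any open outage are assumptions; the sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample of linelog output; the one-attribute-per-field layout is assumed.
SAMPLE_LINES = """\
2015-10-20T10:00:00 Acct-Status-Type=Start User-Name=alice NAS-IP-Address=192.0.2.1
2015-10-20T10:30:00 Acct-Status-Type=Stop User-Name=alice NAS-IP-Address=192.0.2.1
2015-10-20T10:35:00 Acct-Status-Type=Start User-Name=alice NAS-IP-Address=192.0.2.1
2015-10-20T11:00:00 Acct-Status-Type=Stop User-Name=bob NAS-IP-Address=192.0.2.2
2015-10-20T11:20:00 Acct-Status-Type=Accounting-Off User-Name= NAS-IP-Address=192.0.2.2
"""

LINE_RE = re.compile(
    r"^(\S+) Acct-Status-Type=(\S+) User-Name=(\S*) NAS-IP-Address=(\S+)$"
)


def parse(lines):
    """Yield (timestamp, Acct-Status-Type, User-Name, NAS-IP-Address) per line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def outage_transactions(lines):
    """Pair each Acct Stop with the next Acct Start for the same user, the way a
    Splunk transaction keyed on User-Name would, and return
    (closed, still_open). An Accounting-Off from the NAS that issued the Stop
    closes the outage too, so a NAS that dies does not leave it open forever
    (assumed behaviour, mirroring the post's reason for mixing Acct-Off in)."""
    still_open = {}  # user -> (time of Stop, NAS that sent it)
    closed = []      # (user, seconds offline, event that closed it)
    for ts, status, user, nas in parse(lines):
        if status == "Stop":
            still_open.setdefault(user, (ts, nas))  # keep the earliest Stop
        elif status == "Start" and user in still_open:
            since, _ = still_open.pop(user)
            closed.append((user, (ts - since).total_seconds(), "Start"))
        elif status == "Accounting-Off":
            for u in [u for u, (_, n) in still_open.items() if n == nas]:
                since, _ = still_open.pop(u)
                closed.append((u, (ts - since).total_seconds(), "Accounting-Off"))
    return closed, still_open


if __name__ == "__main__":
    for user, secs, closer in outage_transactions(SAMPLE_LINES)[0]:
        print(f"{user} offline {secs:.0f}s, closed by {closer}")
```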



