Setting Up a Splunk Testing Environment Using Terraform & GCP

Overview

Have you ever wished you had a fresh ephemeral Splunk instance that you could quickly spin up, run
some tests and then kill it, with maximum speed and minimum cloud costs?

I was working on a customer engagement recently that required me to test a custom developed
Splunk app on a large list of Splunk Universal Forwarder versions and OS distributions (75 distinct host
types in total) that if spun up manually on a cloud provider, would take a long time to set up and tear
down, would be subject to potentially costly “fat-fingering” user errors and would be costly if left up
longer than necessary.

Enter Hashi Terraform to the rescue. The industry-leading infrastructure-as-code tool makes the
standup, setup and teardown of cloud compute nodes simple, speedy and repeatable so that an
environment can be built, a complete set of tests can be run, results received and the test nodes
destroyed in minutes rather than hours.

In this whitepaper, I show how I set up my computer and built the Search Head and Deployment
server, as well as how I set up the many Splunk Universal Forwarders to satisfy the test plan.

Download Whitepaper

Get access to this exciting whitepaper now, by completing the form below.


Looking to expedite your success with Terraform? Click here for more information about our Terraform Professional Service offerings, including:

  • Terraform Implementation
  • Infrastructure Migration using Terraform
  • Implementing Zero Trust Architectures
  • Terraform Operational Assessment

Enhancing Security Operations: The Native Integration of Splunk ES and SOAR

Integrating Splunk Enterprise Security (ES) with Splunk Security Orchestration, Automation and Response (SOAR) can significantly enhance your organization’s security operations. By automating alert handling and response processes, this integration streamlines security incident management and enables faster, more effective threat mitigation. Splunk SOAR empowers security teams to automate actions based on Splunk ES detections using assigned playbooks, enabling seamless incident resolution.

Read more
learn Cribl Stream

Cribl Stream: Things I wish I knew before diving in

If you are like me when I started with Cribl, you will have plenty of Splunk knowledge but little to no Cribl experience. I had yet to take the training, had no JavaScript experience, and only had a basic understanding of Cribl, but I didn’t let that stop me and just dove in. Then I immediately struggled because of my lack of knowledge and spent countless hours Googling and asking questions. This post will list the information I wish I had possessed then, and hopefully make your first Cribl experience easier than mine.

Cribl Quick Reference Guide

If I could only have one item on my wish list, it would be to be aware of the Cribl Quick Reference Guide. This guide details basic stream concepts, performance tips, and built-in and commonly used functions.

Creating that first ingestion, I experienced many “how do I do this” moments and searched for hours for the answers, such as “How do I create a filter expression?” Generally, filters are JavaScript expressions essential to event breakers, routes, and pipelines. I was lost unless the filter was as simple as 'field' == 'value.' I didn’t know how to configure a filter to evaluate “starts with,” “ends with,” or “contains.” This knowledge was available in the Cribl Quick Reference Guide in the “Useful JS methods” section, which documents the most popular string, number and text Javascript methods.

Common Javascript Operators

OperatorDescription
&&Logical and
||Logical or
!Logical not
==Equal – both values are equal – can be different types.
===Strict equal – both values are equal and of the same type.
!=Returns true if the operands are not equal.
Strict not equal (!==)Returns true if the operands are of the same type but not equal or are of different kinds.
Greater than (>)Returns true if the left operand is greater than the right operand.
Greater than or equal (>=)Returns true if the left operand is greater than or equal to the right operand.
Less than (<)Returns true if the left operand is less than the right operand.
Less than or equal (<=)Returns true if the left operand is less than or equal to the right operand.

Regex

Cribl uses a different flavour of Regex. Cribl uses ECMAScript, while Splunk uses PCRE2. These are similar, but there are differences. Before I understood this, I spent many hours frustrated that my Regex code would work in Regex101 but fail in my pipeline.  

Strptime

It’s almost identical to the version that Splunk uses, but there are a few differences. Most of my problems were when dealing with milliseconds. Cribl uses %L, while Splunk uses %3Q or %3N.   Consult D3JS.org for more details on the strptime formatters.

JSON.parse(_raw)

When the parser function in a pipeline does not parse your JSON event, it may be because the JSON event is a string and not an object. Use an eval function with the Name as _raw and the Value Expression set to JSON.parse(_raw), which will convert the JSON to an object. A side benefit of JSON.parse(_raw) is that it will shrink the event’s size, so I generally include it in all my JSON pipelines.

JSON parse example

Internal Fields

All Cribl source events include internal fields, which start with a double underscore and contain information Cribl maintains about the event. Cribl does not include internal fields when routing an event to a destination. For this reason, internal fields are ideal for temporary fields since you do not have to exclude them from the serialization of _raw. To show internal fields, click the … (Advanced Settings) menu in the Capture window and toggle Show Internal Fields to “On” to see all fields.

Cribl source internal fields

Event Breaker Filters for REST Collector or Amazon S3  

Frequently, expressions such as “sourcetype=='aws:cloudwatchlogs:vpcflow‘” are used in an Event breaker filter, but sourcetype cannot be used in an Event Breaker for a REST Collector or an Amazon S3 Source. This is because this sourcetype field is set using the input’s Fields/Metadata section, and the Event Breaker is processed before the Field/Metadata section. 

For a REST collector, use “__collectible.collectorId=='<rest collector id>'” internal field in your field expression, which the REST collector creates on execution. 

Amazon S3 source

For further information, refer to the Cribl Docs – Event Processing Order.

Dropping Null fields

One of Cribl Stream’s most valuable functions is the ability to effortlessly drop fields that contain null values. Within the parser function, you can populate the “Fields Filter Expression” with expressions like value !== null.

Some example expressions are:

ExpressionMeaning
value !== nullDrop any null field
value !== null || value==’N/A’Drop any field that is null or contains ‘N/A’
dropping null fields

Once I obtained these knowledge nuggets,  my Cribl Stream was more efficient.  Hopefully, my pain will be your gain when you start your Cribl Stream journey.


Looking to expedite your success with Splunk and Cribl? Click here to view our Professional Service offerings.

© Discovered Intelligence Inc., 2024. Unauthorized use and/or duplication of this material without express and written permission from this site’s owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Discovered Intelligence, with appropriate and specific direction (i.e. a linked URL) to this original content.

4 Enhancements to Elevate Your Splunk Platform

Still winding down from the incredible experience at .conf24, where we delved into the latest market trends, we’ve uncovered several fascinating enhancements for the Splunk platform. These improvements not only elevate the performance and efficiency of Splunk but also offer exciting features that will be available in future releases. Join us as we explore four powerful upgrades that can be used in your Splunk environment.

Read more

Learning Splunk with the new ‘Getting Started with Splunk’ Video Series

Looking to enhance your understanding of Splunk in a fun and concise way?

Help Getting Started with Splunk

Splunk is a great data intelligence platform when used effectively. With a full understanding of Splunk’s functionality and capabilities, it should totally consume you with it’s awesomeness and you will find yourself preaching its benefits to your entire company! Our customers are always asking for recommendations on how to better grasp the fundamentals of the platform and the following article should provide this guidance. Read more

Dynamically Validate Splunk XML Dashboard Inputs

Ever felt a need to restrict Splunk searches on your XML dashboards based on a certain criterion? While the input types such as a dropdown or multiselect provide a controlled means of presenting a list of values to choose from, often the use of a text input is necessary to allow the user to manually enter a series of characters. For example, entering a specific src and/or a dest IP address to review communication from and/or to the IP address over a period.

Read more

Building a Unified View: Integrating Google Cloud Platform Events with Splunk

By: Carlos Moreno Buitrago and Anoop Ramachandran

In this blog we will talk about the processes and the options we have to collect the GCP events and we will see how to collect those in Splunk. In addition, we will even add integration with Cribl, as an optional step, in order to facilitate and optimize the process of information ingestion. After synthesizing all of this great information, you will have a great understanding of the available options to take, depending on the conditions of the project or team in which you work.

Read more

Discover the Power of SendResults: A Life-Changing Splunk Command and Alert Action

Are you tired of hardcoding email addresses into your searches and alerts? Do you want a more dynamic way to send search results to individuals based on the data within your search results? Look no further than SendResults, a powerful Splunk command and alert action developed by Discovered Intelligence.

Read more

ChatGPT and SPL: A Dynamic Duo for Learning Splunk’s Query Language

If you haven’t heard of ChatGPT yet, you likely have blocked notifications on social networks like Linkedin, Twitter or Reddit, as everyone is talking about the benefits (and concerns) of artificial intelligence. However, it’s ChatGPT who gets the lion’s share of the limelight in this story.

Read more