Splunk User Group London
Daniel Hernandez
Dealing with delayed events
Agenda
1. Housekeeping rules & Introductions
2. Time extraction and parsing in Splunk
3. Monitoring delayed events
4. Impact on Splunk workflow
5. Potential risks deriving from delayed events
Housekeeping
Feel free to stand up and grab a refill. Splunk brought us here, pizza keeps us here.
Ask away! You’re not interrupting unless you’re asking where the exit is.
Join the community, connect, share. Reach out if you’d like to contribute.
Introduction – Daniel Hernandez
• Background in Networks and Security.
• Splunk SCC1, working with ECS for about a year and a half in Security.
• Currently leveraging Splunk for a SIEM replacement project in the banking sector.
Time extraction and parsing in Splunk
“Time is what keeps everything from happening at once”
1. Timezones: Time values from different locations may differ – a lot.
2. Realtime/Batch processing: Sometimes logs are collected in hourly/daily chunks.
3. Correlation Searches (Rules) and forensic investigations rely on the Extracted Time.
_time: Log generation time, extracted from the log itself (Extracted Time).
_indextime: Event indexing time, generated by an Indexer (Index Time).
First things first!
First of all >
1. Make sure the _time field is extracted correctly!
2. You don’t want to use Splunk to report on internal network metrics.
3. Time extraction should be transparent for dashboards, alerts, and reports.
Second of all >
Check your clock skew to monitor any potential delays within the Splunk infrastructure.
Monitoring delayed events
Monitoring clock skew >
Code openly available in GitHub.
Based on SimpleXML and tstats.
Uses moving average (delay) to display clock skew violations.
Symptoms
Events collected from a forwarder or from a log file are not yet searchable on Splunk.
Even though the time stamps of the events are within the search time range, a search does not return the events.
Later, a search over the same time range returns the events.
Narrowing down the issue:
source=mysource
| eval delay_sec=_indextime-_time
| timechart min(delay_sec) avg(delay_sec) max(delay_sec) by host
source=mysource
| eval delay_sec=_indextime-_time
| timechart min(delay_sec) avg(delay_sec) max(delay_sec) by source
Determine the common denominator between them. For example, all of the delayed events might be from the same log file or the same host or source type.
Also, compare the delay from your events with the delay from the internal Splunk logs.
index=_internal source=*splunkd.log*
| eval delay_sec=_indextime-_time
| timechart min(delay_sec) avg(delay_sec) max(delay_sec) by host
Finding the root cause
If some sources are delayed but not others, this indicates a problem with the input:
• Thruput limits
• Network limits
• Time zone issue
• Windows event logs delay
If all the logs are delayed, including the internal logs, then the delay is a forwarding issue.
Data Pipeline
At a very high level:
• Parsing Queue/Pipeline: Responsible for source typing, line breaking, time stamping, event boundaries, regex.
• Indexing Queue/Pipeline: Event segmentation and indexing, index building.
Splunk Admin 101: There’s a lot that can go wrong. You’ll find A LOT of creative ways to trash your data pipeline in a shared environment.
Avoid (trouble)shooting yourself in the foot >
Make sure your Management Console is set up appropriately!
You want to keep a close eye on your queues, and spot any potential bottlenecks.
What will go wrong?
Congratulations, you’ve found severe delays in your Splunk infrastructure.
What can you expect?
Inconsistent dashboards. Inconsistent reports. And different results each time they’re run.
You know that saved searches can’t be re-run. So your funky real-time correlation searches are going to miss events.
What can you do?
• Focus on _indextime when writing real-time correlation searches:
index=funky_index _index_earliest=-1h@h _index_latest=now()
| <my_funky_correlation_search>
• The scheduled saved search will capture events as they’re indexed.
• Events will appear delayed but they won’t be missed by the alert.
• Chase other teams to get it fixed ASAP! Team-work brings it home.
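As an added example (not the speaker’s code and not anything shipped with Splunk), the Python below models both checks from the slides on a constructed set of events: the delay_sec breakdown by host and source from the "Narrowing down the issue" searches, and the difference between a scheduled search windowed on _time and one windowed on _indextime as in the _index_earliest/_index_latest pattern above. The event data, the hour-late host db01 and every function name are constructed for illustration.

```python
"""Delay checks from the slides, modelled in Python (added example, not the speaker's or Splunk's code).

Each event carries _time (extracted from the log) and _indextime (assigned by the
indexer); delay_sec = _indextime - _time, exactly as in the SPL on the slides.
"""
from statistics import mean

# Constructed sample events (epoch seconds). Host db01 ships its logs about an hour late.
T = 1_700_000_000
EVENTS = [
    {"host": "web01", "source": "/var/log/app.log",     "_time": T + 10, "_indextime": T + 12},
    {"host": "web01", "source": "/var/log/app.log",     "_time": T + 20, "_indextime": T + 23},
    {"host": "db01",  "source": "/var/log/app.log",     "_time": T + 15, "_indextime": T + 3615},
    {"host": "db01",  "source": "WinEventLog:Security", "_time": T + 30, "_indextime": T + 3640},
    {"host": "db01",  "source": "WinEventLog:Security", "_time": T + 40, "_indextime": T + 3700},
]


def delay_stats(events, by):
    """Equivalent of `eval delay_sec=_indextime-_time | stats min avg max by <by>`.

    Returns {group: (min, avg, max)} so the common denominator of the delayed
    events (host, source, sourcetype) can be spotted.
    """
    groups = {}
    for e in events:
        groups.setdefault(e[by], []).append(e["_indextime"] - e["_time"])
    return {k: (min(v), mean(v), max(v)) for k, v in groups.items()}


def delayed_groups(events, by, threshold_sec):
    """Groups whose average delay exceeds the threshold (a simple clock-skew violation check)."""
    return sorted(g for g, (lo, avg, hi) in delay_stats(events, by).items() if avg > threshold_sec)


def search_by_time(events, earliest, latest, now):
    """Scheduled search windowed on _time, run at `now`: only events already indexed are visible."""
    return [e for e in events if earliest <= e["_time"] < latest and e["_indextime"] <= now]


def missed_by_time_window(events, earliest, latest, now):
    """Events inside the _time window that the search run at `now` cannot return yet."""
    return [e for e in events if earliest <= e["_time"] < latest and e["_indextime"] > now]


def search_by_indextime(events, index_earliest, index_latest):
    """Search windowed on _indextime: the _index_earliest/_index_latest pattern from the slides."""
    return [e for e in events if index_earliest <= e["_indextime"] < index_latest]


if __name__ == "__main__":
    for field in ("host", "source"):
        print(f"delay_sec by {field}:", delay_stats(EVENTS, field))
    print("hosts over 5 min average delay:", delayed_groups(EVENTS, "host", 300))
    # One-minute _time window run at T+60: the db01 events are not indexed yet and are missed.
    print("by _time @T+60:", len(search_by_time(EVENTS, T, T + 60, now=T + 60)), "returned,",
          len(missed_by_time_window(EVENTS, T, T + 60, now=T + 60)), "missed")
    # Hourly _index_earliest=-1h@h window run at T+2h picks up the late db01 events.
    print("by _indextime [T+1h, T+2h):", len(search_by_indextime(EVENTS, T + 3600, T + 7200)), "returned")
```

The _time-windowed search never revisits the minute it already covered, so the three late events are lost to that alert; the _indextime-windowed schedule returns them in the hour they actually arrived.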
What does this mean in a SIEM?
Question time: fire away!