Splunk Apps

Splunk Security Essentials

Detect insiders and advanced attackers in your environment with the free Splunk Security Essentials app. This app uses Splunk Enterprise and the power of our Search Processing Language (SPL) to showcase 55+ working examples of anomaly detection related to entity behavior analysis (UEBA). Each use case includes sample data and actionable searches that can immediately be put to use in your environment.

The use cases leverage analytics to give analysts the ability to detect unusual activities, such as users who print more pages than usual (spike detection) or log on to new servers (first-seen behavior), to see when adversaries change file names to evade detection, and more. Each use case includes the expected alert volume, an explanation of how the search works, and a description of the security impact. You can save searches directly from the app to leverage any alert actions you have installed, such as creating a Notable Event or Risk Indicator in ES, an External Alarm in UBA, or sending email for review.

Search Activity

Search Activity helps Splunk champions monitor users, grow usage, and understand personas. It provides metrics on use, organizational information, and adoption. Install it and answer all manner of Splunk questions, such as:

  • "Who are my top users?”
  • “Who is running realtime searches?”
  • “How complete is my users' grasp of the search language?”
  • “How many errors do they receive?”
  • “How long does it take them to run a search, and over what timeframe?”
  • “Who is exporting or sharing search results?”

To provide answers, this app features an accelerated data store, 75+ reports, dashboards, alerting capabilities and more. It is run in hundreds of Splunk installations both massive (tens of terabytes) and small (gigabytes).

Upleveling SPL

This app is built to help people learn new search techniques, with real data and fun examples. So far in the app, there are examples for:

  • Sorting Arbitrarily
  • Stats - Values vs List vs First and more
  • Creating Your Own Table with xyseries
  • Creating Time Buckets with Eval
  • Subsearching Your Transactions to Performance
  • Returning Results When You Have No Events
  • Formatting and Math on Arbitrary Column Names


Newsletters are a great technique for motivating your users, informing them about the latest and greatest, and more! This app helps you automate the process of creating a Newsletter for the latest and greatest in Splunk.

The app contains scripts that pull from the official Splunk events, blogs, and answers sites and allow you to highlight items that are interesting to your users. Finally, you can either send the newsletter via Splunk, or just copy and paste it into your email client to send out manually.

Security Ninjutsu

This is the companion app to the Security Ninjutsu (Ninjitsu) presentation at .conf 2015, containing the searches from the presentation (currently: most; soon: all).

Threat Activity Drilldown for ES

This add-on adds workflow actions to ES Notable Events and ES Threat Activity events so that an analyst looking at either can drill down from a threat activity indicator to the underlying raw events.

Search Log Processing

For comparing indexer performance, understanding operators, or analyzing log levels (INFO through CRIT), you have to leverage search.log. Indexing it isn't scalable, though. Every five minutes, this app launches a scripted input that reviews the local dispatch directory for any search.log files and parses the details out into a JSON blob that is written to index=_internal.

Details so far:

  • Per Search Peer: # of Results
  • Per Search Peer: Amount of time reported
  • Time to set up search peers
  • Count by log level of the search (e.g., INFO / WARN / ERROR / FATAL)
  • Count by log operator of the search (e.g., “SearchOperator:kv” vs LMConfig)
  • Time taken per operation (e.g., how many slow operations were there, how many fast ones — this can help identify particularly expensive regex / eval, etc.)
  • SearchID
  • Time Run

Overall, this should provide trending information and, specifically, make it possible to detect an indexer that is slower than the rest.