4 Splunk Stream Tricks of the Trade

Splunk Stream is a purpose-built wire data collection and analytics solution from Splunk. Splunk Stream can be one of the most robust products Splunk offers as a free addition to your Splunk Enterprise environment.

However, some of us know that Splunk Stream can be daunting to setup and utilize to its full potential. With that in mind, let’s jump into some tips and tricks of the trade for working with the Splunk Stream.

1. One Simple REST Call

• The Stream REST API is a powerful function, and one simple REST command can help you power through configuring Stream Forwarders. One of the most common errors that is seen when deploying a Stream Forwarder is “Unable to ping server.” At times it can become difficult in determining whether this issue lays within your configuration or a network configuration.
  • Utilizing the following curl command helps determine whether you have the correct App location: curl http://<stream_app_server>:8000/en-US/custom/splunk_app_stream/ping 
• Using this command before deploying the Stream Add-on, or Independent Stream Forwarder, can help determine if the Stream Forwarder can access the Stream App within your deployment.

2. Independent Stream Forwarder or Stream Add-on?

• Planning a new deployment, or the addition of a forwarder can spring the above question, should I install an ISF or the Stream TA on a Universal Forwarder? The answer to this can vary by environment and collection method. But as with any Splunker, I love my data!
  • Click here to access the Universal Forwarder and Stream TA.
  • Click here to access the Independent Stream Forwarder.
• From the above charts you can start to compare the performance benefits of the ISF. Although your environment may never reach the ingestion rate at which you start to see dropped events from the Universal Forwarder, it is a peace of mind knowing that your forwarder can handle considerable amounts of data

3. Hunting Down Suspicious Subdomains using URL Toolbox

• You can perform some simple Stream hunting just utilizing DNS data. With DNS data from Stream you can start to investigate suspicious DNS queries and subdomains from within your environment. You can empower your investigations by utilizing this URL Toolbox link.
• For example, if you perform a Splunk search for your stream:dns data, then after populating the query value you can pass the queries to the URL Toolbox. This allows you to filter out URLs that you know are not suspicious and ones that don’t have a Top Level Domain. You can take this a step further by utilizing the URL Toolbox to calculate entropy values of the subdomains, and sort to see the highest scores. (The higher the score, the more randomized the URL is) Taking these scores into account, you can start digging into specific IP investigation.

4. Splunk Stream on a Raspberry Pi

• Of course it can work! One Splunk engineer put the Independent Stream Forwarder to the test to see how light-weight it really is. The Raspberry Pi is a cheap and easy way to play around with the possibilities of Splunk Stream. You could even implement this at home environment to add even more capabilities to your own lab environment. In fact, here is a link to the Splunk forwarder for Linux ARM download, which is installed on the Raspberry Pi for Splunk forwarder capabilities.
• This is a great example of the power of a Stream Independent Forwarder. The Raspberry Pi in my home environment is currently running as a Pi Hole, but I am going to implement the Streamfwd to run some searches and create dashboards of the queries and how the Pi Hole handles them.

Need help with Splunk Stream? You can actually get access to Kinney Group’s deep bench of Splunk experts, on demand. Check out our Expertise on Demand for Splunk service offering for more information on our various packages and let us know how we can help unleash the power of Splunk.

About Kinney Group’s Splunk Practice:

The Kinney Group team has the deepest bench of Splunk expertise in North America. Our team provides a comprehensive Splunk customer experience across multiple disciplines including Splunk Enterprise, Splunk Enterprise Security (ES), IT Services Intelligence (ITSI), and custom use cases in the areas of compliance, IoT, and machine learning. Kinney Group highlights include:

• A Top Global Splunk Professional Services Practice
• Splunk Elite Partner
• Splunk Public Sector Services Partner of the Year
• Experience with 300+ projects delivered nationwide and overseas
• Application development expertise for the Splunk platform

Visit www.kinneygroup.com/contact-us or call us at (317) 721-0500.