It’s Finally Here! Splunk Data Stream Processor

Splunk Data Stream Processor is finally here! The long-awaited Splunk Data Stream Processor is no longer in beta and is now released for public consumption. We’ve been anticipating the DSP service for quite some time. Who hasn’t been craving the real-time data processing and insights that DSP provides?

The Splunk Data Stream Processor (DSP) is a data stream processing service that manipulates data in real-time and shoots that data over to your preferred platform. DSP provides the ability to continuously collect high-velocity, high-volume data from diverse data sources, and distribute it to multiple destinations in milliseconds.

What’s the buzz about Splunk DSP?

Stream processing is the processing of data in motion: it is designed to analyze and compute on data the instant it is received, continuously. Most data sources are born as continuous streams, so processing them that way gives your analysts near-real-time insight into events.

This is different from the “standard” data processing called batch processing. Batch processing collects the data (in batches) and then processes that data. The benefit to Stream processing is that you will have immediate insight into your critical events and can act on notable events more quickly.

How can I use Splunk DSP?

Use Case #1: Data Filtering/Noise Removal

With DSP, you can… filter noisy or non-useful logs and route them to a destination of your choice. In this use case you route these logs to a separate syslog or storage solution for aggregation outside of Splunk, so they do not count against your Splunk license and do not fill your indexes with unwanted data.

Use Case #2: Data Routing

With DSP, you can… deliver high-velocity, high-volume data to multiple destinations. In this use case you send your data to Splunk, containers, S3, syslog aggregators and more at a rapid pace. The data is split and sent to multiple destinations at the source, without first having to index it into Splunk and then send it onward, which allows for a more efficient data flow.

Use Case #3: Data Formatting

With DSP, you can… format your data using provided functions based on your configured conditions. This is a fairly straightforward use case allowing you to format your events to make your raw logs human-readable and informative without having to first index the data into Splunk. This can be combined with any of the use cases in this list to achieve maximum value with DSP.  

Use Case #4: Data Aggregation

With DSP, you can… aggregate data based on configured conditions and identify abnormal patterns in your data. You can pre-configure rules or conditions that send data to different aggregation points depending on which rule the patterns in the data match. If you have a data source with a mixture of different kinds of logs, you can pick up all the logs and forward each kind to a different destination with ease.
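To make the four use cases concrete, here is a small in-memory pipeline that applies them in order to a handful of constructed key=value events: it formats each raw line into fields, drops DEBUG chatter into an archive destination, routes the rest by sourcetype, and aggregates failed logins per host and user, alerting when a burst crosses a threshold. This is an added illustration written for this post, not DSP code and not the DSP pipeline API (DSP pipelines are built in its own UI); the sample events, the routing table, the `FAILURE_THRESHOLD` value and the destination names are all assumptions.

```python
"""Toy stream pipeline showing filter, route, format and aggregate stages.
Added example for illustration; not Splunk DSP code."""
import re
from collections import Counter, defaultdict

# Constructed sample events as (sourcetype, raw line). Not real data.
SAMPLE_EVENTS = [
    ("app:debug", "2020-04-01T10:00:01Z host=web01 level=DEBUG msg=cache_miss"),
    ("linux:auth", "2020-04-01T10:00:02Z host=web01 user=alice action=login status=success"),
    ("linux:auth", "2020-04-01T10:00:03Z host=web01 user=bob action=login status=failure"),
    ("linux:auth", "2020-04-01T10:00:04Z host=web01 user=bob action=login status=failure"),
    ("linux:auth", "2020-04-01T10:00:05Z host=web01 user=bob action=login status=failure"),
    ("app:debug", "2020-04-01T10:00:06Z host=web02 level=DEBUG msg=gc_pause"),
    ("fw:traffic", "2020-04-01T10:00:07Z host=fw01 src=10.0.0.5 dst=8.8.8.8 action=allow"),
]

KV_RE = re.compile(r"(\w+)=(\S+)")

# Assumed routing table: sourcetype -> destination name.
ROUTES = {"linux:auth": "splunk", "fw:traffic": "s3"}
DEFAULT_DESTINATION = "splunk"
NOISE_DESTINATION = "syslog-archive"
FAILURE_THRESHOLD = 3  # assumed: alert on the third failed login per (host, user)


def format_event(sourcetype, raw):
    """Use case 3 (formatting): turn a raw key=value line into a field dict."""
    timestamp, _, rest = raw.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["_time"] = timestamp
    fields["sourcetype"] = sourcetype
    return fields


def is_noise(event):
    """Use case 1 (filtering): DEBUG-level chatter should not reach the index."""
    return event.get("level") == "DEBUG"


def route(event):
    """Use case 2 (routing): pick a destination from the sourcetype."""
    return ROUTES.get(event["sourcetype"], DEFAULT_DESTINATION)


def run_pipeline(events):
    """Run every stage over the stream.

    Returns (destinations, alerts): events grouped by destination, plus
    alert strings produced by the aggregation stage (use case 4).
    """
    destinations = defaultdict(list)
    failures = Counter()
    alerts = []
    for sourcetype, raw in events:
        event = format_event(sourcetype, raw)
        if is_noise(event):
            # Noise still goes somewhere cheap, just not into Splunk.
            destinations[NOISE_DESTINATION].append(event)
            continue
        destinations[route(event)].append(event)
        # Use case 4 (aggregation): count failed logins per (host, user)
        # and raise one alert the moment the threshold is reached.
        if event.get("action") == "login" and event.get("status") == "failure":
            key = (event["host"], event["user"])
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:
                alerts.append(f"{failures[key]} failed logins for {key[1]} on {key[0]}")
    return dict(destinations), alerts


if __name__ == "__main__":
    dests, found = run_pipeline(SAMPLE_EVENTS)
    for name, batch in dests.items():
        print(f"{name}: {len(batch)} event(s)")
    for line in found:
        print("ALERT:", line)
```

The order of the stages matters: formatting runs first so that filtering, routing and aggregation all operate on parsed fields rather than on raw strings, and the noise filter runs before routing so that dropped events never count toward the aggregation.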

What do I need with DSP?

First, check which data sources are supported by Splunk DSP. The data sources supported by the current version are listed below; more data sources will be added in future releases.

Figure 1 - Splunk DSP supported data sources

Here are the system requirements for Splunk DSP; more details on them are below.

Figure 2 - Splunk DSP system requirements

We’ve been more than excited for the release of this data stream processing service… we hope you are too. If you’re interested in learning more about the Splunk Data Stream Processor, fill out the form below.

Lean on Splunk for your Remote Work Insights

In Security Tips for Work From Home (WFH) Life, we explored guidelines on how to set up your work-from-home environment efficiently and safely. Each individual colleague has the responsibility to maintain a secure remote-work environment. Looking past the individual worker, companies are now tasked with providing a remote-work environment in which their colleagues stay productive and secure. How can organizations get these critical insights? Let’s jump into Splunk and see how your company can monitor the safety and performance of its remote workforce.

Splunk Remote Work Insights (RWI)

In light of COVID-19, Splunk has released the Remote Work Insights (RWI) Application. This free-to-download application contains reports and dashboards that provide insight into the critical applications your organization is using to keep the business running. Along with application management, the RWI solution gives immediate insight into business performance and network security. As we get through this pandemic and beyond, the Splunk Remote Work Insights solution will help your business monitor the success and safety of its remote workforce.

This Splunk application can be added to Splunk to increase your security posture and provide critical insight into how your applications are being used, who is using them, and from what locations.

Figure 1 - Splunk Remote Work Executive Dashboard

When you open up the RWI application, you’ll be dropped into the Executive dashboard view. This dashboard is an aggregate summary of all dashboards within the application. Its main purpose is to provide the CTO/CIO or a data center with critical insights into remote business operations. RWI gives visibility into your company’s critical applications and how they are performing and being used.

Be the VPN Champion

The VPN Login Activities dashboard shows where your colleagues are logging in from, the success/failure rate for these logins, and the top login failure reasons. This dashboard is a one-stop shop to audit your VPN activities. The data shown here is from GlobalProtect, but any VPN logs can be integrated into these dashboards.

The GlobalProtect VPN Login Activities dashboard is key for insight into the VPN activities of your remote colleagues. In this example, you have a workforce that’s based entirely in the U.S. Now, check out that top panel… some workers are accessing the VPN client from China. If this is unexpected, you may have a breach on your hands!

Figure 2 - Global Protect VPN Login Activities
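The three questions the VPN Login Activities dashboard answers (where logins come from, the success/failure rate, and the top failure reasons) plus the "unexpected country" check from the example above can be expressed in a few dozen lines. The following is an added example written for this post, not code from the RWI app: the log line format is a constructed key=value layout that only loosely resembles a VPN authentication log, the IP-to-country table stands in for a real GeoIP lookup (in Splunk you would use `iplocation`), and the `EXPECTED_COUNTRIES` set and the failure reason strings are assumptions. Note the conservative default: an address the lookup cannot place is treated as outside the expected countries rather than silently passing.

```python
"""VPN login summary over constructed log lines: success rate, top failure
reasons, logins by country and logins from unexpected countries.
Added example; not part of the Splunk Remote Work Insights app."""
import re
from collections import Counter

# Assumed: the whole workforce is expected to connect from the U.S.
EXPECTED_COUNTRIES = {"US"}

# Constructed stand-in for a GeoIP database (documentation/test ranges only).
GEO = {
    "203.0.113.10": "US",
    "203.0.113.11": "US",
    "198.51.100.7": "US",
    "192.0.2.44": "CN",
}

# Constructed sample log lines; not real GlobalProtect output.
LOG_LINES = [
    '2020-04-06T08:01:11Z vpn=gw-east user=alice src=203.0.113.10 status=success',
    '2020-04-06T08:02:30Z vpn=gw-east user=bob src=203.0.113.11 status=failure reason="Invalid username or password"',
    '2020-04-06T08:02:58Z vpn=gw-east user=bob src=203.0.113.11 status=success',
    '2020-04-06T08:05:02Z vpn=gw-west user=carol src=198.51.100.7 status=success',
    '2020-04-06T08:07:45Z vpn=gw-east user=dave src=192.0.2.44 status=failure reason="Invalid username or password"',
    '2020-04-06T08:08:10Z vpn=gw-east user=dave src=192.0.2.44 status=success',
    '2020-04-06T08:09:33Z vpn=gw-west user=erin src=198.51.100.7 status=failure reason="Client certificate not found"',
    '2020-04-06T08:11:05Z vpn=gw-east user=frank src=203.0.113.10 status=success',
]

LINE_RE = re.compile(
    r'user=(?P<user>\S+) src=(?P<src>\S+) status=(?P<status>\S+)'
    r'(?: reason="(?P<reason>[^"]*)")?'
)


def parse_line(line):
    """Extract user, source IP, status and optional reason; None if unparsable."""
    match = LINE_RE.search(line)
    return match.groupdict() if match else None


def country_of(src, geo=GEO):
    """Map a source address to a country code; unknown addresses get 'UNKNOWN'."""
    return geo.get(src, "UNKNOWN")


def summarize(lines, geo=GEO, expected=EXPECTED_COUNTRIES):
    """Compute the dashboard's headline numbers over a batch of log lines."""
    events = [e for e in map(parse_line, lines) if e]
    total = len(events)
    successes = sum(1 for e in events if e["status"] == "success")
    failure_reasons = Counter(
        e["reason"] or "unspecified" for e in events if e["status"] == "failure"
    )
    by_country = Counter(country_of(e["src"], geo) for e in events)
    # Flag every attempt (successful or not) from outside the expected set;
    # UNKNOWN is deliberately not in the expected set, so it is flagged too.
    unexpected = [
        (e["user"], e["src"], country_of(e["src"], geo), e["status"])
        for e in events
        if country_of(e["src"], geo) not in expected
    ]
    return {
        "total": total,
        "success_rate": successes / total if total else 0.0,
        "top_failure_reasons": failure_reasons.most_common(3),
        "logins_by_country": dict(by_country),
        "unexpected_country_logins": unexpected,
    }


if __name__ == "__main__":
    report = summarize(LOG_LINES)
    print(f"{report['total']} attempts, success rate {report['success_rate']:.0%}")
    print("top failure reasons:", report["top_failure_reasons"])
    print("by country:", report["logins_by_country"])
    for user, src, country, status in report["unexpected_country_logins"]:
        print(f"REVIEW: {user} from {src} ({country}), {status}")
```

Flagging failed as well as successful attempts from an unexpected country is intentional: a run of failures followed by a success from the same foreign address is the pattern worth reviewing first, and the successful login alone would hide that lead-up.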

Zip-Up Zoom Operations

The Zoom Ops dashboards show an aggregate view of your organization’s Zoom metrics. Looking at this dashboard, you’ll gain visibility into historical metrics and real-time information on active Zoom meetings. You can even see what devices the meetings are being accessed from, the types of meetings being conducted, and metrics surrounding the length of the meetings.

Figure 3 - Zoom Ops Dashboard

The following data sources were used to populate these dashboards:

  • GlobalProtect VPN
  • Office 365
  • Zoom Video
  • Okta Authentication
  • Google Drive
  • Webex
  • Slack

The external threats facing organizations are greater than ever. With the shift to a remote workforce, it is crucial for businesses to have these insights into their day-to-day operations to protect the safety of their organization and its colleagues. Paired with the applications your organization uses today, the Splunk Remote Work Insights Application can dramatically increase your organization’s visibility into application performance. Interested in learning more about the Splunk Remote Work Insights solution or looking to implement the application? Contact our Kinney Group team of experts below.