One of my favorite times of the fall is the annual Splunk user conference. The pandemic has thrown lots of conferences into disarray. The Las Vegas .conf may be off, but virtual .conf is on — and is free. And yes, free as in free, not free like someone tried to give you a dog.
The virtual conference is 20-21 October for AMER, and 21-22 for EMEA and APAC.
Here are the top five sessions at Splunk .conf20 that I recommend my customers, colleagues, and students attend. There are many more interesting sessions across the Splunk product line and beyond (temperature scanning crowds to find the infected?).
1) PLA1454C – Splunk Connect for Syslog: Extending the Platform
Splunk Connect for Syslog is an outstanding system for onboarding syslog data into Splunk. Traditionally, Splunk uses a third-party syslog to write data to disk, and then a Universal Forwarder to read that data and send it to Splunk. This has worked well but requires building the syslog server and understanding enough of the syslog rules to configure the data correctly.
Enter Splunk Connect for Syslog, which handles the syslog configuration, sends the data to Splunk, and for many known sourcetypes makes the onboarding process a snap.
What I like best: This came from engineers looking at a problem and making things better.
2) PLA1154C – Advanced pipeline configurations with INGEST_EVAL and CLONE_SOURCETYPE
Eval is powerful way to create, modify, and mask data within Splunk. Traditionally it is performed at search time. This session shows methods for using INGEST_EVAL to perform eval logic as the data in being boarded. This helps with event enrichment, removing unwanted fields, event sampling, and many more uses.
What I like best: INGEST_EVAL opens a world of more control in Core Splunk.
3) SEC1392C – Simulated Adversary Techniques Datasets for Splunk
The Splunk Security Research Team has developed test data for simulating attacks and testing defenses in Splunk. In this session, they are going to share this data and explain how to use it to improve detecting attacks.
What I like best: Great test data is hard to come by, much less security test data.
4) PLA1129A – What’s new in Splunk Cloud & Enterprise
This session shows off the newest additions to Splunk Cloud and Splunk Enterprise. Each year these sessions show the new features that have arrived either in the last year or in new versions that often coincide with Splunk .conf.
What I like best: New toys to play with.
5) SEC1391C – Full Speed Ahead with Risk-Based Alerting (RBA)
I’ve talked to several customers who wanted to use a risk-based alerting (RBA) system for their primary defenses. Traditional methods require lots of tuning to avoid flooding the security staff with too many alerts. RBA is a method to aggregate elements together and then present the findings in an easier-to-consume method.
What I like best: Another option on how to approach security response.
Bonus Sessions: You didn’t think I could really stop at five, did you?
TRU1537C – Hardened Splunk: A Crash Course in Making Splunk Environments More Secure
TRU1276C – Splunk Dashboard Journey: Past Present and Future
TRU1761C – Master joining your datasets without using join. How to build amazing reports across multiple datasets without sacrificing performance
TRU1143C – Splunk > Clara-fication: Job Inspector
Our KGI team will be on board for .conf20 and we’re more excited than ever to attend with you. With over 200 virtual sessions at Splunk’s .conf20 event, this year is going to be BIG. With exciting updates to Splunk and grand reveal on new product features… Kinney Group is ready to help Splunkers along the way.
Keep your ears perked for some big, Splunk related announcements coming your way from Team KGI this month…