Please share a short Splunk preventative tasks lis...

SamHTexas · ‎05-29-2021

Please share a Splunk preventative tasks list a Splunk Admin. would do Daily / weekly to defend the turf. Thank u in advance. Please share SPLs if you would.

SamHTexas · ‎05-30-2021

Thank u very much. If you think of similar measures for defensive purposes please share. Happy Memorial day 2021.

tscroggins · ‎05-29-2021

@SamHTexas

EDIT: This list has more to do with platform stability than "defending the turf," but it's much easier to identify problems in an otherwise healthy environment than a sick one.

I generally do the following:

1. Configure the monitoring console and enable alerts. If you're using forwarders, configure forwarder monitoring. This should cover basic availability monitoring.

2. Create a report or dashboard quantifying _internal (or app specific) ERROR and WARN* events by source, component, or whichever category works best for you conceptually. Manage these as defects using quality control tools, e.g. Pareto charts.

3. Identify hosts and sources present today that were not present yesterday, i.e. new sources.

4. Identify hosts and sources present yesterday that are not present today, i.e. missing sources.

5. Identify anomalous changes in event counts across critical hosts and sources.

6. Work with your infrastructure or capacity team (if they're separate functions) to baseline Splunk performance and identify anomalous variances in principal components: CPU, memory, I/O, and storage.

Beyond the basics, you're getting into service quality and quantifying/qualifying user behavior: search performance, search coverage, data retention relative to storage pools, etc.

Please share a short Splunk preventative tasks list a Splunk Admin. would do Daily / weekly to defend the turf. Thank u

monitoring console

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases