Splunk Enterprise Security

Splunk app sideload/reverse engineer

danrogers1982
Engager

Hey all, I came across the Website Monitor Splunk app and it's exactly what we need to monitor all of our tools. Problem is, we can't install apps! Especially ones that aren't legit Splunk-made. Can anyone walk me through implementing the XML so I can get the dashboard built?

https://splunkbase.splunk.com/app/1493/
Or let me know if it's even possible. Thanks, much appreciated!

0 Karma

LukeMurphey
Champion

That app is open-source so you can view the source-code and pull out the portions that you want: https://github.com/LukeMurphey/splunk-website-monitoring

That said, this isn't trivial unless you intimately know how to make Splunk apps. The app includes Python code to run the modular input, which gets the data. You would need to implement that in addition to the dashboards. The dashboards are pretty easy to copy over; the Python code is much more difficult.

I'm not sure of the reasons why your company won't allow the installation of apps but let me offer some thoughts:

  1. If your management is concerned about non-Splunk apps on your main Splunk installation: Perhaps you could get approval to install Website Monitoring on a Heavy Forwarder that sends the events to your Splunk install. This would keep the app off of your main Splunk install. You would then create the inputs on the Heavy Forwarder but could view the data on your main Splunk install.
  2. If your management is concerned about non-Splunk apps being of lower quality: I actually am a Splunk Developer (though I made this app in my free time). I also have created about 30 Splunk apps (including being the founder of the Enterprise Security app). This app also has a substantial number of tests which run in my CI system. Thus, quality ought to be pretty good.
  3. If your management is concerned about non-Splunk apps not having support: It's true that this app won't come with official support. However, neither will something you write yourself.

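The reply above draws the line that matters for the original question: the Simple XML views can be copied as-is, but the modular input is Python that executes on the Splunk host (or on a Heavy Forwarder, per option 1). Before copying "portions" of any Splunkbase package, a practitioner would want an inventory of which files are passive UI and which ones run code. The script below is an added example for this page, not code from the Website Monitoring app or from the poster: it reads a Splunkbase-style `.tgz` and groups its files by that distinction. The path rules are assumptions based on the standard Splunk app layout (`default/data/ui/views` for dashboards, `bin/` for scripts, `inputs.conf`/`commands.conf`/`restmap.conf` for the wiring that makes those scripts run), and the package it builds is constructed in-line so the example runs offline.

```python
import io
import re
import tarfile
from typing import Dict, Iterable, List

# Classification rules (assumption: conventional Splunk app layout). First match wins,
# so "code_wiring" is listed before the generic "config" rule that would also match it.
RULES = [
    ("views",       re.compile(r"^default/data/ui/(views|nav|panels)/[^/]+\.xml$")),
    ("code",        re.compile(r"^bin/.*\.(py|sh|ps1|exe|dll|so)$")),
    ("code_wiring", re.compile(r"^default/(inputs|commands|restmap|alert_actions)\.conf$")),
    ("static",      re.compile(r"^(static|appserver/static)/")),
    ("config",      re.compile(r"^(default|local|metadata)/.*\.(conf|meta)$")),
]


def app_relative(name: str, app_dir: str) -> str:
    """Strip the leading '<app>/' from a tar member name.

    Refuses absolute names and '..' components so a hostile package cannot
    make the inventory (or a later extraction) escape the app directory.
    """
    parts = name.split("/")
    if name.startswith("/") or ".." in parts:
        raise ValueError(f"unsafe member name in package: {name!r}")
    if parts[0] != app_dir:
        raise ValueError(f"member {name!r} is outside app directory {app_dir!r}")
    return "/".join(parts[1:])


def classify(path: str) -> str:
    """Return the category for one app-relative path, or 'other' if no rule matches."""
    for category, pattern in RULES:
        if pattern.search(path):
            return category
    return "other"


def inventory(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group app-relative paths by category; lists are sorted for stable output."""
    groups: Dict[str, List[str]] = {}
    for path in paths:
        groups.setdefault(classify(path), []).append(path)
    return {category: sorted(files) for category, files in groups.items()}


def inventory_package(data: bytes) -> Dict[str, List[str]]:
    """Inventory a gzipped tarball whose single top-level directory is the app."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
        if not members:
            raise ValueError("package contains no files")
        app_dir = members[0].name.split("/")[0]
        return inventory(app_relative(m.name, app_dir) for m in members)


# Constructed sample package (hypothetical file names, not the real app's contents).
CONSTRUCTED_FILES = [
    "example_app/default/app.conf",
    "example_app/default/inputs.conf",
    "example_app/default/data/ui/views/status_overview.xml",
    "example_app/default/data/ui/nav/default.xml",
    "example_app/bin/web_ping.py",
    "example_app/bin/input_lib/modular_input.py",
    "example_app/appserver/static/style.css",
    "example_app/README.md",
]


def build_constructed_package(files: Iterable[str] = CONSTRUCTED_FILES) -> bytes:
    """Build an in-memory .tgz with placeholder contents for the paths above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in files:
            body = b"# placeholder\n"
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    for category, files in inventory_package(build_constructed_package()).items():
        print(f"{category}:")
        for f in files:
            print(f"  {f}")
```

For a real package, replace `build_constructed_package()` with the bytes of the downloaded `.tgz`. Anything under "views" and "static" is what the original question was asking to copy; anything under "code" and "code_wiring" is what the reply says you would have to reimplement or get approved, and is the part a change board should be shown.
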
danrogers1982
Engager

Luke,

Thanks so much for your reply! I see that you are very active in this community and I appreciate it greatly. Being very new to this Splunk game, I am very behind but very interested and eager to learn. I have sent your reply up to see how they want to proceed. The parts that I would need from your GitHub link would be the XML files, correct?

0 Karma

LukeMurphey
Champion

The XML files would only get you the views but wouldn't get the data. For the data you would need a lot more files.

0 Karma

danrogers1982
Engager

Ok sounds good. Hopefully they sign off on us getting the whole app! Super slick and exactly what we need.

0 Karma