Splunk offers you a very diverse set of mechanisms for alerting. Each one is extensible toward a variety of applications and can be utilized by most organizations. As technology progresses, it’s worth taking time to explore new ways we can leverage the wide variety of tools and devices we have at our fingertips. In this blog post, I’m going to talk about a new and very specific alerting mechanism I set up in my own Splunk instance that makes use of the Internet of Things (IoT) -- one that hopefully gets you thinking a little bit. I packaged this alerting tool into an app that I titled, “Roxanne”.
In case you’re wondering what inspired the name “Roxanne”... It actually stemmed from my original intention, which was changing the color of my LIFX Lightbulb to red from inside of Splunk, combined with my appreciation for the song “Roxanne” by The Police.
Bizarre, beneficial, or both?
Now the biggest question I’ve gotten about all of this is “Why? Why would you bother doing this?” which, in my opinion, is a perfectly valid question. The development of this app did make me feel like I might be turning into some kind of mad scientist, so questions surrounding my seemingly bizarre IoT projects are understandable. A lot of people would argue that “strange” and “mad” are appropriate descriptors for me, but I do believe that an app like this actually has quite a few beneficial use cases.
So, answering the question “why” boils down to the fact that alerting needs to take on all kinds of different forms to truly be effective.
Take your cellphone for example. If you have your cellphone in your pocket and you receive a text message, you generally get two different types of alerts. Your phone will make a noise, and it will also vibrate. For most people, the purpose of this is so you have less chance of missing the message. Maybe you don’t hear the alert because you were on the subway, but you felt the sensation of it vibrating instead. This type of dual alerting may also serve purposes for people who have hearing loss or for people who can’t feel sensations as acutely.
What would Admiral Ackbar do?
Imagine taking that same theory to something like a Security Operations Center (SOC). What if we had the ability to not only fire off emails, tickets, and chat notifications (all which come with audible, visual, and physical alerts of their own), but to actually change the appearance of an entire room based on an alert?
I’m not just suggesting this because Admiral Ackbar used color changing lights as an alerting mechanism when destroying the Death Star. His command center was cool, but it also flew around in space... I can’t help you (literally) get your SOC off the ground in this article, but I can show you how you can come up with some very futuristic alerting.
The very simple example I set up for myself involved telling me when my plants needed to be fertilized. I know, it’s maybe not as flashy as detecting ransomware, or imperial x-wing fighters in space, but it does serve a purpose and has helped me personally become quite the successful gardener.
Setting it all up
Once that’s installed, the syntax is quite simple using the Splunk Map command.
Start out by searching for the lightbulb you want. In my case, I wanted my “Living Room” light bulb to be affected. Make sure that the search only outputs one distinct id by using the “dedup” command as shown below. If I want more light bulbs to change, I could search for more bulbs, but still use the dedup command.
index=lifx label="Living Room" | dedup id
Next come up with a search that you want to have an alert on. Again, make sure that it only outputs one result by using the “dedup” command. In my case, I’m going to alert if the fertilizer level for my plant is too low.
sourcetype=flower_power_garden_locations_status index=parrot | spath "fertilizer.instruction_key" | search "fertilizer.instruction_key"!=fertilizer_good | dedup fertilizer.instruction_key
Finally, we can merge these two items together with the map command and by appending one of the 6 built-in commands for Roxanne. In this case, I’m going to change a lightbulb color to red when my plant needs to be fertilized. For this I use the command “redlight lightid=$id$” at the end of my search as shown below.
index=lifx label="Living Room" | dedup id | map search="search sourcetype=flower_power_garden_locations_status index=parrot | spath "fertilizer.instruction_key" | search "fertilizer.instruction_key"!=fertilizer_good | dedup fertilizer.instruction_key |redlight lightid=$id$"
Have I convinced you yet?
With this search scheduled to run every day, I’d theoretically never have to wonder about my plant’s health again because a giant red light would be on in my living room. If I were to take this sort of alerting to a SOC, or some other real life scenario, then I could potentially have even more realistic alerts in place to notify a team, not only with the traditional e-mail and chat notifications, but with the same technology that was used to destroy the Death Star. And if that’s not a reason to like IoT, I’m not sure what is.