Splunk – List REST API users and their IPs

Want to get a list REST API users and their IPs

Run this search

The limitation is if the users are going via a Load Balancer, you will see  Load Balancer’s IP as the clientip

Use Glide to create a catalog of books and movies from the Tim Ferris blog

So I was playing with web scraping a couple of years ago and scraped the list of Books, Movies and other items mentioned in Tim Ferris Blog and Podcast and yesterday I’ve somehow stumbled on the Glide. So I thought to myself, “why not try to use Glide to create a catalog of books and movies from the Tim Ferris blog?”

On my original blog post I already had all the Titles , Images and Links so used a bit of VSCode regex magic to clean up the HTML (couldn’t find the original “raw” data from the scraping exercise).

In Google Sheets

  • created a new Google Sheet
  • copied the data
  • added the titles to each column
  • named the sheet (this is quite important as it will be used as the title of the screen in the Glide app)

In the Glide App

  • Selected which Sheet to use
  • On the Screens screen 🙂
  •  – selected the Tiles layout
  •  – removed the “mapping” for the Details component
  • On the Details screen
  •  – added a Button component
  •  – added a Separator component (to visually separate Image from the button)
  • On the Button configuration screen
  •  – made sure to Data is mapped to the Link column
  •  – selected URL as an Action


That’s It,

It took me probably 5 times (if not more) longed to write this blog post and make screenshot for it then the whole process of getting the required “raw” data from my old blog post, uploading it to Google Sheets and creating the app in Glide.

Notes from SplunkLive! Sydney 2019

Notes from SplunkLive! Sydney 2019

I’ve had a chance to got SplunkLive! in Sydney this year.

It was freezing (by Sydney standards) 7.6 with winds which felt like -0.2 according to weatherzone app on my phone and my face.

So I wouldn’t have minded if the event turned out to be a total disaster, as long as they would have served coffee and it was warm inside, but it turned out to be quite interesting.

Continue reading Notes from SplunkLive! Sydney 2019

Python – Test Network Connection

The below will return True/False

Or you can use this version to return the Exception in case connection has failed

Python – Get local machine IP

Here is how to use Python – to Get local machine IP


Configure Splunk SSO with Auth0 as your identity provider

I had to work on Splunk SSO Integration and since had never touched SSO/SAML before, I wanted to play with it a little bit on my machine. I’ve decided to use Oath0 as my IdP

This tutorial is based on SAML SSO with Auth0 as Service Provider and as an Identity Provider, but the steps that are relevant to configuring an Auth0 tenant as the Service Provider (SP) are replaced with Splunk Configuration.


Set up the Auth0 IDP

In this section you will configure one Auth0 tenant (tenant 2) to serve as an Identity Provider. You will do this by registering an application, but in this case, the ‘application’ you register is really a representation of tenant 1, the SAML Service Provider.

In the Auth0 dashboard:

  1. Click on “Applications” link at left.
  2. Click on the red “+ CREATE APPLICATION” button on the right.

  1. In the Name field, enter a name (I’ve had mine as “Splunk 7.0.3 Container”).
  2. Press the blue “SAVE” button.
  3. Click on the “Settings” tab.
  4. Scroll down and click on the “Show Advanced Settings” link.
  5. In the expanded window, scroll down to the “Certificates” section and click on the “DOWNLOAD CERTIFICATE” link and select PEM from the dropdown, to download a PEM-formatted certificate. The certificate will be downloaded to a file called “YOUR_TENANT.pem”. Save this file as you will need to upload this file when configuring the other Auth0 tenant, tenant 1.

  1. Click on the “Endpoints” tab and go to the “SAML” section.. Follow the “SAML Metadata URL” to download the IdP metadata file which we will need later in Splunk SAML configuration.
  2. Click on the “Endpoints” tab and go to the “SAML” section. Copy the entire contents of the “SAML Protocol URL” field and save it as in the next step you will need to paste it into Splunk SSO configuration .

Creating User(s) in Auth0

Next, create a user to use in testing the SAML SSO sequence. In the Auth0 dashboard:

  1. On the lefthand side, navigate to Users and Roles > Users
  2. Click on the “+ CREATE YOUR FIRST USER” button.

  1. In the Email field, enter an email for your test user. The domain name for the email should match what you enter in section 3 below. For example, if your user is john.doe@abc-example.com, you would enter that here, and then enter “abc-example.com” in step 3 below for the Email domain.
  2. Enter a password for the user
  3. For the Connection, leave it at the default value. (Username-Password-Authentication)
  4. Press the blue “SAVE” button.

Creating Roles and assigning user(s) in Auth0

Since Splunk relies on the IdP to return the user roles you will need to create at least one  new Role and assign a user to it.

  1. On the lefthand side, navigate to Users and Roles > Roles
  2. Click on the “+ CREATE ROLE” button.
Auth0 Create Role – details
  1. Once the Role is created click on “ADD USERS” button

  1. From the dropdown list select the user and click “ASSIGN

NOTE: for Auth0 to return the groups information in SAML you will need to follow the steps in Return User Roles in Auth0.

Configure Splunk

  1. Login to Splunk
  2. Navigate to “Settings” > “Access Controls” > Authentication Method”
  3. Under External authentication methods, select “SAML” and click the “SAML Settings” link

  1. Create the required SAML groups (and assign roles to them), so that these group names will be matched with the Auth0 role names

Splunk SAML Groups

  1. On top right corner click the SAML Configuration” button
  2. On the right of the “Metadata XML File” click Select File” and upload the IdP metadata file that you’ve downloaded from Auth, it will be called something like dev-1a2b3c4d-idp_au_auth0_com-metadata.xml (the first part will depend on your Auth0 t

Return user roles in Auth0

I wanted to play with SAML Authentication in Splunk and decided to use Auth0 is my SAML Identity Provider (IdP).
Since i’ve never worked with Auth0 I just followed the SAML SSO with Auth0 as Service Provider and as an Identity Provider tutorial,, which worked well, but when I tried to use Splunk as Service Provider(SP), i.e. SAML service consumer, I noticed that roles are not returned by Auth0 SAML assertion, so I had to find a way to return user roles in Auth0 together with other user’s information.

Of course the  prerequisite of returning roles assigned to the user is to have them defined, so configure a few Roles under the User & Roles section on the left and assign 1 or more rule to a user.

Auth0 Roles

I’ve created bu1_p and bu2_p (as for Business Unit 1/2 – Power User).

Next you will need to configure a Rule.

“Rules are JavaScript functions that execute when a user authenticates to your application. They run once the authentication process is complete, and you can use them to customize and extend Auth0’s capabilities.”

So from different sources I’ve stitched up a simple rule that adds roles assigned to a user and adds them to the user context.

Go to Rules and create a new Rule using empty rule template

Update the function to look like this:

Save it.

If you want to test it by clicking “TRY THIS RULE” button, but don”t forget to update the context to include the  authorization with the roles (last couple of lines in the snippet below)


That’s it, now the authorization will return user roles in Auth0 as “rolez” attribute

Rule Try Output

Manage Splunk KV Store using REST API

I’ve started working with Splunk KV store for one of my recent projects. It is a robust system with an extensive API. since I was learning and documenting my fundings anyway I thought, why not put up a blog post about how to manage Splunk KV Store using REST API.

Continue reading Manage Splunk KV Store using REST API

Colour code Google calendar events automatically using Google Apps Script

Sometimes you want to have a certain colour for the Google Calendar events. I know that you can do it manually, but what if you want it to be colour coded automatically based on some filters. In my case it was based on meeting organizer (my wife to be precise 🙂 ). So decided to try and colour code Google calendar events automatically using Google Apps Script.

Continue reading Colour code Google calendar events automatically using Google Apps Script