I’ve been in charge of integrating Splunk into our work network, and it’s been quite the learning curve; Splunk is truly powerful in its abilities. At work we’ve been concentrating on IIS, Log4Net, System Event logs, system metrics (HDD free space, CPU utilization, etc.), and our custom logging.

However, in my personal time I’m developing a Splunk App to parse the top 10 IRC clients’/bouncers’ logs and put them in a searchable format, and eventually add dashboards. It’s got a working name of IRC Ninja and is up on my GitHub at IRC Ninja (GitHub). The next section will focus on Splunk’s props.conf and transforms.conf, both of which are vital to the creation of new sourcetypes in Splunk. One may occasionally use fields.conf, but that’s another topic. In the meantime, for those with Splunk questions, I’ve found the Slack and IRC channels to be excellent learning resources when reading the config file’s documentation page doesn’t work and neither does googling:

  • To join the IRC channel, it’s #splunk on irc.EFnet.org
    • Be aware EFnet keeps its nick length short.
  • Joining the Splunk Slack channel is a little more complex:
I’ll write up more of my journey to publishing this app as the days go by.

If you have IRC logs from a current IRC client, hit me up via the contact page; they will significantly help me add support for the different IRC clients.