
Hurricane Labs Reflections on CPTC10 (Collegiate Penetration Testing Competition)
It’s one thing to help support an organization with a mission that you feel strongly about. But seeing something that you feel strongly about growing from an idea into something that is making a massive impact across the Cybersecurity industry and the world is something that is difficult to put ...

Enable Sharing of Datamodel Acceleration Summaries between Search Heads
Introduction If you’re running Splunk Enterprise Security Suite, you are already leveraging accelerated datamodels to power your detections and alerting. However, there may be situations where you want to leverage those same datamodels you already have when running searches on your other search heads. You could enable acceleration on all ...

Using Admin’s Little Helper in Splunk Cloud
Introduction If you’re a Splunk admin, there’s an excellent chance you’ve used the btool command to troubleshoot your configuration. This command is the best way to understand configuration precedence in Splunk and what settings in the config files are active in your environment. One common frustration for an experienced Splunk ...

NECCDC 2023: Red Team Adventures
As cybersecurity enthusiasts, we don't miss any chance to participate in events that challenge our skills and support up-and-coming security professionals in the process. That's why it was a thrill to represent Hurricane Labs at the Northeast regional event for the Collegiate Cyber Defense Competition (NECCDC 2023). Meredith Kasper and ...

How to Fix High CPU Usage in Splunk Stream
If you're like me, you love Splunk. It's an amazing tool for monitoring and troubleshooting your systems. But there's one thing that can drive a Splunk sysadmin crazy: high CPU usage. With this in mind, I'm going to show you how to identify and reduce high CPU usage in Splunk Stream. ...

Exploring the Directory Naming Change in Splunk Enterprise 9.0 Indexer Clustering
With the introduction of Splunk Enterprise 9.0, Splunk has changed the language used for certain directories in indexer-clustering. Let’s explore how this works in practice. Some history and background In versions of Splunk prior to 9.0, the configurations that would be sent to the indexers would be stored in the ...

Optimizing Your Splunk Cloud Scheduler for Enterprise Security
Introduction When deploying Splunk Enterprise Security, there are several configuration optimizations which can be used to improve the performance of the environment. A notable example is the scheduler configuration, which allows for more scheduled and summarization searches to run simultaneously. The default scheduler settings in Splunk often do not allow ...

First Look: Splunk 9.0 Configuration Change Logging
One of the most requested features in Splunk has been better audit logging for changes. With the introduction of Splunk Enterprise 9.0, a new feature has been introduced for configuration change tracking. Let’s take a look at how this new feature works! Overview To implement the change logging feature, Splunk ...

Security Advisory Regarding Splunk Enterprise Deployment Servers
CVE-2022-32158 Details Hurricane Labs is aware of the recent vulnerability involving Splunk Enterprise deployment servers. This vulnerability was announced by Splunk on 2022-06-14. Successful exploitation of this vulnerability could result in a compromised universal forwarder being able to leverage the deployment server to distribute configuration changes to all other universal ...

Splunk Cloud: Determining Search Head Resources
One common task that comes up when troubleshooting Splunk search performance issues is validating the correct resources are available. For on-premise Splunk Enterprise, you can easily do this through the Monitoring Console: Settings -> Monitoring Console The amount of memory and CPU cores will be displayed in the upper [...]