Sometimes users of Splunk like to have Splunk tell them what is happening with their infrastructure without doing an ad-hoc search. The most obvious way to accomplish this is to use Splunk Alerts. An alert gets generated for a saved search that is executed over a configured period and matches user-defined conditions.
Now suppose you just want to watch a saved search run on a periodic basis. One approach would be to have the Splunk Web application in the browser auto-refresh itself. If the requirement is that you would like this to appear full screen in real time for others to see without giving them any other access to your desktop computer (as you may be away), a possibility is to have the search run in a screen saver. I’ll explain one way to get this to work.
First, decide what searches you would like to run in a screen saver and test them out in a browser. Next, create a permalink to the search by using the pull-down menu next to the Splunk search bar and clicking on permalink. The URL will appear in the browser’s address bar and should be copied to a note-taking utility such as Notepad in Windows. An example URL that has been “permalinked” by Splunk would be:
http://localhost:8000/?q=sourcetype%3D%22WinEventLog%3AApplication%22%20startminutesago%3D15&selStart=false&selEnd=false
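The permalink format above can be generated and checked before any URL is handed to an unattended display. The following is an added example, not code from the original post or from Splunk: it rebuilds the permalink from a search string and refuses URLs that point at another host or carry parameters the example URL does not have. The function names, the allowlist, and the two rejected sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Assumption: Splunk Web address taken from the example URL on this page.
SPLUNK_WEB = "http://localhost:8000"
# Parameters seen in the page's example permalink; anything else is rejected.
EXPECTED_PARAMS = {"q", "selStart", "selEnd"}


def build_permalink(search, base=SPLUNK_WEB):
    """Encode a search string the same way the example permalink is encoded."""
    return f"{base}/?q={quote(search, safe='')}&selStart=false&selEnd=false"


def vet_permalink(url, base=SPLUNK_WEB):
    """Return the decoded search if the URL may be displayed, else raise ValueError."""
    parts, expected = urlsplit(url), urlsplit(base)
    if (parts.scheme, parts.netloc) != (expected.scheme, expected.netloc):
        raise ValueError(f"unexpected host: {parts.scheme}://{parts.netloc}")
    if parts.path not in ("", "/"):
        raise ValueError(f"unexpected path: {parts.path}")
    params = parse_qs(parts.query, keep_blank_values=True)
    extra = set(params) - EXPECTED_PARAMS
    if extra:
        raise ValueError(f"unexpected parameters: {sorted(extra)}")
    if len(params.get("q", [])) != 1 or not params["q"][0].strip():
        raise ValueError("exactly one non-empty q parameter is required")
    return params["q"][0]


def vet_rotation(urls):
    """Split candidate screen saver URLs into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for url in urls:
        try:
            accepted.append((url, vet_permalink(url)))
        except ValueError as err:
            rejected.append((url, str(err)))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample list: the page's search plus two URLs that should be refused.
    candidates = [
        build_permalink('sourcetype="WinEventLog:Application" startminutesago=15'),
        "http://intranet.example:8000/?q=error",
        SPLUNK_WEB + "/?q=error&return_to=%2Fadmin",
    ]
    ok, bad = vet_rotation(candidates)
    for url, search in ok:
        print("OK  ", search)
    for url, reason in bad:
        print("SKIP", url, "->", reason)
```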
Next, you’ll need to install a screen saver creation utility that allows web pages to be used as screens in a screen saver. For the purposes of testing, I’m using 2Flyer Screensaver Builder. All I did next was to use the saved URL above to create a web page for the screen saver and have it run every 30 seconds. This would allow me to execute a sequence of searches each being shown for 30 seconds at a time. After previewing the results, you can build the screen saver from the tool and you’ll get a screen such as below running from your screen saver.
Now, the next question is authentication. For the purposes of testing, I used the free edition of Splunk and didn’t have to deal with it. For the enterprise edition of Splunk, there is an application on Splunkbase called autologin that will allow automatic login into Splunk using a preconfigured Splunk user and password. It is recommended to use an underprivileged user as your base user for security reasons. I got this working with Firefox as my default browser, but for some reason in IE, it had me go through one extra mouse click to accept the Splunk certificate each time even though it had been added as an acceptable certificate and CA from the browser beforehand. Screen savers, by definition, don’t allow you to interact with them using mouse clicks as that would exit the screen saver. Since 2Flyer Screensaver Builder was based on the IE rendering engine, I didn’t try this any further.
In retrospect, I don’t recommend using an autologin feature to authenticate into Splunk as it does introduce a backdoor that you may not want, even if it is for an underprivileged user. A more acceptable approach would be to have the screensaver builder accept users and passwords to authenticate with any HTML form as part of building the screen saver. Overall, I write this blog entry to show you another interesting way to monitor activities in your operations center beyond traditional ad-hoc searches and alerts.