leehinman

• Assumptions
• Create necessary temp dirs
• Build Custom Beat
• Download any other beats you need (filebeat & metricbeat are minimums)
• Build agent

Assumptions

leehinman

Problem Statement

We require specific go tool chain version for reproducible builds and sanity in dealing with CI. Unfortunately, versions can change frequently, which means you have to change your go tool chain frequently.

Solutions

leehinman

Intro

Filebeat's httpjson input can be used query Splunk's REST API and ingest the original data. This doesn't make use of any Splunk processing (CIM or apps). This doc covers 2 common use cases. The first is when you want to ingest from the current forward. For example if you want to compare how Splunk and Elastic differ in detections on the same data. The second use case is when you want to ingest historical data. For example if you want to pull in the last 6 months of data to compare how Splunk and Elastic differ. This method is good for comparing Elastic and Splunk, but shouldn't be considered a final ingest strategy for customers.

Limitations

This will only work for Filebeat modules where the raw message stored in splunk is the same as what the input provides. Modules that won't work are netflow and Winlogbeat because each of those does heavy processing on the raw data.

leehinman

#!/usr/bin/env python3

import argparse
import json
import os
import pprint
import difflib

def parse_args():
    parser = argparse.ArgumentParser()

leehinman

1. Install Homebrew https://brew.sh/

2. Install python3 with homebrew

   brew install python
   

3. Install go with Homebrew

   brew install golang
   

4. Install Docker with Homebrew (start it after install, should be in Applications folder)

brew cask install docker