Howto recover "| delete"ed events

After a while we want to restart the blog series. Today we want to show how to recover data in splunk which had been deleted using the "| delete" command.

Even if “| delete” is not a very common command, it’s used from time to time to clean up unwanted events. So what happens if you delete data by mistake? How to recover those events when the docs say it’s not possible?

Read full post

published Splunk Technology Add-On for Mikrotik RouterOS

As some of you know we love these small Mikrotik boxes running RouterOS. They are offering a rich feature set and functionality at a very reasonable price. We also love Splunk.. so it makes perfect sense to import RouterOS data into Splunk. To have greater value of your data we’ve created a Splunk Technology Add-On for RouterOS.

Development takes place in the git repo hosted at . You can download it from there or from

Data is extracted for the Splunk CIM data models network traffic, name resolution (DNS), DHCP and authentication.

Why using XML Event Logs sucks using Splunk

Yesterday I had a discussion with a colleague if we should switch the indexing of Windows Eventlogs to XML. He mentioned that he was told that it’s faster, needs less data volume and language agnostic.

As I couldn’t imagine that something with the abbreviation “XML” in it could be something like “small” and “fast” I decided to do a test.

Read full post