Erik Horton

IT Automation


Containerize your Deployment of a Python app to AWS Lambda

Local Prerequisites

python 3.6+ (3.8 will be used in this setup)

AWS Prerequisites

AWS Access/Secret keys or AWS SSO
AWS Lambda


Make a local directory and set up local files

mkdir test-python-lambda && cd test-python-lambda
touch Dockerfile requirements.txt
python -m venv venv
source venv/bin/activate


Edit your requirements.txt with your dependencies. In my case, I’m including the lambda runtime / xray sdk, as well as boto3/botocore.



Be sure Docker is running, then configure your Dockerfile:

# Assumed base image: the post's original FROM line is not shown.
FROM public.ecr.aws/lambda/python:3.8

RUN pip install --upgrade pip
COPY requirements.txt requirements.txt
RUN pip install -r requirements.txt
# Assumed: copy the handler module that CMD points at into the Lambda task root.
COPY app.py ${LAMBDA_TASK_ROOT}

CMD ["app.handler"]

Python app

Configure your Python app, using handler...

Continue reading →

Ansible - Kerberos message encryption to enable WinRM

Kerberos message encryption was just released for pywinrm, and it’s a great time to be alive.

With this, if you don’t have a fully deployed certificate architecture, you can still have encrypted messages flying around while using the WinRM easy mode of HTTP over tcp/5985. If you’re not using Windows 10, just skip the WSL install portion.

If you have any problems, feel free to email me:

Current environment looks like the following:

  • Windows 10
  • Windows Subsystem for Linux (WSL) - upgraded to Ubuntu 16.04
  • Python 3.5 / pip3
  • Domain-joined computer, configured krb5.conf

Let’s get started.

Install WSL

Open PowerShell, and run:

    lxrun /install


Make sure you’re on Ubuntu 16.04:

    lsb_release -a

If you’re still on 14.04, be aware of the following:

Continue reading →

Splunk - Diff examples and One-Way diff

Splunk’s set command lets you diff two result sets. Say you have two sets:

Set A: “event1 event2 event3”
Set B: “event2 event3 event4”

Splunk will tell you all the differences between these two sets. When you run the following command, the output will be “event1 event4”, because those are the events not present in both sets.

| set diff [set A] [set B]

A full Splunk search to generate the following example might look like:

    | set diff
    [| makeresults | eval events="event1 event2 event3" | makemv events | mvexpand events | table events]
    [| makeresults | eval events="event2 event3 event4" | makemv events | mvexpand events | table events]

This would be considered a two-way diff. It is very useful for finding events in either set (search result) that cannot be found in the opposite set.

To break down the commands used:


Continue reading →

Synthesia on Windows 10 (VirtualMIDISynth)

Problem: On Windows 10, when trying to use VirtualMIDISynth + Synthesia for lag-free piano playing, VirtualMIDISynth does not appear as an option for output.

Use Case: You followed the following, with no luck.

Solution: Under each of the following two registry keys, create a new string value (REG_SZ) named “midi3” with the data: C:\Windows\System32\VirtualMIDISynth\VirtualMIDISynth.dll

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
  • HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

View →

Dell XPS 9550 Mouse Lag only over Windows Desktop

Problem: Mouse lags when going over just the Windows desktop
Hardware: Dell XPS 9550
Software: Windows 10

Solution: Task Manager -> Startup tab -> Disable Nvidia Capture Server Proxy; Restart your computer.

Edit: More recently, I also had to uninstall Nvidia GeForce Experience

Note: This mouse lag occurs when programs that use hardware acceleration are open. For me, programs that caused this issue included Google Chrome and Lync (Skype for Business). You can disable hardware acceleration in Google Chrome’s settings, which resolves the issue; Lync does not have this option. By disabling Nvidia Capture Server Proxy, I no longer get mouse lag on the Windows desktop / wallpaper.

View →

Ansible - Splunk Forwarder Deployment - Pt.1

This post will help you get up and running with Ansible with the end goal of deploying Splunk universal forwarders to both Windows and Linux.


.conf 2015 talk - Splunk Configuration Management and Deployment with Ansible - Jose Hernandez / Sean Delaney



Follow installation guidelines here:

Install dependencies for connecting to windows hosts

Linux Specific

  • User who can ssh
  • User who can sudo

Windows Specific

  • Domain account that can access the server via WinRM and install software
  • A share location that your servers can pull files down from (using your domain account)
  • HTTP/AllowUnencrypted=True

    winrm set winrm/config/service '@{AllowUnencrypted="true"}'

  • HTTPS/AllowUnencrypted=False

Note that AllowUnencrypted=true permits plaintext WinRM traffic over HTTP; if you cannot deploy certificates for HTTPS, the Kerberos message encryption described in the pywinrm post above keeps messages encrypted over tcp/5985.



Continue reading →

Splunk - Automatically update GeoIP database across environment

Information for this post was inspired by this post.

With every Splunk upgrade, Splunk also pushes out a GeoIP database (found here). Instead of waiting, I wanted to automate the pull on the search heads. The following is how you can set up the same in your environment.

Create app structure on Deployment Server


This will download and extract the database, as well as set the correct permissions on it.


    # Author: Andrew Wurster
    # Date: 13 Jan 2015

    # Work inside the app's bin directory so the database lands where the app expects it.
    cd /opt/splunk/etc/apps/Splunk_geoip/bin || exit 1

    # Download the latest MaxMind database (the download URL from the link above goes after -O's filename) and abort on failure.
    wget -O GeoLite2-City-Latest.mmdb.gz || { echo 'Could not download MaxMind GeoIP DB, exiting.' ; exit 1; }
    # Decompress, overwriting any previous copy, then make it world-readable for splunkd.
    gunzip -f GeoLite2-City-Latest.mmdb.gz
    chmod 644 GeoLite2-City-Latest.mmdb

Continue reading →

Splunk Deployment Server: Grab all deployment clients

There are times when you need to know what’s out there. If you’re like me, you have thousands of deployment clients in the environment, and browsing to the GUI interface to see your forwarders just doesn’t cut it.

The following can be run as a search on your deployment server to pull all of your deployment clients.

    | rest /services/deployment/server/clients splunk_server=local | table hostname dns clientName utsname

You can then pipe this out to outputcsv to better use the data.

If for some reason you cannot do it this way, you can always pull information on the command line. To get all the IP addresses of your clients, run the following:

    /opt/splunk/bin/splunk list deploy-clients | grep -Po 'ip:\s+\K([0-9]{1,3}\.){3}[0-9]{1,3}'

View →

How to use Regex in Splunk searches

Regex to extract fields

    | rex field=_raw "port (?<port>.+)\."

field=_raw

The source field to apply the regular expression to. _raw is the Splunk-extracted field holding the full event text.

left side of ()

The regular expression to the left of what you want stored as a variable. Anything here is matched but not captured into the variable; it is still a regular expression.

right side of ()

The regular expression to the right of what you want stored as a variable. Anything here is matched but not captured into the variable; it is still a regular expression. Because “\.” sits outside the parentheses to the right, the period ends the expression and is not included in the variable.

?<port>

Store the captured text in the field “port”.

.+

The regular expression to capture and save in the variable: in this case an unlimited number of characters, running until the end of the line and then backing off to the last period so that “\.” can match.
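Here is how the post’s rex pattern behaves on a few constructed events, as an added Python example (not code from the original post): Splunk’s PCRE group `(?<port>...)` becomes Python’s `(?P<port>...)`, and the greedy `.+` shows why a second period later in the event changes what lands in the field. The lazy and digits-only patterns are my additions for comparison.

```python
import re
from typing import List, Optional

# Splunk's rex uses PCRE named groups, (?<port>...); Python's re spells the
# same group (?P<port>...). Otherwise this is the pattern from the post.
PAGE_PATTERN = re.compile(r"port (?P<port>.+)\.")
# Two tighter variants (my additions): a non-greedy quantifier, and a
# character class that only accepts digits, which is what a port is.
LAZY_PATTERN = re.compile(r"port (?P<port>.+?)\.")
DIGITS_PATTERN = re.compile(r"port (?P<port>\d+)\.")

# Constructed sample _raw events; they are not from the original post.
RAW_EVENTS = [
    "Accepted connection on port 443.",
    "Accepted connection on port 443. Session closed by peer.",
    "Heartbeat from 10.0.0.5 with no port field",
]


def rex_port(raw: str, pattern: re.Pattern = PAGE_PATTERN) -> Optional[str]:
    """Mimic `| rex field=_raw "..."` on one event: return the 'port' capture.

    rex leaves the field unset on events that do not match, so None here
    corresponds to a missing field in Splunk.
    """
    m = pattern.search(raw)
    return m.group("port") if m else None


def extract_ports(events: List[str],
                  pattern: re.Pattern = PAGE_PATTERN) -> List[Optional[str]]:
    """Apply rex_port to every event, preserving order like a Splunk table."""
    return [rex_port(e, pattern) for e in events]


if __name__ == "__main__":
    # The greedy pattern swallows "443. Session closed by peer" on the second
    # event, because .+ backtracks only as far as the LAST period.
    for name, pat in (("page", PAGE_PATTERN), ("lazy", LAZY_PATTERN),
                      ("digits", DIGITS_PATTERN)):
        print(f"{name:6}", extract_ports(RAW_EVENTS, pat))
```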

Putting it all together

Say you have _raw data equal...

Continue reading →

Splunk Cisco_IPS app no longer pulls from IPS


After an upgrade to Splunk 6, the Cisco_IPS app fails to download IPS logs.


  1. Navigate to /var/log/splunk/sdee_get.log
  2. Events like the following show up

    Exception thrown in sdee.get(): URLError: <urlopen error [Errno 1] _ssl.c:521 error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error>


Note: Upgrade to the latest version and you shouldn’t experience the problem anymore. App Link

Info for the fix was pulled from: This Splunk forum

  1. Navigate to /etc/apps/Splunk_CiscoIPS/bin/pysdee/
  2. Edit:
  3. Directly after the default import statements, paste the following.

    # The section below is to override the default socket connection,
    # which will fail with these devices. The newer version of OpenSSL
    # in Python does not support the ciphers these devices would like to use.
    import httplib
    from httplib import HTTPConnection, HTTPS_PORT

Continue reading →