DFIRVault

Splunk DFIR Case Manager

Why I Built This Tool

As a cybersecurity professional, I frequently work with Splunk for log management, threat detection, and incident response. One challenge I faced was managing indexes efficiently—whether creating new ones, deleting old ones, or backing them up for migration.

While Splunk’s CLI and Web UI are powerful, I wanted a faster, scriptable solution that could:
✅ Automate index management (create, delete, list)
✅ Backup entire indexes (including folder structure and .dat files)
✅ Restore backups easily
✅ Work cross-platform (Windows, Linux, macOS)

So, I built Splunk Index Manager—a Python-based CLI/GUI hybrid tool to simplify Splunk index operations.


Key Features

1. Easy Index Management

  • Create new indexes with a single command

  • List all non-system indexes (filters out Splunk's built-in indexes such as _internal and main)

  • Delete indexes (with confirmation to prevent accidents)

2. Backup & Restore Functionality

  • Full index backups (including empty folders)

  • Password-protected ZIPs (optional)

  • Restore from backups (even if the index doesn’t exist yet)

3. User-Friendly Interface

  • Tkinter file dialogs for browsing paths

  • Auto-saved config (remembers Splunk path & credentials)

  • Progress feedback during long operations


How It Works

First-Time Setup

    python splunk_manager.py

The tool will prompt for:

  • Splunk binary path (auto-detects common locations)

  • Splunk credentials (saved in config.txt)

Example Workflow

  1. Create an index

    > Enter the name for the new index: threat_intel
    > Index 'threat_intel' created successfully!

  2. Backup an index

    > Select backup directory: [Browse]
    > Backup completed successfully!
    > Saved to: /backups/threat_intel_backup_20250805.zip

  3. Restore from backup

    > Select backup file: [Browse]
    > Restore completed successfully!
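The backup and restore steps above, as an added example in Python (the language the tool is written in) that is not the project's own code: it builds a constructed index layout in a temporary directory, archives it so that empty colddb/ and thaweddb/ folders survive (a plain "zip every file" loop silently drops them, which is the "including empty folders" feature the page lists), and restores it with a guard against archive members that try to escape the target directory. The directory and file names are constructed for the demo, not real Splunk data, and no password protection is applied.

```python
"""Back up a Splunk index directory to a ZIP that keeps empty folders, then
restore it with a path-traversal guard.  Added example; the layout below is
constructed and the functions are not the tool's own code."""
import os
import tempfile
import zipfile
from pathlib import Path


def build_sample_index(base: Path) -> Path:
    """Create a small, constructed index tree: one hot bucket with a rawdata
    journal and a tsidx file, plus empty colddb/ and thaweddb/ directories."""
    idx = base / "threat_intel"
    bucket = idx / "db" / "hot_v1_0"
    (bucket / "rawdata").mkdir(parents=True)
    (bucket / "rawdata" / "journal.gz").write_bytes(b"constructed journal bytes")
    (bucket / "1.tsidx").write_bytes(b"constructed tsidx bytes")
    (idx / "colddb").mkdir()    # empty directories are exactly what naive
    (idx / "thaweddb").mkdir()  # "zip every file" loops silently drop
    return idx


def backup_index(index_dir: str, zip_path: str) -> list[str]:
    """Archive index_dir into zip_path and return the sorted member names.

    ZipFile.write() only stores files, so an empty directory would vanish from
    the backup.  Writing an explicit directory entry (name ending in '/') for
    every directory makes extractall() recreate the full tree on restore."""
    root = Path(index_dir)
    names: list[str] = []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _dirnames, filenames in os.walk(root):
            rel = Path(dirpath).relative_to(root)
            if rel != Path("."):
                entry = rel.as_posix() + "/"
                zf.writestr(entry, b"")  # directory entry, no data
                names.append(entry)
            for fname in sorted(filenames):
                arc = (rel / fname).as_posix()
                zf.write(Path(dirpath) / fname, arc)
                names.append(arc)
    return sorted(names)


def restore_index(zip_path: str, dest_dir: str) -> list[str]:
    """Extract zip_path under dest_dir and return the restored tree listing.

    Every member is resolved against dest_dir before anything is written; a
    crafted archive with '../' or absolute member names (zip-slip) is rejected.
    Python's extractall() already strips such components, but failing loudly
    is better than silently restoring a tampered backup into the wrong place."""
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"refusing unsafe archive member: {info.filename!r}")
        zf.extractall(dest)
    return sorted(
        p.relative_to(dest).as_posix() + ("/" if p.is_dir() else "")
        for p in dest.rglob("*")
    )


def round_trip() -> tuple[list[str], list[str]]:
    """Back up the constructed index and restore it elsewhere; both listings
    should match, including the two empty directories."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        idx = build_sample_index(base)
        zip_path = base / "threat_intel_backup.zip"
        archived = backup_index(str(idx), str(zip_path))
        restored = restore_index(str(zip_path), str(base / "restore" / "threat_intel"))
        return archived, restored


def traversal_rejected() -> bool:
    """Feed restore_index() an archive whose member escapes the target dir."""
    with tempfile.TemporaryDirectory() as tmp:
        evil = Path(tmp) / "evil.zip"
        with zipfile.ZipFile(evil, "w") as zf:
            zf.writestr("../outside.txt", b"escaped")
        try:
            restore_index(str(evil), str(Path(tmp) / "restore"))
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    archived, restored = round_trip()
    print("archived:", archived)
    print("restored:", restored)
    print("round trip intact:", archived == restored)
    print("traversal rejected:", traversal_rejected())
```

Run it as a script and the two listings come back identical, with colddb/ and thaweddb/ present on the restored side; the second check shows a backup whose member name starts with ../ being refused rather than written outside the index directory. Stop Splunk (or at least freeze the index) before backing up a live index directory, since hot buckets change under you while the archive is being written.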

Security Considerations

⚠ Warning: The tool currently stores credentials in plaintext (config.txt). For production use:

  • Use Splunk authentication tokens instead of a username and password, issued to a dedicated low-privilege user so that a leaked token can manage indexes and nothing more

  • Encrypt the config file, or keep the secret in the operating system's credential store instead of in the file at all

  • Set strict file permissions (e.g. chmod 600 on Linux/macOS, or an owner-only ACL on Windows) so only the account running the tool can read config.txt

  • Treat backup ZIPs as sensitive too: they contain the index's raw event data, and a ZIP password is not a substitute for access control on the backup directory
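The token and file-permission recommendations above, as an added example in Python that is not the tool's config.txt handling: the config is created with mode 0600 from the moment it exists (rather than written at the umask default and chmod'ed afterwards), the loader refuses a file that group or others can access, and the stored token is sent as a Bearer header to the indexes endpoint instead of a username and password. It assumes a POSIX host (Windows ACLs are not visible through st_mode, so the permission check is skipped there) and a Splunk management endpoint on port 8089; the hostname, path and token value are constructed, and the request is built but never sent.

```python
"""Keep a Splunk authentication token in a config file only its owner can read,
refuse to use it once permissions drift, and send it as a Bearer header.
Added example, not the tool's config.txt handling; assumes a POSIX host
(Windows ACLs are not visible through st_mode) and a Splunk management
endpoint on port 8089.  Hostname, path and token below are constructed."""
import json
import os
import stat
import tempfile
import urllib.request
from pathlib import Path


def save_config(path: str, splunk_home: str, token: str) -> int:
    """Write the config with mode 0600 from the moment the file exists.

    os.open() with an explicit mode avoids the window in which a file created
    by open() sits at the umask default (often 0644) before a later chmod."""
    p = Path(path)
    tmp = p.with_name(p.name + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"splunk_home": splunk_home, "token": token}, fh)
    os.replace(tmp, p)  # atomic swap; the 0600 mode travels with the inode
    return stat.S_IMODE(os.stat(p).st_mode)


def load_config(path: str) -> dict:
    """Load the config, but refuse a file that group or others can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} has mode {mode:04o}; run 'chmod 600 {path}' before using it"
        )
    with open(path) as fh:
        return json.load(fh)


def list_indexes_request(base_url: str, token: str) -> urllib.request.Request:
    """Build (not send) a request for the indexes endpoint using the token.

    Splunk's REST API accepts an authentication token as a Bearer header, so no
    username/password needs to live on disk or appear on a command line."""
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/services/data/indexes?output_mode=json",
        headers={"Authorization": f"Bearer {token}"},
    )


def demo() -> dict:
    """Save, reload, then loosen permissions and show the loader refusing."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = str(Path(tmp) / "config.txt")
        mode = save_config(cfg, "/opt/splunk", "constructed-token-not-real")
        loaded = load_config(cfg)
        req = list_indexes_request("https://splunk.example:8089", loaded["token"])
        os.chmod(cfg, 0o644)  # simulate an admin making it world-readable
        try:
            load_config(cfg)
            refused = False
        except PermissionError:
            refused = True
        return {
            "posix": os.name == "posix",
            "mode_after_save": mode,
            "auth_header": req.get_header("Authorization"),
            "refused_when_world_readable": refused,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, the file is reported at mode 0600 straight after saving, the Authorization header carries the token, and the second load fails once the file has been chmod'ed to 0644. Encrypting the file is a separate step not shown here; even with encryption, the permission check remains worth keeping because the decryption key has to live somewhere on the same host.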


Get the Tool

🔗 GitHub: https://github.com/dfirvault/Splunk-Case-Manager


Final Thoughts

This tool has saved me hours of manual work when managing Splunk indexes. If you’re a SOC analyst, Splunk admin, or cybersecurity professional, give it a try and let me know what you think!
