Every Click You Make, Splunk is Watching You…


When I am at client sites I am often asked how to get a better understanding of what is going on inside a Splunk environment. A recent client wanted to know which dashboards were being used the most and who the top users were. What a great thought! I knew Splunk had to have a way to track this; it was just a matter of locating the data and then determining the best way to pull it. After going back and forth between metadata and the internal index, I came across this in Splunk’s internal index.

...
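A worked version of the idea in this post, added here and not code from the original post: the request log Splunk keeps in its own internal index records every dashboard a user opens, so a few lines of parsing give you the most-viewed dashboards and the top users. The script assumes the web access log (file web_access.log, sourcetype splunk_web_access) uses the combined-log style of the constructed sample below, with dashboard views showing up as GET /<locale>/app/<app>/<view>; check the field layout against your own version before relying on it. Users, apps and views in the sample are made up.

```python
"""Who is looking at which dashboards, derived from Splunk's web access log.

Added example, not code from the original post. Assumes the combined-log
style layout of web_access.log (sourcetype splunk_web_access) as shown in
SAMPLE_LOG; verify the field positions against your own version.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample lines, not real data. Users, apps and views are made up.
SAMPLE_LOG = """\
10.0.0.5 - alice [21/Dec/2012:09:12:01.123 -0500] "GET /en-US/app/search/flashtimeline?q=search%20index%3D_internal HTTP/1.1" 200 18234 "-" "Mozilla/5.0" - 50d44a51a17b9c 61ms
10.0.0.5 - alice [21/Dec/2012:09:13:44.004 -0500] "GET /en-US/app/soc_app/failed_logins HTTP/1.1" 200 9021 "-" "Mozilla/5.0" - 50d44a51a17b9c 44ms
10.0.0.9 - bob [21/Dec/2012:09:14:02.871 -0500] "GET /en-US/app/soc_app/failed_logins HTTP/1.1" 200 9021 "-" "Mozilla/5.0" - 50d44a51b3c0d1 39ms
10.0.0.9 - bob [21/Dec/2012:09:14:03.120 -0500] "GET /en-US/static/@123456/css/default.css HTTP/1.1" 200 4102 "-" "Mozilla/5.0" - 50d44a51b3c0d1 2ms
10.0.0.9 - bob [21/Dec/2012:09:15:10.500 -0500] "GET /en-US/app/soc_app/nonexistent HTTP/1.1" 404 512 "-" "Mozilla/5.0" - 50d44a51b3c0d1 5ms
10.0.0.7 - - [21/Dec/2012:09:16:00.000 -0500] "GET /en-US/account/login HTTP/1.1" 200 3000 "-" "Mozilla/5.0" - 50d44a51c9 8ms
10.0.0.5 - alice [21/Dec/2012:09:20:17.611 -0500] "GET /en-US/app/soc_app/failed_logins?earliest=-24h HTTP/1.1" 200 9021 "-" "Mozilla/5.0" - 50d44a51a17b9c 51ms
"""

# client - user [timestamp] "METHOD uri PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def dashboard_from_uri(uri):
    """Map /<locale>/app/<app>/<view>[?query] to (app, view).

    Static assets, the login page, API calls and anything else return None so
    they are never counted as a dashboard view."""
    parts = urlsplit(uri).path.split("/")   # ['', 'en-US', 'app', '<app>', '<view>', ...]
    if len(parts) >= 5 and parts[2] == "app" and parts[3] and parts[4]:
        return parts[3], parts[4]
    return None


def summarize(log_text):
    """Count successful (HTTP 200), authenticated GETs of dashboards.

    Returns (views, users, viewers): views counts per "app/view", users counts
    per user name, and viewers maps each dashboard to a Counter of who opened it,
    which doubles as an access record for sensitive dashboards."""
    views, users = Counter(), Counter()
    viewers = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        if rec["user"] == "-":          # unauthenticated request, e.g. the login page
            continue
        dash = dashboard_from_uri(rec["uri"])
        if dash is None:
            continue
        key = "/".join(dash)
        views[key] += 1
        users[rec["user"]] += 1
        viewers[key][rec["user"]] += 1
    return views, users, viewers


if __name__ == "__main__":
    views, users, viewers = summarize(SAMPLE_LOG)
    print("Top dashboards:")
    for dash, n in views.most_common():
        print(f"  {dash:30} {n:3}  viewers={dict(viewers[dash])}")
    print("Top users:", users.most_common())
```

On the sample this reports soc_app/failed_logins as the top dashboard (three views, by alice and bob) and alice as the top user; the 404, the static CSS request and the anonymous login request are all filtered out. Inside Splunk the same aggregation would be a search over index=_internal sourcetype=splunk_web_access; the script only makes the parsing and filtering decisions explicit so you can see which requests actually count as a view.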

Splunk, Where's my Props?!

Here’s the scenario. You find the perfect app for your data. You onboard the data, configure all your files, and look through all the dashboards to finally see the views you have been waiting for. Then your greatest fear is realized: your dashboards are not working! You troubleshoot the searches in your dashboards and find that the fields those searches need do not exist. Where are your field extractions?

Once you see that everything seems to be configured correctly in your app, you go through the TA apps you installed to make sure everything is working together. Everything seems to be...


Simulating Data with the Splunk Event Generator

While installing a new app on your Splunk search head can usually be considered a rather benign action, introducing a TA on your forwarders and indexers sometimes requires more attention. This is especially the case if your production environment is guarded by change control. The problem is that without the data generated by those inputs your newly installed app may not display properly, and without seeing the app’s dashboards populated with data, you may not be able to conclude how useful it really is. I suppose deploying a fully mirrored “dev” environment to...


OH NO!! Splunking log files with multiple formats?? No problem!

I was recently at a client site for a two-week engagement, assisting them with ramping up their Splunk installation, and I came across something particularly interesting. One of the log files the client wanted to index in Splunk contained four different log formats with four different timestamps. Take a look at a sample of the log:
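The post’s own log sample is not reproduced on this page. What follows is an added example, not the client’s log or the post’s code: four constructed line formats, each with a different timestamp style (syslog without a year, ISO 8601 in UTC, epoch milliseconds, and a US 12-hour clock), plus one line with no timestamp at all. The point it illustrates is the one the post raises: a single timestamp rule cannot cover a file like this, so each format needs its own pattern and converter, and the lines that match none of them must be surfaced rather than silently given a guessed time. The year and timezone assumed for the stamps that omit them (ASSUMED_YEAR, ASSUMED_TZ) are assumptions and are marked as such in the code.

```python
"""Normalising a log file whose lines carry four different timestamp formats.

Added example, not code from the original post. The four line shapes are
constructed stand-ins for the (unpublished) client log. ASSUMED_TZ and
ASSUMED_YEAR are assumptions for stamps that carry no offset or year.
"""
import re
from datetime import datetime, timedelta, timezone

ASSUMED_TZ = timezone(timedelta(hours=-5))   # assumed: local offset for stamps without one
ASSUMED_YEAR = 2012                           # assumed: syslog-style stamps carry no year

# Constructed sample, not real data. Every line is a different format.
SAMPLE_LOG = """\
Dec 21 09:12:01 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
2012-12-21T14:12:05Z level=WARN component=auth msg="lockout threshold reached" user=admin
1356099130123 WARN cache: eviction storm, 1200 entries dropped
12/21/2012 09:12:11 AM [Thread-7] ERROR Backend unreachable, retrying
this line has no timestamp at all
"""


def _syslog(ts):
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=ASSUMED_TZ)


def _iso8601(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _epoch_ms(ts):
    ms = int(ts)
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)


def _us_12h(ts):
    return datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=ASSUMED_TZ)


# One (name, anchored regex, converter) per format. All patterns are anchored
# at the start of the line so a stamp buried inside a message is not mistaken
# for the event time.
FORMATS = [
    ("iso8601",  re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<msg>.*)$"), _iso8601),
    ("us_12h",   re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) (?P<msg>.*)$"), _us_12h),
    ("epoch_ms", re.compile(r"^(?P<ts>\d{13}) (?P<msg>.*)$"), _epoch_ms),
    ("syslog",   re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$"), _syslog),
]


def parse_line(line):
    """Return {"fmt", "ts", "msg"}; fmt and ts are None when no known format matches.

    Refusing to guess is deliberate: an indexer that cannot find a timestamp
    typically falls back to something else (the previous event's time, or the
    file's modification time), which silently puts the event in the wrong place
    on the timeline."""
    for name, rx, conv in FORMATS:
        m = rx.match(line)
        if m:
            return {"fmt": name, "ts": conv(m.group("ts")).astimezone(timezone.utc), "msg": m.group("msg")}
    return {"fmt": None, "ts": None, "msg": line}


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def unparsed(events):
    """Lines that matched no format; each one needs a fifth pattern or a fix at the source."""
    return [e["msg"] for e in events if e["fmt"] is None]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in sorted((e for e in events if e["ts"]), key=lambda e: e["ts"]):
        print(e["ts"].isoformat(), e["fmt"], e["msg"][:50])
    print("unparsed:", unparsed(events))
```

Once every stamp is normalised to UTC the four constructed lines land ten seconds apart in the order they were written, which is the check to run before trusting any multi-format file: if events from one format cluster hours away from the others, that format’s offset or year assumption is wrong. The unparsed list is the other thing to watch; it should be empty on a representative sample before the file goes anywhere near production.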

Splunk Data Input Pipeline and Processors

Image courtesy of the Splunk on Splunk App

I recently attended Splunk’s worldwide user conference, .conf 2012. It was held at the ultra-modern and chic Cosmopolitan Hotel in the heart of Las Vegas, Nevada. Over 1000 people attended the conference and there were 90+ information sessions geared towards a wide range of Splunk user levels. At any given moment over the 3-day conference, there were 12-16 sessions going on at the same time. There was literally a world of knowledge being handed out to anyone who...


The Seven Dwarfs of Data On-boarding in Splunk

In my time working with and using Splunk, I have learned a few tricks and tips to make the Splunk experience even better. This post assumes you are familiar with a few Splunk keywords. If you are having trouble following along, take a look at this link and look up the terms: http://docs.splunk.com/Splexicon. If you have never seen Splunk before, I suggest taking a look at the Splunk Tutorial to familiarize yourself with the product: ...

