Quick tip when working with stats command

When you're working with the stats command, it's often nice to rename the fields to drop the aggregation type:

| makeresults count=3
| streamstats count
| eval foo="bar"
| stats latest(foo) as foo latest(count) as count

This gets annoying because of all the extra typing involved, and it violates the DRY principle.

Instead, try this next time:

Splunk Tip: Regex Extractions in Props.conf

When you create an extraction in props.conf (a search-time field), you specify the name of the new field through a named capture group in the regular expression. For example:

EXTRACT-foo =  (?P<foo>\w+)

This configuration will create a field "foo" with a value of the first word found in the _raw field. You can also specify a field besides _raw in your extraction:

EXTRACT-foo =  (?P<foo>\w+) in host

How to change the default search time range in Splunk 6

This is a simple request, but the official docs are out of date.

  1. Create a file: $SPLUNK_HOME/etc/apps/search/local/ui-prefs.conf
  2. Create a search stanza like this:

    [search]
    dispatch.earliest_time = -7d@d
    dispatch.latest_time = now

Restart Splunk and you're good to go!

VirtualBox bridged networking doesn't work (OS X 10.11 El Capitan)

If you are having trouble getting a Linux (Ubuntu, in my case) guest OS to get a network address using "bridged networking", make sure you have installed "virtualbox-guest-additions-iso".

You can install this package through apt-get:

apt-get install virtualbox-guest-additions-iso

As soon as I installed this package, my Ubuntu 15.10 Server guest received a DHCP address and was connected to my network!

An Open Source Economy

Indulge me for just a moment, and consider a future in which you choose a bank just as easily as you choose a gas station. Where banks charge competitive fees for the useful commodity services that they actually provide. Where the banks don't hold a monopoly on access to the financial system. Where individuals like you and me can autonomously contribute to the development and improvement of the financial system.

I Just Discovered Simple XML Dashboard Extensions!

I just discovered that Simple XML dashboards in Splunk can be customized with JavaScript! That's right, the point-and-click dashboards can be customized in a very powerful way. Here are the official docs, and an official example.

How to Make Faster Joins in Splunk

Although it's often possible--and recommended--to avoid the join command, sometimes it is necessary to use join. I was recently exploring the performance impact of the join command and I wanted to share my findings.

Splunk Configuration Management -- my progress so far

Part of being a responsible software engineer includes the systems engineering process of configuration management. Although backups and access controls are a necessary part of maintaining a secure IT system, relying on these processes for configuration management is inefficient and dangerous.

How to Monitor Splunk Index Growth Over Time

Although you can use the Splunk on Splunk app to monitor Splunk index sizes (and many other things!), you might be interested in monitoring index growth over time as well. I'll show you how to do that.

Just for demonstration purposes, you can run this search to see the kind of data that we will collect. This uses the rest command to collect the current index metadata from the Splunk REST API. As you can see, I renamed a few fields just for aesthetic reasons.

How to Delete Splunk Events When Using a Transforming Command

Recently, I needed to delete some events that matched certain summary conditions. For example, where the event count exceeds a certain threshold:

Example showing event search with stats criteria

Now, if you try to delete the events by appending | delete, you'll receive an error:

Error in 'delete' command: This command cannot be invoked after the non-streaming command 'stats'