Find size of lookup files in Splunk Web


I needed to list the lookup tables and their sizes using Splunk Web. Here's a query to do just that!

| rest splunk_server=local /services/data/lookup-table-files/
| rename eai:acl.app as app
| table app title
| search NOT title IN (*.kmz)
| map maxsearches=990 search="| inputlookup $title$
| eval size=0
| foreach * [ eval size=size+coalesce(len('<<FIELD>>'),0) ]
| eval app=\"$app$\", title=\"$title$\"
| fields app title size"
| stats sum(size) as size by app title
| sort - size

Splunk foreach command examples


The Splunk foreach SPL command is pretty useful for building powerful queries. Here are some examples that I've created as a reference for how to use this powerful command.

Trello Guide for IT Project Management


I've been a Trello user and fan for a long time. The intuitive interface provides a powerful platform for managing any project in a Kanban or Scrum methodology.


Splunk macro to remove identical fields



Suppose that you have a Splunk query that returns a result set with some duplicate fields. Would you like to remove the duplicate fields so that you can quickly identify the differences between each result? Here's a macro to do it!

Splunk macro to remove empty fields


If you have a Splunk query that returns empty fields, you can use this query to programmatically remove these blanks.

Identifying Splunk forwarders that phone home too frequently


As I've worked on many large-scale Splunk environments, a common problem I've noticed is that Splunk forwarders phone home to the deployment server (DS) too frequently. When a forwarder phones home to the DS more often than necessary, it wastes resources on the DS, and can prevent the DS from deploying apps to forwarders correctly.

Bookmarks every Splunk admin must have

If you are a Splunk admin, consultant, or power user, you may find yourself referring to the docs frequently. I bookmarked the Splunk docs that I frequently use, and I am sharing these bookmarks for everyone to use.

To add these bookmarks to Chrome, open the bookmark manager and then click import bookmarks.

To add these bookmarks to Firefox, open the bookmark manager and then click import bookmarks from HTML.


Splunk saved search (and correlation search!) explorer


As a Splunk administrator, have you ever needed to list out your saved searches in some way? Perhaps you need to know which searches might be accelerated, scheduled, or even real-time scheduled? Here's a quick dashboard to show this information.

The dashboard is available in this GitHub repo.

(Screenshot: saved search explorer)


How to escape text for markdown formatting


If you work with the Markdown markup language, it's only a matter of time before you need to escape the markdown formatting characters. For instance, pasting source code into Trello cards requires the text to be escaped or else certain characters of the source code will be interpreted as markdown.

Quick tip when working with stats command


When you're working with the stats command, it's often nice to rename the fields to drop the aggregation type:

| makeresults count=3 
| streamstats count
| eval foo="bar"
| stats latest(foo) as foo latest(count) as count

This gets annoying because of all the extra typing involved, and it violates the DRY principle.

Instead, try this next time: