splunk

Normally, I prefer to send CSV or JSON data to Splunk. But sometimes XML can't be avoided. I recently needed to ingest an XML file, and through judicious use of 'MUST_BREAK_AFTER' and 'BREAK_ONLY_BEFORE' in props.conf, I was able to extract the events from the XML file that looked like this:

In this short tutorial I will show you how to create a dashboard table with dynamic columns. When the user selects the radio button toggles, the search does NOT run again -- only the display is updated. Demo: https://youtu.be/l-p83je4RgQ

I am including the full source code to the dashboard with this post for your review. But here's the secret sauce:

I've been having trouble indexing CSV files. In particular, CSV files from Tripwire. I'll show you the format and how I was able to index the files in Splunk

Node Name,Node Type,Policy,Parent Test Group,Test Name,Description,Element,Result Time,Result State,Actual Value
"192.168.1.1",Linux Server,"My Policy Name","My Test Group","My Test Name","My Test Description","Some Element",10/25/15 2:02 AM,passed,"ELEMENT=foo"

Here's my Props.conf stanza:

I've been working with Splunk Enterprise a lot lately (and it's very powerful and easy to use!). In many situations, it is useful to show some metric compared to the same metric a month ago (or some other time period).

One way to accomplish this is with the community-supported Splunk app, Timewrap. I couldn't get Timewrap to output the data as I wanted, so instead here's the approach that I used.