Command Line Splunk

Petronas Towers, Kuala Lumpur

At the recent Hack In The Box Conference in Kuala Lumpur, Malaysia, I was presenting on insider crime visualization. I was also showing how you can use Splunk on the command line (and through the Web interface) in order to retrieve events and process them further with your own scripts. One of the ways to use Splunk on the command line is simply the following:

./splunk search "ipfw | fields + SourceAddress DestinationAddress" -auth admin:changeme | awk '{printf "%s,%s\n",$1,$2}' | afterglow -t -b 2 | neato -Tgif -o test.gif

What this command does is run a search in Splunk. The search extracts only two fields from the logs, the SourceAddress and the DestinationAddress. Then you format Splunk's output as CSV (I think there is also…
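As an added example (written for this page, not code from the original post or from Splunk), here is the same post-processing step done in a short Python script instead of awk. It consumes the CSV header row the CLI prints so the field names never turn into graph nodes, skips events that lack one of the two fields, collapses repeated source/destination pairs into one weighted edge, and writes DOT directly so neato can render it without afterglow. It assumes the search is run with `-output csv`; the sample input, the script name `splunk2dot.py` and the field names are assumptions for illustration.

```python
import csv
import io
import sys
from collections import Counter

# Constructed sample of what the Splunk CLI is assumed to print for
#   splunk search "ipfw | fields + SourceAddress DestinationAddress" -output csv
# (a header row, then one row per event). Not real firewall data.
SAMPLE_CSV = """SourceAddress,DestinationAddress
10.0.0.5,192.168.1.10
10.0.0.5,192.168.1.10
10.0.0.7,192.168.1.10
10.0.0.5,8.8.8.8
10.0.0.9,
"""


def parse_pairs(text, src="SourceAddress", dst="DestinationAddress"):
    """Count (source, destination) edges in CSV text.

    DictReader consumes the header row, so the field names never become
    nodes, and rows where either field is empty (the event did not carry
    it) are skipped instead of producing a dangling edge.
    """
    edges = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        s = (row.get(src) or "").strip()
        d = (row.get(dst) or "").strip()
        if s and d:
            edges[(s, d)] += 1
    return edges


def _dot_id(name):
    """Quote a node name for DOT, escaping backslashes and double quotes."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_dot(edges):
    """Render the edge counter as a directed graph. Repeated pairs become a
    single edge whose label and width reflect how often it was seen."""
    lines = ["digraph traffic {", "  overlap=false;"]
    for (s, d), n in sorted(edges.items()):
        lines.append(
            f"  {_dot_id(s)} -> {_dot_id(d)} [label=\"{n}\", penwidth={min(n, 5)}];"
        )
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Read the CLI output from stdin; fall back to the sample when run by hand.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CSV
    print(to_dot(parse_pairs(data)))
```

Used in place of the awk and afterglow stages of the pipeline above, the invocation becomes `./splunk search "ipfw | fields + SourceAddress DestinationAddress" -output csv -auth admin:changeme | python3 splunk2dot.py | neato -Tgif -o test.gif`. Because the edges are aggregated, a host that talks to the same destination a thousand times shows up as one thick edge rather than a thousand overlapping lines, which is usually what you want when looking for unusual traffic patterns.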

» Continue reading

My Interview with an IT Event

The following is a short interview I conducted with an IT event that I discovered last week while investigating an issue within my data center.

Maverick
Hello and thank you for taking time to participate in this interview.
IT Event
No problem. Thanks for having me, Mav.

Maverick
So tell us a little bit about yourself. What kind of event are you? Syslog? Web App? Proxy Log?
IT Event
Sure. I’m a syslog event.

Maverick
I see. Any particular kind?
IT Event
Well, I’m NOT a syslog-NG event, if that’s what you mean. Just plain standard syslog.

Maverick
No. I mean, what type? User event? SNMP trap? Something like that?
IT Event
Oh, yeah, I’m an sshd “session opened” event.

Maverick
As in reporting USER activity?
IT Event
Precisely.

Maverick
That makes sense. So when were you written out to the log…

» Continue reading
Dev:

Scrum caps for scrums

We have been using agile development processes at Splunk for the past few months, including sprints, daily standing meetings and functional scrum groups. Our fearless chief mind, David, suggested that we should have a team leader hat, like they wear for a rugby scrum, to protect them from thrown objects.

Our scrum leader

I thought it was a great idea too, what do you think?

» Continue reading

JavaScript Key Binding

Keyboard shortcuts are a powerful and useful UI interaction pattern. Surprisingly, detecting and binding to keyboard events is not a simple task in browsers.

E.Key.

Meet E.Key, a JavaScript key event listener utility that tries to help. VI and Emacs browser key bindings, no problem!

Happy keyboard shortcuts,
Carl (Doc Yes)

» Continue reading

Locating IP Addresses

Google Earth Through Splunk

In one of my old blog posts I talked about how to do a lookup of IP addresses to map them to a geo location. That time, I was showing how it is done on the command line and totally outside of Splunk. However, what I really wanted is a way to lookup the locations within Splunk whenever an IP address is shown in an event.

A lookup should take the IP address, figure out its coordinates and then plot the result on a map. What better to use than Google Earth and Google Maps. This is what my Google add-on does. The problem that I had to overcome was the mapping of the IP address to a location. I could have used…

» Continue reading
Dev:

Intangibles

There are lots of subtle things that are required for good user experience. Simplicity, speed, comprehensibility, consistency. These are the core values of any software, and there’s a spectrum on which they’re at the other end from ‘Features’.

Features are cool. They make you sound smart. Whether you’re a customer talking to a sales guy, or an engineer fleshing out an idea you had. New stuff tends to show up in sentences as the word ‘feature’. It’s exciting. Sure it has a certain cost in speed or something. It tends to not color entirely within the lines. But that’s OK. It’s new, therefore it’s cool.

Jumping forward many years though, everything at some point was new, and gets old and those…

» Continue reading
Dev:

wayback machine

I’m a pretty nostalgic guy, so hanging out with me there’s a lot of ‘back in the day’, ‘onion on my belt’ kind of stuff. You have been warned.

So my history at Splunk — I started here in March ‘05. First UI Developer, inheriting the front end built by our notorious founder Erik Swan. They brought me in as a dHTML guru and gave me free rein (crossed fingers notwithstanding). But for better or for worse Splunk has always been pretty different on the client-side. Even the alphas and private betas were all client-side XSLT and had that holy crap moment where you wonder why the hell everything is clickable and lighting up on mouseover.

Then during the sprint…

» Continue reading

SplunkBase Gets a Big Face Lift


Maybe you noticed, maybe you didn’t but SplunkBase got a big face lift last week. We have a really amazing team of people who have been taking all your input and revitalizing our community IT knowledge base over the last several months. Our goal is to keep plugging away and innovate different ways to enable the sharing of IT knowledge and cool ways to use Splunk. We’re also now eating our own dog food. Splunk support is now using SplunkBase to support our own products and services.

So what’s new?

  • Answers – a large and growing set of answers about Splunk, IT events and different types of technologies that generate a lot of IT data.
  • How-To’s – more in-depth recipes for everything from configuring syslog-ng to…
» Continue reading

Driving Miss Erik

Adventures on a mini-bike amongst the boxes in engineering:

External view:

Internal view:

» Continue reading

Dev vs. Support Boat Race

Dev destroys support in a 4 on 4 boat race.

» Continue reading