That happened: episode 28

This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: Wired vs wireless, the big data bang, tooting our own horn:

The eternal pursuit of connectivity

There’s a “urine trouble” joke in here somewhere, but I’m not going to go looking for it:

<duckfez> I have two wifi deadspots in the house … my side of the bed, and the toilet.  You can see how both of those must be resolved
<mlanghor> lmao duckfez
<@amrit|wrk> haha
<jspears> I had a CTO way back when who made sure there was a jack in the bathroom when he wired his house
<duckfez> if linksys had not gotten cheap, I could just put a higher gain antenna on my existing kit
<duckfez> jspears: had a colleague who did that.  really messed up his phone lines in the house when his potty-training son used it for target practice
<duckfez> apparently, enough pee in a phone jack will short out pots lines
<Nerf> Store that tidbit of info away for future use
<snowmizer> duckfez: I was wondering about that just a few minutes ago
<duckfez> Nerf / snowmizer – “The more you know…”

Fields are the ‘star stuff’ of Splunk

Surely some of us count as multi-value fields:

<emiller42> well this is fun.  I knocked together an irssi theme to format irc logs into clean key-value pairs
<MuS> splunking #splunk 😀
<emiller42> yup basically
<emiller42> which looks like:  2012-12-21 02:11:56 -0600 event="own_msg";opflag=" ";nick="emiller42";message="yup basically";
<Dutchy> dutchy=”having fun”
<Dutchy> 😉
<emiller42> great now you’re a field
<emiller42> GOOD JOB
<emiller42> 😛
<MuS> aren’t we all only fields in the universe after all?
<MuS> 😀

Reasons to /join #splunk, #20182398 and #20182399

Just being in here makes you smarter:

<t_bizzle> let’s say I have a search time field extraction that I know matches 99.7% of my events coming in
<t_bizzle> and I want to find the unmatched .3% by looking for the absence of a field that regex pulls out
<jrodman> t_bizzle: yeah, no optimizations are available for that
<t_bizzle> in this case, it’s no faster to use ‘NOT field=*’ or ‘| where isnull(field)’
<t_bizzle> yeah
<t_bizzle> it’s only if I can benefit from an index
<jrodman> or sourcetype or other filtering
<jrodman> (time range always helps a lot)
<t_bizzle> definitely
<t_bizzle> and just like that, I learned something on the first friday back to work after the holiday – and I assumed today would be a complete waste!

<jalljo> hmm
<jalljo> didn’t know i wasn’t in here to start, but the indexer must have sensed that i rejoined
<jalljo> as i spent at least 30 minutes trying to find something in the dashboard but as soon as i /j #splunk i see it
<jalljo> go figure, but i’ll take it

