That happened: episode 34
Addiction or codependence?
Either way, #splunk = support group
*** jtrucks has joined #splunk
<jtrucks> I was having withdrawal.
<kkolb> hi jtrucks
<jtrucks> amrit|wrk: yes
<@amrit|wrk> that’s why the download’s free
<jtrucks> that first … always is :
<jtrucks> come on, it’s 500MB free!
<jtrucks> you can do it
<jtrucks> everyone is doin’ it.
<@amrit|wrk> and 500mb should last you forever, right?
<jtrucks> oh man yeah
<kkolb> and then one day…you’re HOOKED
<jtrucks> Oh, you like that cloudy stuff…
<jtrucks> well, lemme show you this thing I have under my coat.. SplunkStorm.
<jtrucks> you’ll NEVER have to pay for it and you get a whole GB!
<glitch_> Another question for the geniuses! “index=unix_idx earliest=-2d latest=@d splunk_server=splunxindexer NOT host=splunkindexer | chart count by splunk_server” Every time I run this, the count decreases. I was hoping for the total events for yesterday. Which should be static. What’d I miss?
<glitch_> ah, right. Regardless, 2days ago to midnight should still be static.
<glitch_> d’oh! missing @d on the earliest.
<glitch_> why is it I have to pull out half my hair, then pull out my laptop, skirt around the firewall and open a console irc app, fight with proxies and connect up to all’y’all to see my own mistake?
Don’t linebreak my heart etc etc
Regexes and namechecking my blog will get you a long way:
<rayutsw> what’s the easiest way to say, “Never line break this input”
<^Brian^> “never line break this input or else”
<duckfez> rayutsw: one way is to give it a completely insane LINE_BREAKER, like LINE_BREAKER=([\r\n]*)NeverGonnaGiveYouUpNeverGonnaLetYouDownNeverGonnaRunAroundAndDesertYou
<Yorokobi> If that doesn’t make the “That Happened” blog, I’m gonna be upset. Too funny, duckfez
<DaGryph1> Now I have that song stuck in my head!!!
<duckfez> Achievement Unlocked -> IRC Rickroll
<rayutsw> duckfez: you going to be around in a couple hours? I need some of your regexfu after I return from hooters
<automine> regex and hooters?
<automine> this really is a great channel
Sometimes, the magic is also poop
Splunk> it’s magic, you wouldn’t understand*
<axisys> how do I modify this to show when count is higher than 100?
<axisys> sourcetype=jumpsshd “invalid user” | rex field=_raw “invalid user (?<user>.*) from (?<srcip>.*) port” | search user=”*” srcip=”*” | stats count by srcip
<jspears> | search count > 100
<axisys> jspears: so simple yet I did not think of it
<axisys> jspears: thanks
<jspears> I know, it’s hard to think in terms of Splunk magic
<axisys> jspears: magic indeed
<jspears> when I found out you can remove fields from a timechart the same way, I got vaporlock for a second
<Arsenius> love it how splunk sometimes looks like magic
<Nerf> s/sometimes //
<^Brian^> disturbing thought. I’m writing up an email on the pipeline process and splunk, and how things get applied. And the first thing I thought of was a gastric metaphor
<automine> well, it’s food metaphor for the state of the data, so…
<^Brian^> Splunk> The intestines for your data
<^Brian^> Splunk> Absorbing the goodness from your logs
<automine> yeah, that could get pretty gross
<automine> null queueing
<^Brian^> it could go downhill fast
<Yorokobi> Here is an apropos moment to, once again, state that Splunk poops magic.
<Yorokobi> Back reference: http://blogs.splunk.com/2013/02/06/that-happened-episode-29/
*cf cerby’s custom-embroided Splunk shirt, 2012.