Extract and Alias Field Names in Splunk 4.0 Now
I’ve had this topic come up in several technical conversations lately, so I thought I would blog about it now.
Situation: You have two different source types containing common key field values, but the actual name of the field itself is different within each of the source types.
Question: How do you produce a report within Splunk that correlates all of these fields values together under one normalized field name?
Answer: Use the new FIELDALIAS and EXTRACT features included with Splunk 4.0 to normalize the field name at search-time.
Example: Let’s suppose you have two different types of call detail records, each containing a number that represents the total duration in seconds that someone is on a phone call.
One CDR event looks like this:
TELCOE,2.1,7e197787-655330a9-7a458301-70845177@12.13.20.20,,0,,H,,S,,sip:7622550@127.10.15.17:5050, sip:5558889999@120.10.20.20:55555,TELCO:Dallas,TX,0,sip:7622555@110.130.52.25:5050,NORTH:NORTH,200,0,1,0,1,0,08/02/2009:05:03:21,08/02/2009:02:03:22,92,UNKNOWN,0,0
and the…
The Yoda Analogy
After demonstrating the amazing features and capabilities of Splunk to numerous clients over the past couple years, I find that people still perceive it to be a very disruptive technology. So much so, it’s still difficult for some to truly understand the magic of Splunk.
They ask me “How is it that I can feed Splunk any kind of IT data I want, log files, SNMP traps, alerts, configuration files, xml, whatever, and know it will be indexed correctly?”
The answer is one of the most powerful features of Splunk, called Universal Indexing, and hopefully, by the time you finish reading this article, you will have a better understanding of what that is and why it is so powerful.
To start down that path to…
Splunk for Xitive Xactions
Happy New Year and thanks to everyone who has been subscribing to my blog recently. I greatly appreciate it!
Every week people ask me to show them how to use Splunk to stitch together multiple events that might exist in different locations within different sources because, from an IT perspective, they are considered to be part of larger transaction groups. They tell me they want to know how to do this because the ability to trend against transitively-related events becomes very powerful in helping them understand the reality of IT operations and how efficiencies can be increased and costs can be more quickly and significantly reduced.
I thought I would share a quick example of how to do this using the transaction command.
Let’s…
Splunk is _piping_ hot!
That’s right! It’s “on fire” folks! Hotter than the sun! Burning its way into the thoughts and minds and data centers across the world.
Unfortunately, what I wanted to talk about today is not related to how hot Splunk is, but rather to a very special and sometimes misunderstood character called “the pipe”. For most of us tech geek types, the pipe is our friend. We use it all the time at the command line to make efficient use of our tools and our time. For non-techie folks, it may be a more mysterious or intimidating concept, so I felt it might be a good topic to discuss and demonstrate: just what it is and how to use it in the Splunk search box.
Also…
Open Letter to Company Leaders
Dear CEO, CTO, CIO, and other Company Leaders,
Consider this letter a wake-up call.
As an individual responsible for setting the vision of your company, please be aware that the people who work for you now, those smart, intelligent, high-tech individuals who believe in your vision, who are extremely proud of serving you, do not want to let you down.
Every day, these individuals work hard for you and you pay them well for their services. They are system and network administrators, security analysts, application developers, infrastructure architects, QA testers, and various other IT consultants.
As these individuals attempt to move your company forward towards explosive growth and expansion, incredible innovation, and unbounded profitability, you are either not aware of or not focusing enough…
…a new Splunk song idea just popped into my head…
…actually a couple ideas for songs about Splunk have made their way into my geeky little brain since my last blog post. Yeah, yeah, I know what you’re saying…”Hey Maverick, the world doesn’t need another nerdy song about an IT Search Platform.” My natural response is, you’re probably right, but I can’t help myself. I’m a nerd, a songwriter, I love Splunk: I have no choice!
So where’s the mp3, dude?!
Truth is, I am just too damn busy these days to spend time on it. That is one of the reasons why I haven’t posted a new blog entry since September of last year. Turns out the demand for Splunk has increased significantly since then, which means I am traveling more…
My Interview with an IT Event
The following is a short interview I conducted with an IT event that I discovered last week while investigating an issue within my data center.
Maverick
Hello and thank you for taking time to participate in this interview.
IT Event
No problem. Thanks for having me, Mav.
Maverick
So tell us a little bit about yourself. What kind of event are you? Syslog? Web App? Proxy Log?
IT Event
Sure. I’m a syslog event.
Maverick
I see. Any particular kind?
IT Event
Well, I’m NOT a syslog-NG event, if that’s what you mean. Just plain standard syslog.
Maverick
No. I mean, what type? User event? SNMP trap? Something like that?
IT Event
Oh, yeah, I’m an sshd “session opened” event.
Maverick
As in reporting USER activity?
IT Event
Precisely.
Maverick
That makes sense. So when were you written out to the log…
In case you did not hear, v3.0 is GA!!11!1!
As we say here in Dallas, TX, YEEEEEEEEEE-HAW!!!1!11!!
In celebration of this wonderful day, I would like to redirect you to a previous blog article regarding a song I wrote about being a Splunk user. It’s real geeky, I admit, but hey, if you use Splunk or are thinking about it, I am sure you can relate to it. And if you are a long-time customer already, well, then… you know doing geeky stuff like this is part of being a Splunkhead.
Check out my rap song called “Splunk IT”
Also, if you have a sysadmin that is an absolute rockstar where you work, please go and nominate them for Sysadmin of the Year. Let us know what makes them…
Yo, I am telling you, dog, you need to Splunk IT!
After being extremely inspired by all you die-hard Splunk fans out there, I decided to lay down some high-tech “geeky” rhymes over some old familiar classic rock riffs, including Queen’s “We Will Rock You”, Rush’s “Tom Sawyer”, and AC/DC’s “Back In Black”. So…
Yo, dog, turn up da bass and check it….Maverick is in da hayouse!
Here are the sick lyrics, dog!
Splunk IT (a rap by Eric “Maverick” Garner)
Copyright © 2007, Garner. All rights reserved.
We got all kinds of issues occurring in the system
They’ve always been there, but I guess we just missed ‘em
We need Splunk to help troubleshoot it
We got Red Hat 3.0, so we won’t have to chroot it
Yo, we got hundreds of servers in multiple locations
And the IT…
Splunk SEs: Your "HowTo" Team
Recently, I received an email from a client who was struggling with a Splunk configuration issue. He was a sysadmin trying to figure out how to set up Splunk-2-Splunk within his private testing environment. The specific issue he was encountering was not so much that the Splunk software was not working or was throwing an exception; rather, it was about him trying to understand the “how to” part of Splunk-2-Splunk.
I think anytime you have a technical IT tool like Splunk combined with the ability for a technical person to download, install, and evaluate it for FREE, you will also have plenty of “how to” questions that will naturally accompany those evaluation efforts.
With this said, I want to remind all…