Social Media Roundup
Because Splunk can index any kind of data, many of our customers have found it useful for indexing and analyzing social media events like Tweets, Facebook posts, and blog posts.
Tweets posted during Hurricane Sandy from the affected regions were indexed and analyzed. They were used to track how many people left the area and when they left relative to the arrival of the storm, people’s sentiment regarding levels of critical supplies, and people’s levels of anxiety and fear.
Using built-in Splunk analytics capabilities combined with add-ons like Sentiment Analysis, this site indexes and correlates data from regulations.gov to better understand public sentiment as it relates to specific regulations. The site provides insight on …
IHAC: Splunk, Cisco Meraki Data, and Line Wait Times
I Had a Customer (IHAC…now that makes sense…) who wanted to see how we could combine Splunk and Cisco Meraki Data to calculate wait times. View the video to see how we did it and, if you want to follow along with your own Splunk instance, download the app!
IHAC: Splunk for Cisco Meraki Data
I Had A Customer (IHAC, get it?) give us data from a Cisco Meraki device stationed in their facility. Their ask? Can we Splunk the Cisco Meraki data to analyze foot traffic? My answer? Of course! The video shows how. If you want to try it at home, download the app and install it on your own Splunk instance.
Data Model Cheat Sheet
Have you been curious about how to incorporate data models into your Splunk life, but unsure about how to take the first step? Try this cheat sheet! It takes you step-by-step through the process of thinking about your data and creating usable data models to use yourself and share with others!
Quick N’ Dirty: Retention
Inspired by a customer conversation, I recently posted a blog entry on funnels. This customer also asked about calculating retention. As it happens, retention is just a variation on the funnel concept. The main difference is that we add the subsearch concept.
So, first, let’s define retention in the way this customer defined it. For him, retention was defined as the percentage of this week’s users who also visited last week or the week before.
Let’s start with the first part of the question. Specifically: how many unique visitors did we see this week?
sourcetype=retention | stats dc(VisitorID) as this_week
Quick N’ Dirty: Funnels
I recently had a customer ask me how to calculate funnels in Splunk. His source data consisted of custom application logs, but this method will work with any logs that have a field representing a unique visitorID.
In this context, a “funnel” is a calculation that shows what percentage of visitors progressed through each step in a process, usually a purchase process. So, for example, a classic funnel would show how many people visited a site, clicked on a product page, added the item to their shopping cart, and then purchased the item.
In Splunk, of course, this is simple, as long as you are familiar with the appendcols function. The appendcols function allows you to “glue” two independent searches …
Quick n’ Dirty: Splunk Form Cheat Sheet
Have you ever made a terrific dashboard in Splunk and then thought… “Hmm, this is such a great dashboard, but I wish I could filter it for a subset of this data” or “Hmmm… this dashboard should win an Academy Award, and now I’d like to exactly recreate it but for a different set of data”? Yes? Then you’re a great candidate for Splunk’s Simple XML forms.
There’s some great documentation on that topic here, but no documentation is so great that it can’t be improved with a cheat sheet. I’ve made one and it lives here. Enjoy and please email me (firstname.lastname@example.org) with praise, concerns, suggestions, and knock knock jokes.
Capturing Omniture (or Google Analytics, or Webtrends) Data into Splunk
Option #1: CSV Export
Quick N’ Dirty: Delimited Data, Sourcetypes, and You
Sometimes you have data. It’s great data, it’s consistent data, and it would just be a heck of a lot more useful if Splunk knew each and every field.
You could always do it old school and use Splunk’s built-in Interactive Field Extractor (also known as IFX). Upside: it’s easy. Downside: you’ll need to extract each field individually. And if your data has, like, twenty columns, that’s a lot of extracting you’re doing. There’s a faster way.
If your data is delimited, there’s an easier way to teach Splunk to understand it. As long as your data is consistently delimited…say with a space, comma, or tab…you can teach Splunk how to separate the data and how to label …
Many of our customers use Splunk to analyze their Web traffic simply by indexing their Apache or IIS server logs. Those logs are useful, but in many cases they only provide half the picture. This blog shows how you can send both server-side and client-side data to Splunk and have the best of both worlds.
What is server-side and client-side? Let’s say you’re reading this on blogs.splunk.com. You’ve loaded this page and that action has been recorded in the Apache server log, also known as server-side. However, there are some interactions you can have with this page that won’t show up in the logs. For example, you could “mouse over” the list of categories on the right nav or …