Social Media Roundup

Because Splunk can index any kind of data, many of our customers have found it useful for indexing and analyzing social media events like Tweets, Facebook posts, and blog posts.

Hurricane Sandy

Tweets posted during Hurricane Sandy from the affected regions were indexed and analyzed. They were used to track how many people left the area and when they left relative to the arrival of the storm, people’s sentiment regarding levels of critical supplies, and people’s levels of anxiety and fear.

eRegulations Insight

Using built-in Splunk analytics capabilities combined with add-ons like Sentiment Analysis, this site indexes and correlates data from to better understand public sentiment as it relates to specific regulations. The site provides insight on …

» Continue reading

IHAC: Splunk, Cisco Meraki Data, and Line Wait Times

I Had a Customer (IHAC…now that makes sense…) who wanted to see how we could combine Splunk and Cisco Meraki Data to calculate wait times.  View the video to see how we did it and, if you want to follow along with your own Splunk instance, download the app!

» Continue reading

IHAC: Splunk for Cisco Meraki Data

I Had A Customer (IHAC, get it?) give us data from a Cisco Meraki device stationed in their facility.  Their ask?  Can we  Splunk the Cisco Meraki data to analyze foot traffic?  My answer?  Of course!  The video shows how.  If you want to try it at home, download the app and install it on your own Splunk instance.


» Continue reading

Data Model Cheat Sheet

Have you been curious about how to incorporate data models into your Splunk life, but unsure about how to take the first step?  Try this cheat sheet! It takes you step-by-step through the process of thinking about your data and creating usable data models to use yourself and share with others!

» Continue reading

Quick N’ Dirty: Retention

Inspired by a customer conversation, I recently posted a blog entry on funnels. This customer also asked about calculating retention. As it happens, retention is just a variation on the funnel concept. The main difference is that we add the subsearch concept.

So, first, let’s define retention in the way this customer defined it. For him, retention was defined as the percentage of this week’s users who also visited last week or the week before.

Let’s start with the first part of the question. Specifically: how many unique visitors did we see this week?

sourcetype=retention | stats dc(VisitorID) as this_week

Next, we ask the second part of the question: of those visitors, how many were here last week as …

» Continue reading

Quick N’ Dirty: Funnels

I recently had a customer ask me how to calculate funnels in Splunk. His source data consisted of custom application logs, but this method will work with any logs that have a field representing a unique visitorID.

In this context, a “funnel” is a calculation that shows what percentage of visitors progressed through each step in a process, usually a purchase process. So, for example, a classic funnel would show how many people visited a site, clicked on a product page, added the item to their shopping cart, and then purchased the item.

In Splunk, of course, this is simple, as long as you are familiar with the appendcols function. The appendcols function allows you to “glue” two independent searches …

» Continue reading
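The retention search described two posts above, carried through to a percentage, as an added illustration rather than the original post's own SPL: it glues an independent search onto the weekly count with appendcols (the same trick the funnel post relies on) and uses a subsearch to keep only this week's visitors who also appeared in the two prior weeks. The sourcetype and the VisitorID field come from the page; the week boundaries (-7d@d, -21d@d) are an assumption about how "this week" and "the week before" were defined.

```spl
sourcetype=retention earliest=-7d@d latest=@d
| stats dc(VisitorID) as this_week
| appendcols
    [ search sourcetype=retention earliest=-7d@d latest=@d
        [ search sourcetype=retention earliest=-21d@d latest=-7d@d
          | stats count by VisitorID
          | fields VisitorID ]
      | stats dc(VisitorID) as returning ]
| eval retention_pct=round(100*returning/this_week, 1)
| table this_week returning retention_pct
```

The inner subsearch expands to a VisitorID=… OR VisitorID=… filter, so on a busy site check the subsearch result limit (10,000 by default) or the returning count will be silently understated.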

Quick n’ Dirty: Splunk Form Cheat Sheet

Have you ever made a terrific dashboard in Splunk and then thought…”Hmm, this is such a great dashboard, but I wish I could filter it for a subset of this data” or “hmmm….this dashboard should win an Academy Award, and now I’d like to exactly recreate it but for a different set of data”.  Yes?  Then you’re a great candidate for Splunk’s Simple XML forms.

There’s some great documentation on that topic here, but no documentation is so great that it can’t be improved with a cheat sheet.   I’ve made one and it lives here.  Enjoy and please email me ( with praise, concerns, suggestions, and knock knock jokes.

Download Splunk Simple XML Form Cheat Sheet

» Continue reading

Capturing Omniture (or Google Analytics, or Webtrends) Data into Splunk

I’ve spoken to many customers who love their client-side tracking tools (Omniture, Google Analytics, Webtrends, etc.) but also want to get that data into Splunk so that they can correlate web traffic data with other things and really see “the big picture”.  But how?  What are the options?  Basically there are four ways to go:

Option #1: CSV Export

Create a report in your client-side tracking tool of choice and export the data.  In Splunk, upload the data (“Manager > Add Data > From files and directories”) and voila, you may now visualize and correlate to your heart’s content.
Pros: Easy and fast access to Splunk’s correlation, visualization, and analysis features.
Cons: Not automated, not real-time, and limited access to

» Continue reading

Quick N’ Dirty: Delimited Data, Sourcetypes, and You

Sometimes you have data.  It’s great data, it’s consistent data, and it would just be a heck of a lot more useful if Splunk knew each and every field.

You could always do it old school and use Splunk’s built-in Interactive Field Extractor (also known as IFX).  Upside: it’s easy.  Downside: you’ll need to extract each field individually.  And if your data has, like, twenty columns, that’s a lot of extracting you’re doing.  There’s a faster way.

If your data is delimited, there’s an easier way to teach Splunk to understand it. As long as your data is consistently delimited…say with a space, comma, or tab…you can teach Splunk how to separate the data and how to label …

» Continue reading

Client-Side Splunk!

Many of our customers use Splunk to analyze their Web traffic simply by indexing their apache or IIS server logs.  Those logs are useful, but in many cases they only provide half the picture.  This blog shows how you can send both server-side and client-side data to Splunk and have the best of both worlds.

What is server-side and client-side? Let’s say you’re reading this on  You’ve loaded this page and that action has been recorded in the apache server log, also known as server-side.  However, there are some interactions you can have with this page that won’t show up in the logs.  For example, you could “mouse over” the list of categories on the right nav or …

» Continue reading