Letters from a Splunk Admin
No one writes letters anymore. It’s been such a long time since I’ve written a letter, it got me thinking what I would even write about… which then got me thinking what would a Splunk Admin write a letter about? If your awesome Splunk Admin were to write a letter, it might go something like this…
A Common Language for DevOps
Is DevOps short for “building a bridge over shark-infested waters while juggling on a unicycle?” No, no, of course not. That’s SecOps. In the time I’ve worked at Splunk, observing the DevOps relationship has been somewhat like watching two tribes learn a common language. Communication begins with a hurried knowledge transfer session just as an application is pushed into production. It might include a short list of error codes and their descriptions or a page posted to an internal wiki with log locations. It might end as an awkward dance of hand gestures, contorted facial expressions and primitive grunting noises.
Imagine my surprise and excitement to encounter a DevOps relationship where both parties spoke the same language. Last month, it was my distinct pleasure to work with Sudip and Adam, who both work for a forward company which creates software so you can collaborate anywhere with anyone. Sudip and Adam presented their DevOps story and regaled us with their success using Splunk as common ground.
Deployment Server Goodies
Did you know Splunk can help manage the menagerie of its own configuration files? If you are already using Puppet or Chef or some other tool of choice, this discussion is likely not relevant to you. If you are planning to implement Deployment Server or want to improve your current setup, however, let’s roll. After all, it is that time of year to start thinking about changes… the good kind of course.
Please note: the intent of this post is not to extol the virtues of Deployment Server over any other tool for managing config file changes. We at Splunk do not feel strongly if you do or you don’t use Deployment Server. Licensing does not change as the Deployment Server is a core Splunk feature. And we understand there are plenty of considerations to weigh when choosing an update tool, the most obvious being you already have a change control process with an associated tool. For the souls who have decided to use Splunk’s Deployment Server, the intent is to present gotchas and guidelines.
Shiny Splunk Cake
It’s the season of shiny objects and there are a lot of them swirling around at Splunk–the newly announced Splunk Developer Platform, Splunk for Big Data, Splunk Storm, Splunk 4.3. I am a big fan of shiny objects, especially these. They are the icing that makes the cake. Icing without the cake is just… well, too sweet. So let’s make sure our cake is in good order.
What’s Your ulimit?
If you don’t know the answer to that question, you should go into the corner for a 5 minute time out. No need to beat yourself up for not knowing. It’s not something most people would think to check when deploying Splunk. Since it usually rears its slightly-monstrous-yet-interesting head when system load creeps higher, let’s just set it and forget it. Or for a little added drama, address it when Splunk crashes or hangs.
Back to School
Every year Splunk has been the summer home for talented interns from universities all over the world. This year was no exception. We now have a college recruiter onboard to source the best talent from higher education. While our deluxe interns have been toiling spectacularly in Splunk Engineering and Solution Pods, there are countless interns out there working on projects for our customers. I had an incredible time working with 2 such interns from the University of Wisconsin-Madison. Emily and Peter were assigned to Splunk projects when they signed on as summer interns with one of our long time customers, a leading innovator in the personal and business finance sector.
Workshop on Supercharging Your Searches
One of the questions I often hear is, ‘Where’s the turbo button?’ We’re working on that, but it’s not easy to make a turbo button that will work for everyone, so we want to empower you to make better decisions about how you search. This is a workshop designed to help Splunk users supercharge their searches, slim down searches by addressing common mistakes and help users understand how the search engine works under the hood. In many ways, performance is governed by the hardware and Splunk infrastructure already in place; however, there are some critical decisions users can make to increase search speeds. Get smarter. Go faster.
The New Splunker Workshop: Part II
The second in our workshop series for the Splunk Admin / Owner / Program Manager is a session to introduce new and experienced users to Splunk reports and dashboards.
It was a little surprising, but not uncommon, to learn from some of our veteran Splunkers they didn’t know Splunk could create interactive, smart visuals (also known as graphs/charts/reports) and arrange them quickly on custom dashboards. This 30-45 minute workshop will catapult searchers into a whole new world of visualizations.
How Much Does a Sourcetype Cost?
A while ago, I published a guide on taming sourcetypes. It turns out, Scenario 4 is not as rare as originally thought. It is the case where a single stream of data contains multiple types of events. Splitting the stream into multiple sourcetypes requires the use of an index-time transform to rewrite the sourcetype metadata field. How much does each transform affect indexing performance? Is the degradation linear or exponential? Let’s find out.
The New Splunker Workshop
As a kid, I was a devoted fan of the New Yankee Workshop. Yes, I much admired Norm’s plaid shirts and planned some day to have my own workshop where I could build highboys and rocking chairs to my heart’s delight. Things didn’t quite pan out that way, but that doesn’t mean I’ve abandoned workshops altogether. I’ve just taken to a different kind of workshop–the kind to pull basic users along the learning curve to become Splunk search experts or at least more Splunk savvy.