SplunkTalk – #69 – The Walking Dead

Ok… we’re officially never again going to say “we’re back”. Except for right now. We’re back. At Splunk’s 2013 User Conference (a.k.a. “.conf”–get it… dot conf.. our configuration files :P ), a number of listeners came up to us and said “Yo… when’s the podcast coming back?!?!?!?” To that we replied, “well, how about now”. So without further ado, I, Michael Wilde, your faithful Splunk Ninja, would like to introduce an amazing new co-host of SplunkTalk, Hal Rottenberg. (That’s long o in Rottenberg, as in O my gosh he’s great). This episode of SplunkTalk returns with an overview of our favorite features in the newly released “Splunk 6.0”, and a question about a Splunk 6.0 search head on …


SplunkTalk – #68 – Trick or Treat, Splunk 5.0 is Complete!

SplunkTalk is back for its third season. Our apologies for the latency between episodes, but we’re trying to fix that. For season three we’ve got some new segments for our listeners (including stuff for brand new Splunk users) and a new host, Support Manager and Zombie Defense Force General, Corey McClure. This week’s episode highlights a few of our favorite features of Splunk 5.0. Wilde covers Clustering/Index Replication, Maverick chats about Report Acceleration (a.k.a. automatic summary indexing), and Corey gives us some detail around the “bunny rabbit button” in the UI. A new segment debuts this week for “new Splunk users”. Some of you more seasoned Splunk users might *not* know about the hotkeys and mouse clicks you can use in the Splunk Search UI, but for the new users this will help speed up your searching. Wilde is in LOVE with DeployButton.com as he’s been learning Python and building some lookups. DeployButton and GitHub make it really easy to push code and configs from your desktop to a server. Awesome!


SplunkTalk – #67 – Will they ever return? ;)

Maverick? Splunk Ninja? Where are you guys? Is this the end of SplunkTalk? Rest assured fine feathered listeners, it is not. This is really the end of what feels like the second season of SplunkTalk. After Splunk’s User Conference 2012 (Sept 10-12 in Las Vegas at the Cosmopolitan), we’ll be starting a new season with an enhanced format, some more personalities and a whole lot more Splunkin! On this episode, Maverick and Wilde talk about some interesting things they’ve learned lately. Maverick presents an interesting challenge with using the “Transaction” search command with Windows Security Event Logs and the way fields appear. Wilde discovers that even though you might be awesome at regex for making fields, there are some times you just can’t actually find your field–and we’ll show you how to overcome that. A few more nerdy tidbits and the usual silliness. SplunkTalk, comin back in October 2012 – Season 3. Tell your friends. Tell us what you’d like to hear about as well!


SplunkTalk – #66 – Baby New Year brings us Splunk 4.3

The lost episodes have been found! This episode was recorded in January 2012 and it’s a fun, healthy conversation by Michael Wilde, Splunk Ninja and Eric “Maverick” Garner. Some of y’all aren’t on the cutting edge, upgrading your whole production environment every 15 seconds Splunk releases new code–If you are.. rock on!–If not, then this episode will give you a great overview of some of the cool features in Splunk 4.3. Even if you are using Splunk 4.3 there’s a chance you don’t know about a lot of the cool new features in there. Give it a listen and check it out. We’re gettin the backlog of episodes out and new ones comin up right around the corner.


SplunkTalk – #65 – Don’t overfeed the animal

As we say, “Splunk Eats Everything”, but can you overfeed it? Yep. Splunk Ninja was working with a user recently who was noticing the “splunkd” process was crashing on Windows. Upon further inspection, this user “ate his whole C:\ drive”. OMG WTF BBQ? We figure out how that happened on the show this week, and also talk about the sweetest diagnosis app for Splunk built by our support team called “S.o.S” or “Splunk on Splunk”. Hop over to the App Catalog up on SplunkBase and download it. S.o.S is very helpful! Maverick discovered some interesting challenges with configuration needs for his forwarders. Wilde is a HUGE fan of the iOS/Android app called “Voxer”, check that …


SplunkTalk – #64 – The Next Action

Today’s episode brings Maverick and Wilde one main question: What’s the next action? Serious! If you have ever wondered what people do right after they do what they do.. wait, that didn’t make sense. In mobile apps that might use several APIs, a user might search, friend, like, lookup, map, etc. Developers may need to know what the most popular “next action” is. We’re gonna describe how that’s done along with a few other cool topics and some of our favorite search commands like “streamstats” and “eventstats”.


SplunkTalk – #63 – Strange things happen after midnight

Yes yes yes… I know, it’s been a while–not because we’ve been silent, but we’ve been super busy and low on editing time. I’ve got a pile of them I’m about to release week by week so we’re all caught up. This episode, aptly titled “Strange things happen after midnight”, has been waiting to get out of the gate. It’s been saying “Wilde! Edit me”. So I have.

Pay attention to your clocks my friend! Splunk Ninja answers a question (and helps diagnose) an issue where realtime search “seemed to not be working” when the real culprit was a forwarder whose time was ahead of the indexer–and thus, realtime isn’t the “future”. Well, it will be event-ually :). Maverick gives us some insight on the best ways to share what’s in your Splunk server with other users in your company. Taking a cue from Gregg Woodcock, Splunk customer at MetroPCS–who presented at SplunkLive–we’ve got some great tips worth sharing.. about sharing!

Splunk Ninja and the crew will be at Interop this year, Wooo-hoo, in Las Vegas and NYC as a part of the Interop NOC (a.k.a. nerd camp). Finally, Maverick reveals what strange things happen right after midnight in Splunk (during an extremely rare situation).

Note: Check out our Developer Portal and send your vendors or developers over to the Logging section so they can learn how to better design log output so you can use it better!

Episodes are recorded live every Friday at 11AM Central Time – Email us at splunktalk@splunk.com to ask questions and have them answered on air!


SplunkTalk – #62 – Going off the Rails

Today’s SplunkTalk is a chat about a few recent experiences with folks we’ve been helping. First up, SplunkNinja was working with someone who had a production Rails app. This user had some challenges getting a universal forwarder to work as they weren’t aware that the Splunk Command Line Interface (CLI) is a great way to make changes to the forwarder without monkeying around with config files such as “outputs.conf”. “splunk add forward-server” and “splunk list forward-server” are two of my favorites. Fast, easy, reliable. Next up, adding data. Editing inputs.conf? Bah Humbug! Use “splunk add monitor (file/directory)”. No restarts needed! But sometimes how and where Splunk stores user created objects (inputs, searches, fields) is unclear–we cover that in this week …


SplunkTalk – #61 – Game, Set, Match

So there are 80+ search commands. Every so often we run across one we’ve never used. This week, “we” is Wilde. Maverick holds a CLINIC on the “set” search command. Not so fast, listener/reader–we’re not talking about setting a variable or field (which you can do with “eval”). This is more about working with two “sets” of results and looking for differences, union, intersection to use them to make some interesting decisions about your data. Rumor has it there’s a “Splunk Book” being written. Wilde is gaga about Splunk 4.3 (coming soon!). Maverick hosted the inaugural Dallas Splunk Users Group. One user has 32 indexers. Yeah. THIRTY TWO INDEXERS. Like a boss!
