40 Days of Splunk 4.0 - Euro Splunkers awesome (as usual)

Getting out of the office to see successful Splunk customers is always a pleasure, and the presentations and conversations at SplunkLive in London were a particular treat. One of the most striking things about all three customers (Vodafone, Telenor and Accenture) is how Splunk has transitioned from a tool used by a couple of working teams into a cross-organization IT utility. Despite coming from two different industry verticals, they all approached the problem in a similar way, and that way suggests the new dynamic lookup feature is going to be very popular.

If you’re an existing Splunk user, you might be familiar with our transaction search-time command. It’s used to identify patterns that indicate a single, unified intention – such as buying something from an online store – even across multiple data sources. That works great when there is some common piece of data to anchor on, such as an IP address or user name. In both the online retail and telecom use cases we saw in London, that was a major part of how groups at different layers of the stack exposed their data to their peers working elsewhere; e.g. the IP address was a way for the web team to track the network behavior of a host through the router logs to look for network-layer abnormalities. These kinds of searches were common to all of our London presenters’ normal use of Splunk.

But what do you do if there is no shared piece of data tying two sources together?

Enter the dynamic field lookup feature. It’s a lightweight form of summary indexing – you run a search that populates a smaller, more manageable table structure with data. But here’s the difference: dynamic lookups can act as an intermediary, joining data from one sourcetype with another at search time. For example, we use this for the Windows GUID lookup feature. When Splunk indexes Active Directory, it identifies all the GUIDs and adds each GUID and its associated common name to a lookup table. Then, if you ask Splunk to translate GUIDs, it takes all the GUIDs in your search results and checks whether each one is in that table. If it is, a new field – the common name – is dynamically added to your searched events, as if it had always been there.

That’s a fairly basic use of the feature, however. Vodafone, a London presenter and Splunk 4.0 beta tester, had a more ingenious use case. They’re using it to create abstracted data access points for each IT service they manage. So one service – for example, the customer management system – can return via a Splunk search the last few numbers a customer called if you search on the customer number, but not return the customer’s name or other revealing information. Other groups can then consume that information, much like a feed or other web-advertised service, directly in their own searches and dashboards. The data access is constrained not only by role but potentially also by time, providing secure windows into past activity that still respect the privacy of Vodafone’s customers.

The idea of joining data from one source contingent on another source in a safe and controlled fashion using Splunk seems to resonate with almost all of our beta customers. Dynamic lookup tables may end up being one of those features that has much more mileage in it than we ever anticipated. Learn how to make yours here.
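To make the two-step mechanism concrete, here is an added Python illustration of the GUID translation described above. It is not Splunk’s code and not part of the original post: one function plays the “search that populates the table” (writing the GUID-to-common-name pairs as CSV, the shape a lookup table takes), and a second plays the search-time join that adds the common name to any event whose GUID is in the table and leaves other events untouched. The event lines, field names (objectGUID, cn, SubjectGUID) and GUID values are all constructed for the example.

```python
import csv
import io
import re

# Constructed sample events (not real Splunk data). The first set stands in for
# indexed Active Directory objects that carry a GUID and a common name; the
# second set stands in for audit events that only carry the GUID.
AD_EVENTS = [
    'objectGUID=3f2504e0-4f89-11d3-9a0c-0305e82c3301 cn="Alice Example" objectClass=user',
    'objectGUID=7c9e6679-7425-40de-944b-e07fc1f90ae7 cn="Build Servers" objectClass=group',
]
AUDIT_EVENTS = [
    "EventCode=4662 SubjectGUID=3f2504e0-4f89-11d3-9a0c-0305e82c3301 Operation=Read",
    "EventCode=4662 SubjectGUID=7c9e6679-7425-40de-944b-e07fc1f90ae7 Operation=Write",
    "EventCode=4662 SubjectGUID=00000000-0000-0000-0000-000000000000 Operation=Read",
]

GUID_RE = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"


def populate_lookup(ad_events):
    """Step 1: the search that populates the table.

    Extracts (guid, cn) pairs from the AD events and returns them as CSV text,
    which is the form a lookup table is stored in.
    """
    rows = []
    for ev in ad_events:
        m = re.search(r'objectGUID=(' + GUID_RE + r').*?cn="([^"]+)"', ev)
        if m:
            rows.append({"guid": m.group(1).lower(), "cn": m.group(2)})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["guid", "cn"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def load_lookup(csv_text):
    """Read the CSV table back into a guid -> common name mapping."""
    return {r["guid"]: r["cn"] for r in csv.DictReader(io.StringIO(csv_text))}


def translate_guids(events, lookup, guid_field="SubjectGUID", new_field="cn"):
    """Step 2: the search-time join.

    Every event is returned as a dict of its key=value fields. If the event's
    GUID is present in the lookup, the common name is added as a new field;
    events whose GUID is unknown are returned unchanged.
    """
    out = []
    for ev in events:
        fields = dict(re.findall(r"(\w+)=(\S+)", ev))
        guid = fields.get(guid_field, "").lower()
        if guid in lookup:
            fields[new_field] = lookup[guid]
        out.append(fields)
    return out


def enriched_events():
    """Run both steps over the constructed samples."""
    table = load_lookup(populate_lookup(AD_EVENTS))
    return translate_guids(AUDIT_EVENTS, table)


if __name__ == "__main__":
    for ev in enriched_events():
        print(ev)
```

The third audit event keeps only its original fields, which is the point of a lookup as opposed to a join that drops unmatched rows: events the table does not know about still come back from the search, just without the extra field.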

Getting started with Splunk on Windows, a short subject documentary

Here in the Ivory Tower of Splunk, it’s easy to forget sometimes that people in the rest of the world are busy too. Despite our undying love for search software, there are plenty of people out there who are just doing a drive-by of our software. We should make it super-dead-simple to use.

That’s a never-ending story, but today’s installment is a video on getting started with Splunk on Windows. If you’re confused or having trouble getting going, it’s our fault. But maybe this will help:

http://www.splunk.com/view/SP-CAAADKS

Enjoy, and merry Splunking.

Splunking for a rogue exchange admin

Recently I was speaking with a customer who was concerned that one of the Windows admins was reading the email of regular users. Thought I’d share this tidbit as a simple example of the power of search. In this case, we didn’t even have to go to any data source other than the relevant event log, though later analysis of netflow logs triangulated where the admin was connecting to the Exchange server from.

Problem: Senior admin has reason to think another admin is abusing privileges and reading other people’s mail on Exchange.
Use Case: Splunk the Exchange event logs to check for insider threat.
Search 1: bad_admin_username “EventCode=1016”

Finds: User who has opened up a mailbox that is owned by someone else.

Search 2: bad_admin_username “EventCode=1013”

Finds: User who has opened up an additional mailbox. Needed because if the mailbox is shared (i.e., an alias for a particular department) you won’t get a 1016.

Use Case 2: Check for network logins by the admin to the Exchange box in the security log. This search will show if they’ve been using the Exchange console to connect remotely and take unauthorized actions
Search: bad_admin_username “Login Type=Network” “Success Audit”

Finds: Shows if admin has been using the Exchange console to connect remotely and take unauthorized actions. Note that you will not know what the action is unless you have turned on more aggressive auditing than the default.
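The three searches above are simple filters, and the same logic can be expressed outside Splunk. The following Python is an added example, not the author’s or Splunk’s code: it runs the two Exchange searches (1016 and 1013) and the Security-log network logon search over a handful of constructed event lines, and then goes one step beyond the post by counting, per user, how many distinct non-owned mailboxes each account has opened, so that an outlier shows up without naming a suspect in advance. The key=value line format, the field names (source, user, mailbox, Type, LogonType, src), the account and mailbox names and the address are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in a simplified key=value form. These are not real
# exported Exchange or Security log lines; the field names are assumptions.
# Event codes 1016 and 1013 are the Exchange codes the post describes.
EVENTS = [
    "source=MSExchangeIS EventCode=1016 user=CORP\\bad_admin mailbox=/o=corp/ou=users/cn=jsmith",
    "source=MSExchangeIS EventCode=1016 user=CORP\\bad_admin mailbox=/o=corp/ou=users/cn=kjones",
    "source=MSExchangeIS EventCode=1013 user=CORP\\bad_admin mailbox=/o=corp/ou=shared/cn=helpdesk",
    "source=MSExchangeIS EventCode=1016 user=CORP\\svc_backup mailbox=/o=corp/ou=users/cn=jsmith",
    "source=Security EventCode=540 Type=SuccessAudit user=CORP\\bad_admin LogonType=Network src=10.0.5.17",
    "source=Security EventCode=540 Type=SuccessAudit user=CORP\\bad_admin LogonType=Interactive src=10.0.5.17",
    "source=Security EventCode=529 Type=FailureAudit user=CORP\\bad_admin LogonType=Network src=10.0.5.17",
]


def parse(event):
    """Split a key=value line into a dict of fields."""
    return dict(re.findall(r"(\w+)=(\S+)", event))


def mailbox_accesses(events, user):
    """Searches 1 and 2: Exchange events where `user` opened a mailbox owned by
    someone else (1016) or an additional, e.g. shared, mailbox (1013).
    Returns {event_code: [mailbox, ...]}."""
    hits = defaultdict(list)
    for f in map(parse, events):
        if (f.get("source") == "MSExchangeIS"
                and f.get("user") == user
                and f.get("EventCode") in ("1016", "1013")):
            hits[f["EventCode"]].append(f["mailbox"])
    return dict(hits)


def network_logons(events, user):
    """Use case 2: successful network logons by `user` in the Security log.
    Returns the source addresses, which is what the netflow follow-up
    mentioned in the post would be correlated against."""
    return [
        f["src"] for f in map(parse, events)
        if f.get("source") == "Security"
        and f.get("user") == user
        and f.get("Type") == "SuccessAudit"
        and f.get("LogonType") == "Network"
    ]


def rank_by_foreign_mailbox_opens(events):
    """Generalisation of searches 1 and 2: count distinct non-owned mailboxes
    opened per user across all accounts, highest first, so an account that
    stands out can be found without knowing the name up front."""
    per_user = defaultdict(set)
    for f in map(parse, events):
        if f.get("source") == "MSExchangeIS" and f.get("EventCode") in ("1016", "1013"):
            per_user[f["user"]].add(f["mailbox"])
    return Counter({u: len(m) for u, m in per_user.items()}).most_common()


if __name__ == "__main__":
    suspect = "CORP\\bad_admin"
    print("mailbox opens:", mailbox_accesses(EVENTS, suspect))
    print("network logons from:", network_logons(EVENTS, suspect))
    print("ranked:", rank_by_foreign_mailbox_opens(EVENTS))
```

As the post notes, the Security log only tells you that the admin connected over the network, not what was done once connected; the mailbox events are what carry the access itself, so the two views are best read together.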

Boss! Boss! De-Boost! De-Boost!

Ever had a girlfriend that just wouldn’t … leave?

(or, for those that prefer boys, if you’ve known a Mission emo brat, you too know what I mean)

Maybe it was a hookup. Maybe a friend of a friend. But you were always just sorta biding time. Hanging out till something better comes along. Eventually, that better thing turned out to be, well, anything else. Like watching dust collect on the shriveled remains of your caring.

Remember the relief when one day, after months of items too conveniently “forgotten” at your house, ignored phone calls and awkward social gatherings when you suddenly realized…

They were gone?

<<cricket noise>>

Now crystallize and concatenate that relief you felt with the very real, inescapable fact that Boost is gone. That’s right, janky code that stuck around way too long, forgotten about until it called you in the middle of 24 to tell you that it had left a mutex behind the couch. Another moment lost, stolen by the one that won’t, for the love of God, get away.

Now it is gone. Mitch killed it. Exorcised it from Splunk with rituals to dark pagan Gods. Slayed it like Grendel. The deed is done.

Now we feast* and drink in revelry to this glorious act. Come and raise a glass of de-boost. Only on the South Side.

Time goes by. More slowly.

Did you know the earth, in addition to warming, is slowing? We, the early Global Slowing movement, are raising awareness of this issue here at Splunk.

So dire is the threat that time itself is being distorted by this world-wide phenomenon. To compensate, authorities have declared a Leap Second to protect us from slowing rotational patterns.

Therefore, the Global Slowing movement beseeches you to use this extra second wisely. Join us as we protest this travesty with a shot at exactly midnight GMT (16:00 PST) on the south side.

Remember, it’s like it never was. What happens on the leap second, stays on the leap second.

Eat your fruit

What is this? Do you know how hard we in the morale department work to keep you happy? Our fingers bleed; have you seen a callus this big before? Only on that black pit you call a soul.

We paid good money for that tasty goodness rotting away in the kitchen. Don’t pretend like you didn’t see them there. Lots of fresh, organic, artisanal local fruit. Grown by professionals. Armies mobilized from Central America to come and pick them, risking life and limb. Delivered to mere feet from your lazy desk by hipsters on the backs of biofueled, trendy little scooters.

And for what? So you can watch them attract flies. A vile waste that will not be tolerated!

Unfortunately, the morale department cannot eat that many pears single-handed. Therefore, you will be further indulged, like an African despot bribed into a life of privileged seclusion in a villa outside London.

So bring your aviator shades and come to the south side. Where we will cut, gut and turn delicious pear goodness into tasty shots. It’s pear-on-gin-on-pear action that will make you happy, the pear happy, and the gin happy.

On the South Side.

You can’t keep a good drink down

Sometimes you must be reminded by loss to appreciate what you have. Consider, for example, the tragic loss of liquor that afflicted us for 13 years. Makes the truancy of your Splunk bar staff seem like a mere bathroom break.

But all bad things come to an end.

Seventy-five years ago the US repealed Prohibition, and tonight the South Side repeals ours. And rest assured, we’re doing it in style – Manhattan style. Ever wondered how to make the drink that self-describes as “perfect?” I’ll give you a hint: it gets more perfect the more you have.

South Side at 5. A toast to the 21st.

Cocktail Default Swaps

Woe. Calamity. Bust. As your retirement account swoons and banks once mighty crumble to dust, you might start to wonder what to do at a time like this. Do you flee to cash? Bullion? Or do you reach deep into those pantalones and find your last bit of pocket change to plow into this bottom? (it is the bottom, right?)

No. All of those involve risk. And require far too much effort.

No, you drink, you silly Splunker. And while we watch lower Manhattan sink into the Hudson, we will ask whether that glass is half full or half empty. For half-empty is the only way I can imagine serving the Market Crash, a delicious and nutritious blend of brown booze. After all, when you mix red ink with black, brown is what you get.

5 on the South Side.

The tall guy against the wall

For a nice sunny summer week, far too many of us have succumbed to illness. Clearly the move, sprinting and attendant stress has been too much for some Splunkers. We salute their sacrifice to the greater good. Those who still survive should take all due and proper precautions to ensure their continued health. For that no tonic is better than the (in)famous Harvey Wallbanger.

Bringing together the restorative powers of orange juice, ancient Italian herbs and wholesome grain liquor, the Harvey Wallbanger provides all the nutrition the body needs to ward off sickness and scope creep. That it sounds like your creepy uncle also helps add the extra très chic that PBR-sipping hipsters adore. This ain’t your sister’s screwdriver – this is bona fide old school.

So come get the cure for what ails you down on the south side after five. As a special bonus, I’ll explain the subject line and other dirty names for OJ-based beverages that they only teach in Sunday school.

It’s too hot

After last week’s little sojourn to the desert, many of you have expressed thoughtful concern for my well-being. After all, even a many-talented drinker like myself might be challenged by:

  1. Riding a bike
  2. Avoiding 50,000 dirty hippies
  3. Avoiding Matt
  4. Maintaining a satisfactory blood alcohol content

…especially when one must do all of these things at the same time, all day, every day for a whole week. What technology makes this possible? Surely John isn’t mixing patchouli-flavored, rose-colored martinis.

Indeed not.

May I present you with a useful little concoction, should you find yourself wandering the Sahara with the cast of Ab Fab. Playa Sangria. It’s quick, it’s easy, it’s cheap, it’s tasty and you can use it to wash down a hippie. If you don’t mind them being a bit sticky afterwards. And since it’s hotter here than it was in the middle of the Nevada desert, a little sounds delish.

On the South Side, starting now.
