You want a platform? We got your platform right here, buddy.

There has been a lot of talk about the Splunk Platform of late, but what exactly does it mean when we say we have a platform? I figured this would be an interesting question to spring upon unsuspecting members of the development team, and here’s what they (and I) had for our answers:

Browsing over on Wikipedia, one excerpt states that “a platform describes some sort of hardware architecture or software framework”, and the description for a software framework says it “may include support programs, code libraries, a scripting language, or other software to help develop and glue together the different components of a software project”.

A platform can be considered as a type of framework - one which helps developers write software faster by a) giving them the tools to develop against it, and b) transparently dealing with the under-the-hood, nitty-gritty work necessary when dealing with difficult problems. Difficult problems like indexing and searching gigabytes upon gigabytes of event data, for example.

Well, that’s exactly what the Splunk Platform does for developers. It provides resources, examples, and SDKs for developing a variety of applications around the robust Splunk engine, and it provides a launching point for domain specific development, from availability and security, to business intelligence and compliance.

Gem Noticed by Enterprise Networking Planet

I have a Google alert set up to email me news of the extraordinary concerning Splunk. Most of them are press releases by either us or our agency, which are all well and fine (this is how most companies seed stories anyway), but one caught my eye this morning by Charlie Schluting over on Enterprise Networking Planet.

Two things struck me as interesting about Charlie’s post.

First, he noticed the changes in the UI we’ve been slowly making over the last few releases. If you’ve ever done UI design, you know how much sweat goes into every little detail, and how much momentum a design carries over time. That someone noticed the new changes *and* liked them is a HUGE win for the UI team. It’s even better how fast someone noticed!

Second, he actually spends quite a bit of time explaining the security workaround in the free product - one that I covered earlier, coincidentally enough. I figure if someone goes to the time and trouble to figure out how they can keep using the product in a secure, legitimate way, then they must really, really like it. You simply can’t argue with an evangelist like this.

Splunk Hack #4 - Aliasing Splunk with a Subdomain

With the new release of Splunk Preview out, I’ve run into a problem keeping the different versions straight on my laptop. I have the free version, the Preview, the official release, and a version of current running - oftentimes simultaneously. It’s getting messy.

What you really want to do is refer to them with different subdomain names, where something like http://splunkpreview.mydomain.com/ would bring up Splunk without having to remember the port number.

If you are running Apache (like I am on Leopard), you get a reverse proxy server for free. With just a few lines of configuration, you can alias subdomains (or domains for that matter) to your heart’s content.

You also get the ability of putting content behind some basic authentication provided via Apache’s HTTP auth methods. This comes in handy if you’d like to link to your Splunk install from a publicly facing page, but don’t want people to know what type of content is behind the authentication. It also works for limiting access to a particular IP address group or domain.
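One way to write the configuration described above, as an added example that is not taken from the original post or its screencast. It shows one subdomain behind HTTP Basic authentication and a second limited to an address range. It assumes Apache 2.4 directive syntax (on the 2.2 series, use Order/Allow from with Satisfy all in place of the Require ip and RequireAll lines), Splunk Web instances listening on 127.0.0.1 ports 8000 and 8001, and a hypothetical second hostname, htpasswd path and address range.

```apache
# Added example (Apache 2.4 syntax). Needs mod_proxy, mod_proxy_http,
# mod_auth_basic, mod_authn_file, mod_authz_user and mod_authz_host.
# Both ports, the second hostname, the htpasswd path and the address
# range are assumptions; adjust them to the local install.

# Preview instance, reachable only with a valid username and password.
<VirtualHost *:80>
    ServerName splunkpreview.mydomain.com

    # Reverse proxy only: leave forward proxying switched off.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/

    <Location "/">
        AuthType Basic
        # Generic realm name, so the prompt does not reveal what is behind it.
        AuthName "Restricted"
        # Create the file with: htpasswd -c /etc/apache2/splunk.htpasswd <user>
        AuthUserFile "/etc/apache2/splunk.htpasswd"
        Require valid-user
    </Location>
</VirtualHost>

# Release instance, limited to one address range with no password prompt.
<VirtualHost *:80>
    ServerName splunk.mydomain.com

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8001/
    ProxyPassReverse / http://127.0.0.1:8001/

    <Location "/">
        # Requests from any other source address receive 403 Forbidden.
        Require ip 192.168.1.0/24
    </Location>
</VirtualHost>
```

Basic authentication sends the password base64-encoded rather than encrypted, so serve these virtual hosts over TLS when they are reachable from outside the machine, and keep the Splunk ports bound to loopback or firewalled so that a direct request to the port cannot skip the proxy's access checks.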

I’ve put together a screencast covering how to do this from OS X’s version of Apache. Click on the thumbnail below to play the screencast.

Splunk Hack #3 - Splunk on Rails

Ruby on Rails is a popular programming framework for quickly creating web applications. It provides its own web server for development testing, and ships with OSX, which means the tools are now widely available to a broad group of programmers/coders/hackers. Coupled with the fact that most Rails developers use either Linux or OSX, and Splunk runs great on both of those platforms, it seemed obvious that we should come up with some sort of solution for mashing the two together.

I mentioned this in passing to one Sean Dick who is a developer friend of mine in Oklahoma City. What follows is a nearly identical post to the one he made over at his self-named blogpost on Blogger on how to get Rails to integrate with Splunk. “There’s plenty left to do,” he said, but I’m convinced it’s worthy of mentioning here. Thanks for hammering this out, Sean!

Serious Material from Sean Begins Here

As per the norm, this post assumes you’ve downloaded Splunk for your particular platform. It also requires a newer install of Ruby on Rails. Come back when you’ve completed both these tasks.

Get Splunk started now:

> export SPLUNK_HOME=/opt/splunk/
> sudo /opt/splunk/bin/splunk start

Splunk Hack #2 - Logging Safari Requests on the iPhone

Mark Cohen posted a while back about enabling syslog on the iPhone for the sole purpose of logging to a Splunk instance on your laptop. This hack is a follow up to that post, and extends it slightly to include logging of the pages browsed by Safari on the phone. WARNING: If you brick your phone, you can still use it as an ergonomic pot-scraper. Splunk won’t be responsible for you going off and getting your $600 $400 piece of joy stuffed, but we’ll be happy to log the event.

Let’s get dirty. Go into settings..general..auto-lock and set locking to ‘never’. This will keep the phone on while you hack around on it. Keeping the phone on and connected to the network will drain your battery like nobody’s business, so make sure you plug in the charging cable.

Now install AppTap. Follow the instructions, and come back here when you are all done.

Using the AppTap installer on the phone, install the Community Sources, BSD Subsystem, Term-vt100, OpenSSH, Tinyproxy, and UIctl apps, in that order. UIctl will let you stop and start sshd on the phone. Launch it now to see if sshd is running. Click on the ‘load’ button if it’s not.

Splunk Hack #1 - Charting Your OSX Battery Usage with Splunk

This is an easy-to-follow tutorial for charting battery usage on your Mac laptop with a small shell script and Splunk. Watching your battery charge is as exciting as watching paint dry, but analyzing it over time is pretty interesting. You may discover a few things about the software you run - like it eats your battery’s amps for dessert.

A friend of mine, Sean Dick, showed me a version of this idea using Splunk on Linux and a program called ‘acpi’. As I’m a Mac fanboy of sorts, I dug up a shell script for the Mac that will print out a single logfile-like line containing laptop battery information, including amp draw, amp-hours left, and more. It’s aptly named ‘battery’, and you can download it here.

I suggest you put battery in a directory under your home directory, say something called ‘scripts’. Head into ‘terminal’ to start the dirty work.

Here’s an example output line from ‘battery short’:

G4:~ kord$ ./scripts/battery short
2007-10-07 18:34:27 1 _________i__ 11.232V -1.454A 2.788Ah of 4.720Ah (59.1%) of 4.400Ah (107.3%) 13 cycles

Tech Talk #1 - Pipelines and Processors

Rob Das gives us the skinny on Splunkd’s use of various pipelines and processors. This is the first pass at Splunk’s tech talks, so the screen caps of the terminal are a little blurry on the smaller versions. We’ll be re-filming this particular piece again this week, except this time the beer guy is going to do it.

More video formats are available from Splunk’s Tech Talks section.