I’ve had this topic come up in several technical conversations lately, so I thought I would blog about it now.

Situation: You have two different source types containing common key field values, but the actual name of the field itself is different within each of the source types.

Question: How do you produce a report within Splunk that correlates all of these fields values together under one normalized field name?

Answer: Use the new FIELDALIAS and EXTRACT features included with Splunk 4.0 to normalize the field name at search-time.

Example: Let’s suppose you have two different types of call detail records, each containing a number that represents the total duration in seconds that someone is on a phone call.

One CDR event looks like this:

TELCOE,2.1,7e197787-655330a9-7a458301-70845177@12.13.20.20,,0,,H,,S,,sip:7622550@127.10.15.17:5050, sip:5558889999@120.10.20.20:55555,TELCO:Dallas,TX,0,sip:7622555@110.130.52.25:5050,NORTH:NORTH,200,0
,1,0,1,0,08/02/2009:05:03:21,08/02/2009:02:03:22,92,UNKNOWN,0,0

and the other CDR record looks like this:

TIME=20090802104826865|CHAN:332|SESSIONID:100102345|CALLDURATION:93|CALLINGNUM:5558431297|
CALLEDNUM:5559903894|UNIQID:8948373827100002938847889873474893

Now, let’s take a look at the Splunk configuration files to index these source types and extract the call duration values out into fields.

inputs.conf
[monitor:///$SPLUNK_HOME/etc/apps/cdr/logs/CDR.txt]
sourcetype= cdr_log

[monitor:///$SPLUNK_HOME/etc/apps/cdr/logs/cdr2.txt]
sourcetype= cdr2_log

props.conf
[cdr_log]
EXTRACT-calldur = ^.*?:\d\d:\d\d:\d\d,(?<callDuration>\d+),\w+,\d+\.\d+\.\d+\.\d+,

[cdr2_log]
REPORT-cdr2 = cdr2-kvpairs

transforms.conf
[cdr2-kvpairs]
DELIMS = “|”, “:”

After demonstrating the amazing features and capabilities of Splunk to numerous clients over the past couple years, I find that people still perceive it to be a very disruptive technology. So much so, it’s still difficult for some to truly understand the magic of Splunk.

They ask me “How is it that I can feed Splunk any kind of IT data I want, log files, SNMP traps, alerts, configuration files, xml, whatever, and know it will be indexed correctly?”

The answer is one of most powerful features of Splunk called Universal Indexing and, hopefully by the time you finish reading this article, you will have a better understanding of what that is and why it’s so powerful.

To start down that path to understanding, I would like you to think about Yoda.

Yeah, that’s right, Yoda from the Star Wars movies. You know, he’s that short funny-looking wrinkly green muppet character that speaks in a severely mixed-up manner. Remember him now?

Now what does Yoda have to do with Universal Indexing, you ask? Well, it’s not so much about Yoda, really, as it is about how Yoda talks.

Happy New Year and thanks to everyone who has been subscribing to my blog recently. I greatly appreciate it!

Every week people ask me to show them how to use Splunk to stitch together multiple events that might exist in different locations within different sources because, from an IT perspective, they are considered to be part of larger transaction groups. They tell me they want to know how to do this because the ability to trend against transitively-related events becomes very powerful in helping them understand the reality of IT operations and how efficiencies can be increased and costs can be more quickly and significantly reduced.

I thought I would share a quick example of how to do this using the transaction command.

Let’s start with a couple sample user activity log files containing some events that are related by multiple keys. Take a moment to study the two following sample activity log files and notice how the user and session key values are related between the files.

That’s right! It’s “on fire” folks! Hotter than the sun! Burning its way into the thoughts and minds and data centers across the world.

Unfortunately, what I wanted to talk about today is not related to how hot Splunk is, but rather a very special and sometimes misunderstood character called “the pipe”. For most of us tech geek types, the pipe is our friend. We use it all the time at the command-line to make efficient use of our tools and our time. For non-techie folks, it may be more mysterious or intimidating concept, so I felt it might be a good topic to discuss and demonstrate just what it is and how to use it in the Splunk search box.

Also known as the vertical bar character, the pipe (|) allows you to create simple yet powerful ad-hoc Splunk searches. You might think of it as if it were an actual pipe where things flow into one end and then flow back out the opposite end. Within the context of Splunk searches, the “things” that flow in and out of the pipe are your IT events.

Dear CEO, CTO, CIO, and other Company Leaders,

Consider this letter a wake-up call.

As an individual responsible for setting the vision of your company, please be aware that the people who work for you now, those smart, intelligent, high-tech individuals who believe in your vision, who are extremely proud of serving you, do not want to let you down.

Every day, these individuals work hard for you and you pay them well for their services. They are system and network administrators, security analysts, application developers, infrastructure architects, QA testers, and various other IT consultants.

As these individuals attempt to move your company forward towards explosive growth and expansion, incredible innovation, and unbounded profitability, you are either not aware of or not focusing enough on “how” they are striving to realize your vision and make it a reality.

Of course, you are probably thinking it’s not your job as a company leader to worry about “how” things are done so much as “why” or “when“. After all, that’s what being a company leader is all about, right?

Indeed, this may be true, but the reality is you need to be aware of the “how” more now than ever.

…actually a couple ideas for songs about Splunk have made their way into my geeky little brain since my last blog post. Yeah, yeah, I know what you’re saying…”Hey Maverick, the world doesn’t need another nerdy song about an IT Search Platform.” My natural response is, you’re probably right, but I can’t help myself. I’m a nerd, a songwriter, I love Splunk: I have no choice!

So where’s the mp3, dude?!

Truth is, I am just too damn busy these days to spend time on it. That is one of the reasons why I haven’t posted a new blog entry since September of last year. Turns out the demand for Splunk has increased significantly since then, which means I am traveling more now, giving more Splunk demos and presentations, and assisting more companies with their Splunk evaluations than ever before. Don’t get me wrong, I love writing songs, but nothing is more satisfying than traveling across Midwest America to show off a product as cool as Splunk.

And when I say “travel”, boy do I mean “TRAVEL”!

The following is a short interview I conducted with an IT event that I discovered last week while investigating an issue within my data center.

Maverick
Hello and thank you for taking time to participate in this interview.
IT Event
No problem. Thanks for having me, Mav.

Maverick
So tell us a little bit about yourself. What kind of event are you? Syslog? Web App? Proxy Log?
IT Event
Sure. I’m a syslog event.

Maverick
I see. Any particular kind?
IT Event
Well, I’m NOT a syslog-NG event, if that’s what you mean. Just plain standard syslog.

Maverick
No. I mean, what type? User event? SNMP trap? Something like that?
IT Event
Oh, yeah, I’m an sshd “session opened” event.

Maverick
As in reporting USER activity?
IT Event
Precisely.

Maverick
That makes sense. So when were you written out to the log file, exactly?
IT Event
A couple weeks ago. My timestamp is Sep 7 10:36:17, assuming you are interested in my details.

Maverick
Of course. Why would you think I’m not interested in your details?
IT Event
Well, most of the time we go unnoticed, is all. Most of the time me and all my fellow events just sit in our log file until it gets rotated out and eventually written over.

As we say here in Dallas, TX, YEEEEEEEEEE-HAW!!!1!11!!

Splunk 3.0 is GA now!!!!

In celebration of this wonderful day, I would like to redirect you to a previous blog article regarding a song I wrote about being a Splunk user. It’s real geeky, I admit, but hey, if you use Splunk or are thinking about it, I’m am sure you can relate to it. And if you are a long-time customer already, well, then,…you know doing geeky stuff like this is part of being a Splunkhead.

Check out my rap song called “Splunk IT”

Also, if you have a sysadmin that is an absolute rockstar where you work, please go and nominate them for Sysadmin of the Year. Let us know what makes them a rockstar in your eyes and they might win some fabulous prizes, like a new guitar, laptop, a case of redbull, etc. Do it now!

Recently, I received an email from a client that was struggling with a Splunk configuration issue. He was a sysadmin trying to figure out how to setup Splunk-2-Splunk within his private testing environment. The specific issue he was encountering was not so much related to the Splunk software not working or throwing an exception, etc. But rather, it was more about him trying to understand the “how to” part of Splunk-2-Splunk.

I think anytime you have a technical IT tool like Splunk combined with the ability for a technical person to download, install, and evaluate it for FREE, you will also have plenty of “how to” questions that will naturally accompany those evaluation efforts.

With this said, I want to remind all you technical folks, especially those of you who may still be struggling with the HowTos of Splunk, that as Sales Engineers, it’s our job to provide you with the HowTo support you need during your evaluation of Splunk. In a way, you can think of us as Splunk’s HowTo Team, always willing and able to discuss and recommend the best ways to configure and test out Splunk. It’s our job to make sure you understand all of the technical features and how best to leverage them for your specific needs. And, it’s also our job to help you develop a strong business case for purchasing a Splunk license based on the technical benefits. That way, your manager or director can more easily justify the purchase of that license for you. And, if you are like me, more often than not you need all the justification you can get.