I’ve had this topic come up in several technical conversations lately, so I thought I would blog about it now.

Situation: You have two different source types containing common key field values, but the actual name of the field itself is different within each of the source types.

Question: How do you produce a report within Splunk that correlates all of these fields values together under one normalized field name?

Answer: Use the new FIELDALIAS and EXTRACT features included with Splunk 4.0 to normalize the field name at search-time.

Example: Let’s suppose you have two different types of call detail records, each containing a number that represents the total duration in seconds that someone is on a phone call.

One CDR event looks like this:

TELCOE,2.1,7e197787-655330a9-7a458301-70845177@12.13.20.20,,0,,H,,S,,sip:7622550@127.10.15.17:5050, sip:5558889999@120.10.20.20:55555,TELCO:Dallas,TX,0,sip:7622555@110.130.52.25:5050,NORTH:NORTH,200,0
,1,0,1,0,08/02/2009:05:03:21,08/02/2009:02:03:22,92,UNKNOWN,0,0

and the other CDR record looks like this:

TIME=20090802104826865|CHAN:332|SESSIONID:100102345|CALLDURATION:93|CALLINGNUM:5558431297|
CALLEDNUM:5559903894|UNIQID:8948373827100002938847889873474893

Now, let’s take a look at the Splunk configuration files to index these source types and extract the call duration values out into fields.

inputs.conf
[monitor:///$SPLUNK_HOME/etc/apps/cdr/logs/CDR.txt]
sourcetype= cdr_log

[monitor:///$SPLUNK_HOME/etc/apps/cdr/logs/cdr2.txt]
sourcetype= cdr2_log

props.conf
[cdr_log]
EXTRACT-calldur = ^.*?:\d\d:\d\d:\d\d,(?<callDuration>\d+),\w+,\d+\.\d+\.\d+\.\d+,

[cdr2_log]
REPORT-cdr2 = cdr2-kvpairs

transforms.conf
[cdr2-kvpairs]
DELIMS = “|”, “:”

After demonstrating the amazing features and capabilities of Splunk to numerous clients over the past couple years, I find that people still perceive it to be a very disruptive technology. So much so, it’s still difficult for some to truly understand the magic of Splunk.

They ask me “How is it that I can feed Splunk any kind of IT data I want, log files, SNMP traps, alerts, configuration files, xml, whatever, and know it will be indexed correctly?”

The answer is one of most powerful features of Splunk called Universal Indexing and, hopefully by the time you finish reading this article, you will have a better understanding of what that is and why it’s so powerful.

To start down that path to understanding, I would like you to think about Yoda.

Yeah, that’s right, Yoda from the Star Wars movies. You know, he’s that short funny-looking wrinkly green muppet character that speaks in a severely mixed-up manner. Remember him now?

Now what does Yoda have to do with Universal Indexing, you ask? Well, it’s not so much about Yoda, really, as it is about how Yoda talks.

Happy New Year and thanks to everyone who has been subscribing to my blog recently. I greatly appreciate it!

Every week people ask me to show them how to use Splunk to stitch together multiple events that might exist in different locations within different sources because, from an IT perspective, they are considered to be part of larger transaction groups. They tell me they want to know how to do this because the ability to trend against transitively-related events becomes very powerful in helping them understand the reality of IT operations and how efficiencies can be increased and costs can be more quickly and significantly reduced.

I thought I would share a quick example of how to do this using the transaction command.

Let’s start with a couple sample user activity log files containing some events that are related by multiple keys. Take a moment to study the two following sample activity log files and notice how the user and session key values are related between the files.

That’s right! It’s “on fire” folks! Hotter than the sun! Burning its way into the thoughts and minds and data centers across the world.

Unfortunately, what I wanted to talk about today is not related to how hot Splunk is, but rather a very special and sometimes misunderstood character called “the pipe”. For most of us tech geek types, the pipe is our friend. We use it all the time at the command-line to make efficient use of our tools and our time. For non-techie folks, it may be more mysterious or intimidating concept, so I felt it might be a good topic to discuss and demonstrate just what it is and how to use it in the Splunk search box.

Also known as the vertical bar character, the pipe (|) allows you to create simple yet powerful ad-hoc Splunk searches. You might think of it as if it were an actual pipe where things flow into one end and then flow back out the opposite end. Within the context of Splunk searches, the “things” that flow in and out of the pipe are your IT events.

The following is a short interview I conducted with an IT event that I discovered last week while investigating an issue within my data center.

Maverick
Hello and thank you for taking time to participate in this interview.
IT Event
No problem. Thanks for having me, Mav.

Maverick
So tell us a little bit about yourself. What kind of event are you? Syslog? Web App? Proxy Log?
IT Event
Sure. I’m a syslog event.

Maverick
I see. Any particular kind?
IT Event
Well, I’m NOT a syslog-NG event, if that’s what you mean. Just plain standard syslog.

Maverick
No. I mean, what type? User event? SNMP trap? Something like that?
IT Event
Oh, yeah, I’m an sshd “session opened” event.

Maverick
As in reporting USER activity?
IT Event
Precisely.

Maverick
That makes sense. So when were you written out to the log file, exactly?
IT Event
A couple weeks ago. My timestamp is Sep 7 10:36:17, assuming you are interested in my details.

Maverick
Of course. Why would you think I’m not interested in your details?
IT Event
Well, most of the time we go unnoticed, is all. Most of the time me and all my fellow events just sit in our log file until it gets rotated out and eventually written over.

As we say here in Dallas, TX, YEEEEEEEEEE-HAW!!!1!11!!

Splunk 3.0 is GA now!!!!

In celebration of this wonderful day, I would like to redirect you to a previous blog article regarding a song I wrote about being a Splunk user. It’s real geeky, I admit, but hey, if you use Splunk or are thinking about it, I’m am sure you can relate to it. And if you are a long-time customer already, well, then,…you know doing geeky stuff like this is part of being a Splunkhead.

Check out my rap song called “Splunk IT”

Also, if you have a sysadmin that is an absolute rockstar where you work, please go and nominate them for Sysadmin of the Year. Let us know what makes them a rockstar in your eyes and they might win some fabulous prizes, like a new guitar, laptop, a case of redbull, etc. Do it now!

After being extremely inspired by all you die-hard Splunk fans out there, I decided to lay down some high-tech “geeky” rhymes over some old familiar classic rock riffs, including Queen’s “We Will Rock You”, Rush’s “Tom Saywer”, and AC/DC’s “Back In Black”. So…

Here are the sick lyrics, dog!

Splunk IT (a rap by Eric “Maverick� Garner)
Copyright © 2007, Garner. All rights reserved.

We got all kinds of issues occurring in the system
They’ve always been there, but I guess we just missed ‘em
We need Splunk to help troubleshoot it
We got Red Hat 3.0, so we won’t have to chroot it

Yo, we got hundreds of servers in multiple locations
And the IT folks are venting all their frustrations
Telling me that grep is a bottleneck
We need something better, we need to Splunk IT

Oooooohhhh We need to Splunk IT
Yo, Yo, I’m telling you, dog, we need to Splunk IT
Oooooohhhh We need to Splunk IT
(Word to your mother)