An Amazing Summer Internship At Splunk

First of all, I would like to extend my deepest gratitude to my manager, Alex Raitz who taught me invaluable skills and professionalism during this internship.  I was fortunate to be offered a second summer internship with the incredible App Foundations team.

Access to People and Knowledge

Among the amazing perks I received as an intern was the direct and open access to people and knowledge.  It was a pleasure to learn from my amazing teammates, Roy, Bill, Michael, Melanie, Ian, Kellen, Bumyong and Roussi who shared their knowledge of this field and taught me not only about software development, but also the values of teamwork and how to succeed together.  I had the opportunity to work closely with …

» Continue reading

Quick Tip: Wildcard Sourcetypes in Props.conf

Here is a quick one I use often.  Here is an excerpt from props.conf.spec:

[<spec>]
* This stanza enables properties for a given <spec>.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an event.
3. source::<source>, where <source> is the source, or source-matching pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed source type
   classification rule.
These are only considered as a last resort before generating a new source type based on the
source seen.

 

However, I often want to wildcard a sourcetype for …

» Continue reading

RDP to Windows Server from a Splunk Dashboard

Say you are browsing a Splunk dashboard and notice something odd in the data about a Windows server and you feel compelled to remote in to that server to do some more investigation. Sure, you could pull up your favorite RDP client and connect in. Or, you can save a couple of clicks and RDP to your server directly from the Splunk dashboard in one click.

Here is what the end results looks like in a dashboard:

RDP from Splunk

Clicking the RDP icon generates a .rdp file on the fly.  Your system’s file type association picks up the .rdp file and launches the RDP client with the correct parameters filled in.

RDP Connection

Generating a .rdp File on the Splunk Server

To RDP to …

» Continue reading

What’s new in TA-windows 4.7.0?

If you are a Windows admin and use Splunk then you’ve likely deployed Splunk_TA_windows on your endpoints. It’s a central method for handling Windows data and has all the extractions you need to handle Windows event logs. We’ve just released version 4.7.0. So what’s new and should you upgrade?

The first thing we did was we organized the data. The well considered best practice is to not put data in the default index. Yet here we were putting data in the default index. That has now changed. By default, we create three indices for you:

  • perfmon is used for performance data
  • wineventlog is used for event logs
  • windows is used for everything else

This change will not affect you if …

» Continue reading

Indexing data from Saas solutions running on relational databases

As we began work on building the Salesforce.com app, I was again face to face with a familiar challenge…a challenge that you would encounter anytime you want to ingest structured data coming from any Saas based application that is running on a back-end relational database. In such a Saas based environment, the data is usually exposed via a REST, Webservices API or similar. As you know, in a typical relational database, all data is stored in multiple tables and records are linked across tables using ID’s. For instance the Incident table in ServiceNow does not have the Username that created that ticket but has a User Identifier (long cryptic string) referencing another record in the “Users” table that includes the …

» Continue reading

Updated Keyword App

Last year I created a simple app called Keyword that consists of a series of form search dashboards that perform Splunk searches in the background without having to know the Splunk search language. You can read about the original app here and see how it easy it is to use. This year, I added some dashboards for the Rare Command, but I didn’t think it was newsworthy to blog about it.

Then, Joe Welsh wrote a blog entry about using the cluster command in Splunk, which allows you to find anomalies using a log reduction approach. Joe’s example using Nagios is easy to follow and gives the novice a useful approach to get rare events. So, using this approach, I …

» Continue reading

Splunk Cloud at MindTouch: From the Corner Office to the Cafeteria

I’ve blogged previously about the value customers tell us they get from Splunk Cloud and I’m thrilled to be sharing more. In a freshly minted press release, customer case study, and video, MindTouch talks about all the different ways they use Splunk Cloud across their business.

Some amazing nuggets include, how they:

  • Exceeded all customer SLAs using Splunk Cloud for real-time monitoring
  • Tripled customer count without any additional DevOps headcount
  • Increased customer retention by using machine data insights to demonstrate Mindtouch value to their customers
  • Display Splunk Cloud dashboards in the company cafeteria, so the entire company has visibility into the health of the Mindtouch cloud-based software

Testimonials like this are amazing … customers relying on …

» Continue reading

Splunk Command> Cluster

Being a Splunk sales engineer is incredible.  I get to talk to customers about their use cases, ‘Splunk’ their data, and together discover the insight Splunk provides them.  Initial demos typically start with the search bar, looking for keywords in their data.  Usually doesn’t take long before the “Ah Hah!” moment comes – either by using Splunk’s intuitive GUI to interact with extracted fields of interest or employing a very small subset of the 130+ search commands with in the search bar to gain operation intelligence not readily seen before.  At a recent customer visit I employed the Splunk on Splunk (S.o.S.) App, explored some of the underlying searches and noticed the cluster command, which I never used before.  …

» Continue reading

Tracking calls and SMS with Splunk

splunk-app-for-twilio

Telecommunication systems are vital to all of us around the world, though rarely do we look deeply into the vast amounts of valuable data being generated.

Comparing call length against sales success. Looking at call costs vs customer value. Or examining the most effective time to call prospects. Just a few examples that I’ve seen Splunk customers implement in tele-sales environments. The use-case for this telecommunication data reaches much further than just call centers though.

In this post we’ll examine data generated by Twilio, a service that allows you to bake voice and SMS capabilities into your apps.

But remember, Splunk is a machine data platform. If you’re not using Twilio,  this data could be taken from any other voice or SMS management tool.…

» Continue reading

Updating the iplocation db

When Splunk added the new version of the iplocation command in v6.0, it added the ability to add location info without the need for internet concenttivity. We did this by shipping a custom version of the MaxMind DB in the 6.0.x release. However, because we used a Splunk specific version of the DB, you still had to wait for a new version of Splunk to get a new copy of the DB.

In 6.1 we added support for using the native MaxMind DB (.mmdb), allowing you to update the DB yourself at anytime! It looks like some of you have already figured this out (Go George go!), but I figured I would add some additional info about this …

» Continue reading