SplunkTalk – #66 – Baby New Year brings us Splunk 4.3

The lost episodes have been found! This episode was recorded in January 2012 and its a fun, healthy conversation by Michael Wilde, Splunk Ninja and Eric “Maverick Garner. Some of y’all aren’t on the cutting edge, upgrading your whole production environment every 15 seconds Splunk releases new code–If you are.. rock on!–If not, then this episode will give you a great overview of some of the cool features in Splunk 4.3. Even if you are using Splunk 4.3 there’s a chance you don’t know about a lot of the cool new features in there. Give it a listen and check out. We’re gettin the backlog of episodes out and new ones comin up right around the corner.

» Continue reading

SplunkTalk – #65 – Don’t overfeed the animal

As we say, “Splunk Eats Everything”, but can you overfeed it? Yep. Splunk Ninja was working with a user recently who was noticing the “splunkd” process was crashing on Windows. Upon further inspection, this user “ate his whole C:\ drive”. OMG WTF BBQ? We figure out how that happened on the show this week, and also talk about the sweetest diagnosis app for Splunk built by our support team called “S.o.S” or “Splunk on Splunk“. Hop over to the App Catalog up on SplunkBase and download it. S.o.S is very helpful! Maverick discovered some interesting challenges with configuration needs for his forwarders. Wilde is a HUGE fan of the iOS/Android app called “Voxer“, check that …

» Continue reading

SplunkTalk – #65 – Don’t overfeed the animal

As we say, “Splunk Eats Everything”, but can you overfeed it? Yep. Splunk Ninja was working with a user recently who was noticing the “splunkd” process was crashing on Windows. Upon further inspection, this user “ate his whole C:\ drive”. OMG WTF BBQ? We figure out how that happened on the show this week, and also talk about the sweetest diagnosis app for Splunk built by our support team called “S.o.S” or “Splunk on Splunk“. Hop over to the App Catalog up on SplunkBase and download it. S.o.S is very helpful! Maverick discovered some interesting challenges with configuration needs for his forwarders. Wilde is a HUGE fan of the iOS/Android app called “Voxer“, check that …

» Continue reading

SplunkTalk – #64 – The Next Action

Today’s episode brings Maverick and Wilde one main question: What’s the next action? Serious! If you have ever wondered what people do right after they do what they do.. wait, that didn’t make sense. In mobile apps that might use several api’s a user might search, friend, like, lookup, map, etc. Developers may need to know what the most popular “next action” is. We’re gonna describe how that’s done along with a few other cool topics and some of our favorite search commands like “streamstats” and “eventstats”.

» Continue reading

SplunkTalk – #63 – Strange things happen after midnight

Yes yes yes… I know, its been a while–not because we’ve been silent, but we’ve been super busy and low on editing time. I’ve got a pile of them i’m about to release week by week so we’re all caught up. This episode, aptly titled “Strange things happen after midnight” has been waiting to get out of the gate. It’s been saying “Wilde! Edit me”. So I have.

Pay attention to your clocks my friend! Splunk Ninja answers a question (and helps diagnose) an issue where realtime search “seemed to not be working” when the real culprit was a forwarder whose time was ahead of the indexer–and thus, realtime isn’t the “future”. Well, it will be event-ually :). Maverick gives us some insight on the best ways to share whats in your splunk server with other users in your company. Taking a cue from Gregg Woodcock, Splunk customer at MetroPCS–who presented at SplunkLive–we’ve got some great tips worth sharing.. about sharing!

Splunk Ninja and the crew will be at Interop this year Wooo-hoo, in Las Vegas and NYC as a part of the Interop NOC (a.k.a nerd camp). Finally Maverick reveals what strange things happen right after midnight in Splunk (during an extremely rare situation).

Note: Check out our Developer Portal and send your vendors or developers over to the Logging section so they can learn how to better design log output so you can use it better!

Episodes are recorded live every Friday at 11AM Central Time – Email us at splunktalk@splunk.com to ask questions and have them answered on air!

» Continue reading

SplunkTalk – #62 – Going off the Rails

Today’s SplunkTalk is a chat about a few recent experiences with folks we’ve been helping. First up, SplunkNinja was working with someone who had a production Rails app. This user had some challenges getting a universal forwarder to work as they weren’t aware that the Splunk Command Line Interface (CLI) is a great way to make changes to the forwarder without monkeying around with config files such as “outputs.conf”. “splunk add forward-server” and “splunk list forward-server” are two of my favorite. Fast, easy, reliable. Next up, adding data. Editing inputs.conf? Bah Humbug! use “splunk add monitor (file/directory)”. No restarts needed! But sometimes how and where splunk stores user created objects (inputs, searches, fields) is unclear–we cover that in this week …

» Continue reading

SplunkTalk – #61 – Game, Set, Match

So there are 80+ search commands. Every so often we run across one we’ve never used. This week, “we” is Wilde. Maverick holds a CLINIC on the “set” search command. Not so fast, listener/reader–we’re not talking about setting a variable or field (Which you can do with “veal”). This is more about working with two “sets” of results and looking for differences, union, intersection to use them to make some interesting decisions about your data. Rumor has it there’s a “Splunk Book” being written. Wilde is gaga about Splunk 4.3 (coming soon!). Maverick hosted the inaugural Dallas Splunk Users Group. One user has 32 indexers. Yeah. THIRTY TWO INDEXERS. Like a boss!

Episodes are recorded live every Friday at 11AM …

» Continue reading

Its the weekend. Still we Splunk.

Its Saturday Evening (Dec 3, 2011), a little after 10pm right now in Austin Texas, and i’ve got to tell you this story.

A short while ago, I was just on the couch in my living room, watching the movie “Super 8“. My two kids had fallen asleep next to me. Look at them. So peaceful. Someday ‘ll show them that picture when they’re older and being “not so peaceful”. Back to my story…

Super 8 was…well…kinda “ok”. The movie just ended and being the Apple Fanboy i am, my iPhone was sitting on the arm of my couch. Out of it comes that familiar “ping” sound when a new email comes in. As i am now programmed, …

» Continue reading

SplunkTalk – #60 – Diamonds in the rough

When you hit sixty, isn’t that time for a mid-life crisis? Perhaps, but not this crew. We’ve been SplunkTalk’in for sixty episodes now. One might say its our “diamond anniversary”. Why not. This week we’ve got a few questions for ya and some learning even mid-episode. Splunk Ninja answers a question that new users might have around re-enabling the web interface on a “light or heavy” forwarder. Maverick answers a really neat question around reporting on top 5 daily java exceptions and how to dynamically generate dashboard panels–and Wilde learns about the “accum” search command in the context of Mav’s answer. In the “What did we learn this week” segment, Ninja discusses a bit about the forthcoming MySQL lookup plugin …

» Continue reading

SplunkTalk – #59 – Schooled by the n00b

Greetings friends! Its time for another cozy chat with (maybe) your favorite nerds, Maverick Garner and Michael Wilde, the Splunk Ninja. On this week’s episode we have a chat about using Splunk’s Deployment Monitor app to take a gander at nodes not reporting in when you hope them to be. Setting up alerts might be the answer–perhaps? Maverick answers a question on access control based on information in a lookup (which may not be totally possible) but the discussion is interesting. The real fun part about this episode is in the title “Schooled by the n00b”. One of our favorite Splunker’s supern00b Jesse Miller schools us by teaching Wilde a little thing about field extraction. Jesse’s not really a n00b anymore–after all he’s been at Splunk for 7 months and rocks!!!! Simon Shelston wrote a sweet blog post about how to detect anonymous proxies hitting your servers. We highly recommend you check this out as the technique is quite good!. We’re looking for feedback on how to make the Splunk community much better. Feedback please!

Episodes are recorded live every Friday at 11AM Central Time – Email us at splunktalk@splunk.com to ask questions and have them answered on air!

» Continue reading