It’s my most favorite time of the month – Patch Tuesday! Ok, I might be slightly exaggerating there. Let’s face it. It’s a pain in the neck. I have to go around to every server in my development environment and ensure that all the critical patches have been taken care of. Usually, this means a trip to Windows Update, or checking the logs of the Windows Server Update Services (WSUS) server. Today, I woke up and decided Splunk was going to assist with this.

One of the first questions customers ask when they start considering index replication is about storage requirements. Index replication keeps additional copies of data for redundancy purposes, but how would it affect the storage needs and what are the factors to consider in designing scalable storage architecture are the main questions. I’ll cover the important factors in this blog post.

There are two major dimensions to consider. First one is the replication policies and the second one is the data retention period.

Replication Factor (RF) and Searchability Factor (SF) control the replication policies. RF determines the number of raw data files to keep while SF determines the number of time series indexed files. For syslog data, the raw data files…

Imagine a scenario in which one of your Splunk indexers just abruptly went down due to hardware failures. The data stored in the indexers aren’t available for searching until the indexers are restored. Your business users are unhappy, because they’re unable to act on the very important historical data.

This scenario can be completely avoided, thanks to a new feature in Splunk 5.0 called Index Replication. The index replication allows IT administrators to specify and store redundant copies of the data across a cluster of indexers. When one of the indexers is down, the system automatically detects this failure and redirects the search queries to other available indexers, which has the data. Everything happens so seamlessly that your business users…

One of the coolest features we’ve introduced in Splunk 5.0 is Report Acceleration. This speeds up reports by many orders of magnitude, and it is so easy to set up.  So, what is the secret behind such a powerful acceleration?   I’ll attempt to explain some of the concepts that powers report acceleration in this post.

Before report acceleration, one of the ways for users to speed up reports is through summary indexing. Although very powerful, summary indexing was more suited for Splunk admins rather than for report developers. Summary indexing also didn’t have a way to auto-update its summaries to back-fill data and it stores the summaries on the search heads instead of on the indexers.

Report acceleration is targeted…

Using the new Splunk Sentiment Analysis app I was able to correlate how positive tweets were, depending on how many people follow a twitter account. It’s a slight stretch, but essentially, are you happier with more friends?

index=twitter | sentiment twitter body | chart avg(sentiment) by actor.followersCount


It seems that people with smaller circles of friends are more positive. More friends equals more negativity, up until about 75 friends. Seems like a fairly good life lesson, but take it a grain of salt — spam twitter accounts may skew things.

EXCERPT FROM “EXPLORING SPLUNK: SEARCH PROCESSING LANGUAGE (SPL) PRIMER AND COOKBOOK”. Kindle/iPad/PDF available for free, and hardcopy available for purchase at Amazon.

Problem

You need to find transactions with specific field values.

Solution

A general search for all transactions might look like this:

          sourcetype=email_logs | transaction userid

Suppose, however, that we want to identify just those transactions where there is an event that has the field/value pairs to=root and from=msmith. You could use this search:

   sourcetype=email_logs
   | transaction userid
   | search to=root from=msmith

The problem here is that you are retrieving all events from this sourcetype (potentially billions), building up all the transactions, and then throwing 99% of the data right in to the bit…

I work a lot with the various people who plan, deploy and support the Splunk App for Active Directory. Some issues come up quite frequently and I thought it would be a good idea to give you a roadmap of things to check as you deploy your environment. I’ll go through the issue and how to check for it so that you can make your roll-out as smooth as possible.

When setting up data inputs for Splunk, it is never long before you start to talk about the semantics of names for Sourcetypes. So how do I name my sourcetype and what difference does that make?

On the second Tuesday of each month, Splunkers in the Dallas / Fort Worth Metroplex area have been getting together on a regular basis to talk about all things Splunk. Seems the users are able to take advantage of spending just a couple hours with each other, trading notes about Splunk, helping each other solve problems with our Splunk deployments and configurations, and sharing a beer and pizza too.
If you are interested in attending now, please click this link below for details:

http://www.meetup.com/Splunk/Plano-TX

On the second Tuesday of each month, Splunkers in the Dallas / Fort Worth Metroplex area have been getting together on a regular basis to talk about all things Splunk. Seems the users are able to take advantage of spending just a couple hours with each other, trading notes about Splunk, helping each other solve problems with our Splunk deployments and configurations, and sharing a beer and pizza too.

BTW, we are 40 members and counting now!

Our next meeting will be held at the Splunk Office in Plano, Texas on Tuesday, June 12th @ 6:00p CST.