Making service desk relevant within your organization

With Knowledge14 kicking off next week, it’s a good time to reminisce on your service desk, the face of your operations to both internal and external customers.

For external facing service desks supporting customers, the effectiveness has traditionally been measured on mean time to resolution, first level resolution rates, escalations and such. And for internal facing service desks that support employees, its effectiveness has been measured mostly around service delivery within acceptable internal SLOs/SLAs.

These days, service desks are expected to continuously improve end-user satisfaction by delivering high quality, timely customer/user support. How do you enable this?

Let’s look at each of the delivery models individually.

External Facing Service Desks:

The most important metrics to track the external service desk …

It’s That Time Again!

The other day I was asked how Splunk can be configured to index a file where the events have different timestamps. If you index this type of log file, your events end up being merged together because the timestamps are in multiple formats, and the result may look something like this:

Here is an example snippet of a catalina.out log file with multiple timestamps. Feel free to import this into your own Splunk instance for learning purposes.

Mar 15, 2014 8:18:33 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 576 ms
2014-03-17 23:58:21,246 [pool-2-thread-3068] ERROR org.apache.thrift.server.TThreadPoolServer - Thrift error occurred during processing of message.
org.apache.thrift.protocol.TProtocolException: Missing version in readMessageBegin, old client?
at org.apache.thrift.protocol.TBinaryProtocol.readMessageBegin(

You certainly can’t ask the developers …

That happened: episode 40

This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: Ducky drops some wisdom, the #splunk buddy system in action, some things never get old, sharing the Splunk clue:

Interested in Splunk performance as it relates to kernel filesystem caching?

Check out this awesome blog post from resident #splunk genius duckfez

The family that upgrades together…

…might also need a tetanus shot:

<Degann> catalan you upgrade to 6.0.3?
<catalan> yep
<Degann> we can be upgrade buddies, I just finished
<Degann> :)
<catalan> awwww
* catalan cuts her thumb and holds out the knife

Is there nothing regex can’t do?…

Higher Education, Heartbleed, and the Heroes in your IT shop

At Splunk we spend a lot of time working with rank-and-file IT folks in higher education who must consistently deliver on two wildly divergent fronts – first, protect against threats foreseeable and unforeseeable (who saw Heartbleed coming?); and second, provide open infrastructure for the creation and sharing of next-generation human knowledge. I’ve had the privilege of working with some brilliant thinkers in this realm, folks who many years ago told me things like “the business model of higher education is broken” and “digital footprints from the learning process will form the foundation of next-generation education”, but the day-to-day lives of IT workers need to change before these grand ideas take systemic hold. In the meantime, university IT budgets continue to …

Windows Print Monitoring in Splunk 6

Splunk 6 has been out almost six months and I have not yet finished covering all the new Windows features. Let’s continue doing that by looking at print monitoring. If you have ever wanted to do chargeback reporting for print jobs but lacked the data, then this is for you. The Windows Print Monitor is a new data input in the Splunk 6 Universal Forwarder (ok – it’s also available on Splunk Enterprise).

The idea of this is fairly simple. Install a Splunk 6 Universal Forwarder on your print servers, set up the data input and you will get data. There are two types of data you can get – inventory type information such as the printers, the ports …

Reflections on a Splunk developer’s journey : Part 1

It seems like only yesterday

…that I was writing my first Splunk App. It was the openness and extensibility of the Splunk platform that attracted me to this pursuit in the first place, and when I discovered the thriving community on Splunkbase (now called Splunk Apps / Answers), I just had to contribute. 11,000+ downloads across 9 different freely available community offerings later, I am feeling somewhat reflective. So in this 2 part blog series I want to share with you some of my lessons learned from developing and supporting Splunk community Apps/Add-ons (part 1) and then some musings on why you should consider developing Splunk Apps/Add-ons yourself and contribute to the Splunk developer ecosystem (part 2).

Some lessons learned…

Splunk App for VMware v3.1: Transforming operational visibility into virtualized datacenters with built-in storage correlation

Earlier today, we announced the general availability of the latest release, version 3.1, of the Splunk App for VMware. This release is monumental, providing radical cross-tier insights into your virtual infrastructure. In this latest release, we’ve focused on improving time-to-value with 3 important features – correlated insights, adaptable reporting and an enhanced topology map. Let’s delve a little deeper into each area.

1. Built-in correlation between VMware and storage environments:

If you’re running a virtual datacenter, storage latency in virtual environments is one of the most common performance issues you are likely to deal with. Storage I/O latencies impact performance of VMs because read/write operations can cause performance issues to the shared resources in your datacenter; as VMs contend with each …

Detecting Windows XP Systems with Splunk

Windows XP is dead! Soon after Windows XP was introduced, Microsoft introduced the Trustworthy Computing Initiative – a kind of “security first” thinking that has been the hallmark of Microsoft for the last decade. Prior to the security focus, Microsoft operating systems were well known as a leaky sieve for viruses. Now, 12 years later, Windows XP is finally ready to be dropped. Well, to be honest – that happened a few years back. But many people are holding on to their XP installs for one reason or another. Now it’s time to give them up.

How can you tell who is connecting to your facilities with Windows XP systems? There are a variety of ways depending on if they …

Splunk as a Recipient on the JMS Grid

A number of years ago, I was fascinated by the idea of SETI@home. The idea was that home computers, while idling, would be sent calculations to perform in the search for extraterrestrial life. If you wanted to participate, you would register your computer with the project and your unused cycles would be utilized for calculations sent back to the main servers. You could call it a poor man’s grid, but I thought of it as a massive extension for overworked servers. I thought the whole idea could be applied to the Java Messaging Service (JMS) used in J2EE application servers.

Almost a decade ago, I would walk around corporations at “closing” time and see a mass array …

Another NY Metro Splunk Users Group Meeting

We had our first NY Metro Splunk Users Group meeting of the year this week. It was hosted at Blackrock in NYC, with Reed Kelly, one of the leaders of the users group, playing host. Thanks Reed.

Our first order of business was to watch a presentation from Splunk Product Manager Jack Coates on the new 3.0 Splunk Common Information Model. Unlike the past CIM, which focused heavily on security, the new CIM is general purpose for all of IT and flexible enough to have more knowledge added to it when needed. As a bonus, the app in the app store has data models to quickly get started and test your data sources.

Next, we had a discussion (or some …