Smart AnSwerS #69

Hey there community and welcome to the 69th installment of Smart AnSwerS.

Time has been flying by with Splunkers working incredibly hard and adapting to new changes in our office space. It’s hard to believe that we’re halfway through 2016 already, but that’s what happens when you’re constantly focused and pushing through the daily grind. Luckily, HQ and other Splunkers in the US are getting a nice 5-day summer break starting tomorrow for the 4th of July weekend. This is our chance in the middle of the year to refresh and recharge before finishing off strong with the next couple of quarters ahead. Cheers!

Check out this week’s featured Splunk Answers posts:

How to add upper and

» Continue reading

Splunking a Microsoft Word document for metadata and content analysis

The Big Data ecosystem is nowadays often summarized with ‘V’s: the 3Vs of Big Data, the 4Vs of Big Data, even the 5Vs of Big Data! However many ‘V’s are used, two are always dedicated to Volume and Variety.

Recent news provides particularly rich examples with one being the Panama Papers. As explained by Wikipedia:

The Panama Papers are a leaked set of 11.5 million confidential documents that provide detailed information about more than 214,000 offshore companies listed by the Panamanian corporate service provider Mossack Fonseca. The documents […] totaled 2.6 terabytes of data.

This leak illustrates the following pretty well:

  • The need to process huge volumes of data (2.6 TB of data in that particular case)
  • The need to
» Continue reading

Eureka! Extracting key-value pairs from JSON fields

With the rise of HEC (and with our new Splunk logging driver), we’re seeing more and more of you, our beloved Splunk customers, pushing JSON over the wire to your Splunk instances. One common question we’re hearing you ask is how key-value pairs can be extracted from fields within the JSON. For example, imagine you send an event like this:

{"event":{"name":"test", "payload":"foo=bar\r\nbar=\"bar bar\"\tboo.baz=boo.baz.baz"}}

This event has two fields, name and payload. Looking at the payload field, however, you can see that it contains additional fields encoded as key-value pairs. Splunk will automatically extract name and payload, but it will not look further into payload to extract the fields within it. That is, not unless we tell it to.

» Continue reading

Smart AnSwerS #68

Hey there community and welcome to the 68th installment of Smart AnSwerS.

It’s the week of LGBT Pride in San Francisco, so SplunQers and fellow allies came together yesterday afternoon for our second party ever in the new building at HQ. The courtyard was set up with rainbow themed decorations, treats, and libations (of course) to celebrate the many identities that make up the diversity of our company. The turnout was amazing as we filled the courtyard with lively energy and blaring music in true Splunk fashion. Big thanks to the SplunQers, Fun Council, and Facilities for organizing and promoting an open culture.

Check out this week’s featured Splunk Answers posts:

How to speed up LDAP / Active

» Continue reading

Supporting a cycling world record attempt using analytics

It’s not every day that you get to be involved in a record attempt, but Splunk is currently supporting a team of four cyclists in their quest to break the world record for a team cycling from the West coast to the East coast of the US.

The Race Across America (RAAM) is an annual cycle race involving teams of four riders. The total race distance is 3,070 miles and it involves 55 stages between a series of waypoints – fixed coordinates on a route that starts at Oceanside, California and ends at Annapolis, Maryland.

The stages themselves can vary dramatically in length, terrain and altitude change. The weather conditions and wind speed will have a significant impact on …

» Continue reading

Spotting the Adversary… with Splunk

Howdy Y’all. Eventually there is a Rubicon to cross in every Security professional’s life. With a satisfied sigh he’ll take a step back from the keyboard, wipe Dorito-dust-covered hands on khakis, take a long slug of Mountain Dew, and gaze proudly at his Splunk instance and utter the words “I’ve added all the data sources I can. The network is being ‘monitored’”. Then the smile will falter as his cyber demons claw their way up to the surface. He’ll hear them scream out “but WHAT am I supposed to look for??” He (and you) are not alone. Ever since time immemorial (or at least since I first began “practicing” the dark arts of cyber security) I would hear the question of “but what …

» Continue reading

Smart AnSwerS #67

Hey there community and welcome to the 67th installment of Smart AnSwerS.

For folks who will be in the San Francisco Bay Area the first full week of July, you’re all welcome to join us at the SFBA User Group meeting on Wednesday, July 6th @ 6:30PM PDT. chuckers has graciously offered to host at Comcast in Sunnyvale, CA where we’ll be hearing some interesting talks by watkinst from Mastercard and Splunk Senior Director of Product Management, Gaurav Agarwal. If you can make it, be sure to visit the SFBA User Group page to RSVP!

Check out this week’s featured Splunk Answers posts:

What happens to my multisite indexer cluster when connectivity between sites dies?

davidpaper shares …

» Continue reading

DevOps Metrics: Measuring Team Productivity – Yes or No?

In my last blog post, I talked about the importance of measuring the business impact of DevOps-driven application delivery. At the DevOpsDays Seattle Open Space discussion on metrics, we also explored measuring DevOps teams’ performance and people productivity. I was glad to see that Nancy Gohring from 451 Research joined our session (check out her insights). Below are some of the key highlights from that Open Space discussion.

For DevOps leaders, knowing whether DevOps teams are making progress toward meeting their organizational goals is important. Often these teams seem to have conflicting objectives. And, since DevOps practice involves a cultural shift, in our discussion it was concluded that it is crucial for Dev and Ops teams to …

» Continue reading

Smart AnSwerS #66

Hey there community and welcome to the 66th installment of Smart AnSwerS.

Splunk HQ now has an open room with giant Lego-like blocks for Splunkers to take a creative escape from the daily grind. Some folks have already constructed some pretty epic stuff. In the first week, someone built a “conference room” with a fully functional table and bench seating that could be used for gaming, eating lunch, and quick meetings…possibly. When I checked out the space again last week, there was a 30+ foot long bridge and some sort of igloo maze fort. Who knows what architectural feats people will come up with next!

Check out this week’s featured Splunk Answers posts:

Splunk Add-on for

» Continue reading

One source, many use cases: How to deliver value right away by addressing different IT challenges with Splunk – Part 2

Do you remember this piece of raw data:

I hope so, it was on the blog only last week … 😉

Today, let’s focus on the value we can extract and how we’ll be able to address some of the IT challenges related to the company strategy.

IT Ops

What kind of information would be relevant for the application manager?

I am sure he would be interested in:

  • Number of transactions during the last X minutes and the trend
  • Number of transactions in error during the last X minutes and whether this number is growing compared to the last Y minutes
  • How long a transaction takes to complete for each customer
  • A geographic distribution of the transactions

“What? You said …

» Continue reading