Share Knowledge with Splunk

Animation_00a: Use the users/content/communities icons from the investor pitch with the people sharing in groups but label the three groups teams/organizations/communities.

VO_00a: "Now that you're using Splunk to search, alert and report, I'd like to show you how you can share knowledge with your team and the rest of the Splunk community on SplunkBase."

Storyboard_01: Save and share locally

Setup_01a (no capture): On J2EE demo do a search for 'sourcetype::weblogic_stdout' and ensure that the fields you see are core + eventtype only. Then do the search in the first screencast and delete the eventtype if it already exists before moving on to the capture.

Screencast_01a: Search for "jdbc error failed javax.transaction.xa.XAException" with timerange set to September 25 2007 00:00:00 to 23:59:59.

VO_01a: "You've looking into failed transactions on your site. Researching a number of JDBC errors you learn restarting your server resets the connection pool to your database and solves the issue."

Screencast_01b: Choose "save as eventtype" from search menu and type in the name "XA_JDBC_driver_exception". Don't save yet.

VO_01b: "It's easy to share your knowledge with your team. Just save your search as an event type - let's call it "XA_JDBC_driver_exception." We can use tags to indicate the recommended action for this type of error."

Screencast_01c: Add tags "requires_action restart_weblogic" and save.

VO_01c: "I like to give all events that require an administrator to take action, the tag, 'requires_action', and a tag with the action to take."

Setup_01d: (don't capture) Click on a narrower timeframe and do a search for just "jdbc error".

Screencast_01d: Scroll through results until you see one of the typed events and highlight the event type and tags.

VO_01d: "Now when someone else on your team comes across another one of these JDBC errors they'll know exactly what to do!"

Storyboard_02: Search SplunkBase events

Setup for screencast: Fields to Core Only

Illo_02a: Show the SplunkBase logo.

VO_02a: "You can tap into the knowledge of your team and the larger Splunk community. SplunkBase is where the community connects to share knowledge, tips and tricks. You can access SplunkBase right from your Splunk search results"

Screencast_02b: Search in the last 24 hours for "sourcetype::apache_error"

VO_02b: "You've been reviewing errors from your apache web server and..."

Screencast_02c: Scroll down past events saying "File does not exist" until you get to an event containing "CONNECTION_REFUSED" in the text.

Share_VO_02c: "...notice it looks like a bunch of files are missing... you'll need to follow up with the content team on that... wait... Connection refused... what's that about?"

Screencast_02d: Search SplunkBase using the menu next to one of the CONNECTION_REFUSED events.

VO_02d: "Search SplunkBase right from the event to see if anyone else knows."

Screencast_02e: On landing page, pick 3rd event type "apache_error_connection_refused"

Cleanup needed: Will need to photoshop out the Defined in addon: 'Apache Connection Refused' to remove 'Connection Refused'.

VO_02e: "You find a number of event types that match your event. Let's check out - the apache_error_connection_refused event. It looks like a pretty good match."

(btw I've filed the bug on SplunkBase that the relevancy of event type matches is totally missing.)

Screencast_02f: Show event type

VO__02f: "Oh cool. Here's a good description of this event contributed by one of the community members. The error means the appserver was down or not reachable over the network."

Storyboard_03: How-tos

Screencast_03a: Pan over to the related content boxes to the left of SplunkBase.

VO_03a: "SplunkBase has more than just information on events. I check it out when I'm looking to learn about something new too."

Screencast_03b: Click on related How-to "HOWTO Read apache_error events"

VO_03b: "Here, someone's written a how to on reading the apache error log."

Screencast_03c: Click on "Web Servers" in breadcrumb trail above the howto.

VO_03c: "You'll find questions, answers, how tos and event descriptions all organized by topics. Go up a level to Web Servers to find all the how to's dealing with web servers."

Storyboard_04: Add-ons

Screencast_04a: Scroll down to "related add-ons" on the left. Pick more Add-ons. Highlight the types of add-ons on the left.

VO_04a: "You'll also find add-ons for your Splunk server. Useful searches, alerts, reports, dashboards and predefined fields and event types for common IT data sources. You can download integrations with other tools like Nagios and OPSEC LEA."

Screencast_04b: From the results page pick "web access reports".

VO_04b: "Here's an add on with a number of handy web access searches and reports. You can use this as a starting point to creating your own web access reports."

Screencast_04c: Click the download button on the addon

VO_04c: "Just download the add on and install it on your server."

Setup_04e: (don't capture)Mark has to install this add-on today. Before you do the screen grab run any report and switch the chart to a pie graph then return to the home page.

Screencast_04d: Go to the J2EE demo and click on the search menu, open the list of saved searches

VO_04d: "That was easy."

Screencast_04e: Pick "top-web-file"

VO_04e: "Here's one of the reports you downloaded already working with your data."

Storyboard_05: Conclusion

Tagline: Know Your IT.

VO_05: "Now you've seen why I'm so excited about using Splunk to share knowledge. Save yourself and the rest of your team a lot of time by tagging critical events you've investigated. Tap into the community's knowledge, tips and tricks across a broad range of IT technologies. And download great add ons for your Splunk installation."

VO_05b: *"Sharing is a great way to know your IT.*"