Play It Again, Sam.

Have you ever wondered how to perform load testing and benchmarking in a test or development Splunk environment? How do you know if your searches are working on the latest upgrade of Splunk? Do you wonder—late at night—if your critical production instance will fall over at the push of a search button?

If you've ever wanted answers to any of these questions, you're in luck—we've brought you a new custom command to brighten your day! 

New from SplunkZero: SPL Replay!

Written by Kyle Smith from Aplura (yes that Kyle Smith, the delightfully-bearded SplunkTrust member), this custom command is multi-threaded, search head cluster-aware, and will enhance your development or test environments tremendously.

For instance, taking a result set of searches as input, you too can experience the amazement of self-dispatching and load-balancing searches! This wonderment of modern technology can execute ad-hoc searches on-demand, but it also allows the scheduling of searches to run at specified times, allowing you to mimic the execution of Splunk users (among other things).

Let's see it in action!

Quick Primer on Usage

Downloadable on Splunkbase, the add-on provides a custom search command. It should be installed on every search head where it might be run (all search heads in a cluster, for example). Once you've installed it on your search heads of choice, using it is as easy as three fields and the command.

Full documentation is available on Splunkbase, as well as inside the add-on itself. The earliest, latest, and search fields are required; the earliest and latest fields support both Splunk time-modifiers and timestamps. 

Once you have your search criteria, simply pipe to the replay command. This will immediately dispatch your defined searches (on the search head where the main search is dispatched).

Important Note: For ALL uses of this command, RESULTS or EVENTS are NOT returned to the executing parent search. Only metadata related to the executed searches are returned.

Each search is dispatched with an md5_tracker field, and that value lets you find all the log entries related to that execution in the _internal logs. That's it! In just a few minutes, you can be re-executing searches across your environment.
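To make the three-field input concrete, here is a small added example (it is not from the original post or from the add-on's documentation). It assumes the command is invoked as `| replay`, and the two searches and their time ranges are made-up values chosen only to show the two time formats the post says are supported:

```spl
| makeresults
| eval earliest="-24h@h", latest="@h",
       search="index=_internal sourcetype=splunkd log_level=ERROR | stats count by component"
| append
    [| makeresults
     | eval earliest="1514764800", latest="1514851200",
            search="index=_internal sourcetype=splunk_web_access status>=500 | stats count by uri_path"]
| table earliest latest search
| replay
```

The first row uses Splunk time modifiers and the second uses epoch timestamps; each row becomes one dispatched search. In line with the note above, the parent search receives only metadata about those dispatches, not their events. To review what a given dispatch actually did, take its md5_tracker value from that metadata and look it up in index=_internal (for instance as a free-text term); how the field surfaces there is an assumption here, so check the add-on's documentation for the exact form.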

There are many more options available, including search head cluster round-robin load balancing and scheduled-execution searches, so please read the full documentation for more details.

SplunkZero has been using this command internally at Splunk within our own test and staging environments. The ability to replicate production searches—both app level and user level—is invaluable in testing new versions of Splunk!

We here at SplunkZero wish you happy SPL Replays! If you have questions, please refer to the contact information on Splunkbase.

Posted by Alex Cain
