TIPS & TRICKS

That happened: episode 12

This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: underpants gnomes, irony, the more you know, and regexes featuring teen pop idols.

Splunk> find out what phase 2 is

ftk is right, although Splunk t-shirts are not the *only* reason to go to .conf:

<ftk> so i had this intermediary forwarder
<ftk> that i finally upgraded
<ftk> from 4.1.7
<ftk> end of story
<duckfez> cool story, brah
<ftk> iknowrite
<ftk> /s/w//
<splunkmas> true story.
<cerby> Am I the only one who doesn’t have any idea what just happened? :-)
<rayutsw> no
<ftk> we told a cool story bro
<JoeTron> Needs more dragons
<cerby> and tomatoes.
<madscient> step 1) 4.3 forwarder, step 2) intermediary 4.1.7 forwarder, step 3) …..
<madscient> underpants
<cerby> I <3 gnomes
<ftk> madscient: it was working just fine so i never felt the need to upgrade :)
<cerby> Splunk> Gnoming around in your underpants for more than 5 years
<madscient> saw an old splunk tagline yesterday i hadn’t seen in years. i don't think it was ever used either but i could be wrong. “TMI for your datacenter”
<madscient> cerby: although that one’s better.
<cerby> madscient: I particularly like my home-made splunk shirt that says, “Splunk> It’s magic. You wouldn’t understand”
<cerby> I get a lot of mileage out of that when I wear it to Splunk events.
<splunkmas> I have the ‘looking for trouble’ shirt
<splunkmas> My boss told me it’s really girly.
<splunkmas> :(
<ftk> :(
<ftk> splunkmas: go to .conf there shall be shirts

Irony, thy name is startup message

Sometimes too much information is a bad thing:

<JPres> Splunk> Be an IT superhero. Go home early.
* JPres looks at the clock…

More REST for the wicked

It’s a rare day when Ducky learns something new:

<jtrucks> is there a way to export all the saved searches in a csv or parseable format?
<fezduck> jtrucks: including per-user?
<jtrucks> yes
<fezduck> well, that gets messier
<jtrucks> group alone is fine.
<jtrucks> :)
<fezduck> I was gonna suggest "splunk cmd btool savedsearches list"
<jtrucks> oooh that is a good idea.
<jtrucks> thanks!
<fezduck> but, to use that further on a per-user basis
<fezduck> it’s more like
<fezduck> bin/splunk cmd btool --user=foo --app=bar savedsearches list
<fezduck> and then you have to loop over  for a in apps; do for u in users; do …
<jtrucks> awesome thanks!
<fezduck> (which is the suck)
<fezduck> there may be a better rest api
<_d_1> fezduck: that’s a good idea …./servicesNS/-/-/saved/searches/
<pde> like this: | rest /servicesNS/-/-/saved/searches count=1000 | table eai:acl.owner,
<pde> search, title, cron_schedule, actions, action.script.filename
<pde> (you can make rest api calls from the search language :) )
<fezduck> _d_1, pde — awesome .. I have learned two things today
<pde> then you’re ahead of the game. go home early.
<pde> :)
<fezduck> And I’m at home already! w00t
<pde> schweet!
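The endpoint _d_1 and pde point at returns, outside of the search language, a REST response that you can fetch with `output_mode=json` and post-process yourself, which also answers jtrucks' original CSV question. The script below is an added example, not code from the blog post or from anyone in the channel: it builds the `/servicesNS/-/-/saved/searches` URL, parses a constructed response whose shape (an `entry` list with `name`, `acl` and `content`) is assumed to match what Splunk returns, emits the same columns as pde's `table` (with `eai:acl.owner` assumed to map to `acl.owner` in the JSON), and flags saved searches whose alert action runs a script, which is the subset an administrator reviewing scheduled jobs usually wants to look at first.

```python
"""Export Splunk saved searches (per owner and app) to CSV and flag scripted actions.

Added example, not part of the original post. Assumptions: the REST response
shape below (entry[].name / acl / content) and the sample payload are
constructed for this example; output_mode=json and count= are real parameters
of Splunk's REST API, the /servicesNS/-/-/saved/searches path is from the chat.
"""
import csv
import io
import json

# Same columns as pde's `| table ...`, with eai:acl.owner/app as plain owner/app.
COLUMNS = ["owner", "app", "title", "search", "cron_schedule",
           "actions", "action.script.filename"]

# Constructed sample of what the endpoint returns with output_mode=json.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "Errors last hour",
         "acl": {"owner": "admin", "app": "search", "sharing": "app"},
         "content": {"search": "index=main error | stats count",
                     "cron_schedule": "0 * * * *", "actions": "email",
                     "action.script.filename": ""}},
        {"name": "Disk cleanup",
         "acl": {"owner": "foo", "app": "bar", "sharing": "user"},
         "content": {"search": "index=_internal | head 1",
                     "cron_schedule": "*/5 * * * *", "actions": "script",
                     "action.script.filename": "cleanup.sh"}},
        {"name": "Ad hoc",
         "acl": {"owner": "nobody", "app": "search", "sharing": "global"},
         "content": {"search": "index=web status=500", "actions": ""}},
    ]
})


def rest_url(base, owner="-", app="-", count=1000):
    """URL for all saved searches across users and apps ('-' is the wildcard namespace)."""
    return f"{base}/servicesNS/{owner}/{app}/saved/searches?count={count}&output_mode=json"


def parse_saved_searches(payload):
    """Flatten the JSON response into one dict per saved search."""
    data = json.loads(payload)
    rows = []
    for entry in data.get("entry", []):
        acl = entry.get("acl", {})
        content = entry.get("content", {})
        rows.append({
            "owner": acl.get("owner", ""),
            "app": acl.get("app", ""),
            "title": entry.get("name", ""),
            "search": content.get("search", ""),
            "cron_schedule": content.get("cron_schedule", ""),
            "actions": content.get("actions", ""),
            "action.script.filename": content.get("action.script.filename", ""),
        })
    return rows


def scripted_searches(rows):
    """Saved searches whose alert action executes a script on the search head."""
    return [r for r in rows
            if "script" in r["actions"].split(",") or r["action.script.filename"]]


def to_csv(rows):
    """Render the rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print("would fetch:", rest_url("https://localhost:8089"))
    rows = parse_saved_searches(SAMPLE_RESPONSE)
    print(to_csv(rows))
    for r in scripted_searches(rows):
        print("scripted action:", r["owner"], r["app"], r["title"],
              r["action.script.filename"])
```

To run it against a real instance, replace `SAMPLE_RESPONSE` with the body returned by an authenticated GET of `rest_url(...)`; the `count=1000` from pde's search matters here too, because the default page size would silently truncate a large list.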

One less lonely rex

Drainy drops the B-bomb:

<BabySplun> Regex help anyone?
<Drainy> BabySplun: shoot
<BabySplun> Drainy : I want to get the data between <txt> and </txt> – see my pastebin..  http://pastebin.com/wnKP9WiN
<@Splunky> BabySplun’s URL: “[XML] BabySplunk – RegEx Help – Pastebin.com”
<Drainy> BabySplun: all into one field? or the data into their own fields from inside txt
<BabySplun> All into one field is fine please.
<BabySplun> I’ve done other extractions before but I’m stumped with the <txt> and </txt> – feeling stoopid.
<Drainy> BabySplun: maybe something like… SEARCHSTUFF | rex field=_raw "<txt>\s+(?<Bieber>[^>]+)</txt>"
<Drainy> something ala that?
<Drainy> that’s right, I dropped the B bomb right into that rex
<BabySplun> My girls sing me songs during breakfast each morning.
<Drainy> hah, what a bad way to start the day!
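Drainy's rex as posted works by backtracking: `[^>]+` runs past `</txt` and gives back five characters so `</txt>` can match. It does fail, though, when the text itself contains a `>` or when there is no whitespace after `<txt>`. The snippet below is an added example, not from the blog or the channel, that runs the pattern (Python's `re` spells a named group `(?P<name>...)` rather than PCRE's `(?<name>...)`, so the string is converted) against two constructed samples and compares it with a variant using `\s*` and `[^<]+`, which is the usual way to express "everything up to the closing tag".

```python
"""Check a Splunk-style rex pattern for <txt>...</txt> against sample events.

Added example, not part of the original post. The sample events are
constructed; the first pattern is Drainy's, the second is a variant.
"""
import re

# As posted in the channel (PCRE named-group syntax used by Splunk rex).
REX_AS_POSTED = r"<txt>\s+(?<Bieber>[^>]+)</txt>"
# Variant: optional whitespace, and stop at the next '<' instead of the next '>'.
REX_VARIANT = r"<txt>\s*(?<Bieber>[^<]+)</txt>"

# Constructed events: one plain, one with a '>' inside the text, one with no space.
EVENTS = [
    "<msg><txt> hello world </txt></msg>",
    "<msg><txt> a > b </txt></msg>",
    "<msg><txt>no-space</txt></msg>",
]


def to_python_regex(pcre_pattern):
    """Splunk rex uses (?<name>...); Python's re needs (?P<name>...)."""
    return re.compile(pcre_pattern.replace("(?<", "(?P<"))


def extract_txt(pattern, event):
    """Return the Bieber capture, or None when the rex would extract nothing."""
    match = to_python_regex(pattern).search(event)
    return match.group("Bieber") if match else None


def run_all(pattern):
    """Apply one pattern to every sample event, like `| rex` over a result set."""
    return [extract_txt(pattern, e) for e in EVENTS]


if __name__ == "__main__":
    for name, pat in (("as posted", REX_AS_POSTED), ("variant", REX_VARIANT)):
        print(name, run_all(pat))
```

Note that `[^>]+` leaves a trailing space in the capture on the first event because the backtracking stops exactly before `</txt>`; if that matters, trim in the pattern or with a later `eval`.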

----------------------------------------------------
Thanks!
rachel perkins

Posted by Splunk