That happened: episode 14

This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: if you love Splunk so much why don’t you MARRY IT, kill -9 the DJ, isolating your data, and typing exercise recommendations.

Convert the masses^Wnumbers!

Nerf and Splunk, sitting in a tree:

<Nerf> Is there an easy way to convert something like “2.5g” into 2684354560?
<Nerf> Like the convert function does with dates
<mlanghor> Nerf: eval
<Nerf> In a way that would automatically handle k/m/g/etc
<cerby> eval GB=$value*1024*1024*1024
<cerby> oh, no idea.
<mlanghor> no shorthand for it
<Nerf> Sure, I can do it once, but I have a field that’s “human readable” and I need to normalize it
<mlanghor> hmm, could you use transform to manipulate it?
<Nerf> memk under convert.  woohoo!
<Nerf> convert memk(field)
<Nerf> Description: Convert a {KB, MB, GB} denominated size quantity into a KB
<mlanghor> nice!
<Nerf> Splunk> Adding features before you need them
<mlanghor> I’ve lost count of the number of times someone’s said “it would be cool if Splunk could…” and amrit|wrk said “yea, it’s done that since 3.x”
<Nerf> | convert auto(*) <- I think I want to kiss someone

Panic on the (virtual) streets of Splunktown

Murderers in our midst:

<Ayn> duckfez: thanks for the tip about killing vmware machines yesterday. worked like a charm
<duckfez> Ayn: o/
<Ayn> there’s a certain satisfaction that comes with solving a problem by performing a kill -9
<Ayn> \o
<^Brian^> when in doubt, take it out back and shoot it?
* MuS sings out loud ‘kill the VM’ (Melody from ‘hang the DJ’ by the smiths)

Poor lonely colddb

Want a sensible answer? Why not Zoidberg?

<JohnFr> I see homePath, coldPath in indexes.conf.  is there any way to send ONLY warmdbs to their own path?
<duckfez> JohnFr: nope, hot+warm must cohabitate
<JohnFr> understood, thanks!
<duckfez> JohnFr: cold can live in its bachelor apartment
<JohnFr> lol
<duckfez> JohnFr: has to do with search processes being forked at the same time a bucket is rolled from hot to warm and having open file handles and such (or so I think)
<duckfez> JohnFr: but, because cold buckets aren’t opened until needed, no such problem for them
<JohnFr> ok, that makes sense
<duckfez> <zoidberg> yay, I said something that makes sense </zoidberg>
<JohnFr> lol

Mavis Beacon would approve

Some of us could use the exercise:

<zamba> i have a bunch of dest_ip i’m looking for
<zamba> what’s the most efficient way of writing that search filter?
<zamba> instead of doing dest_ip = “something” OR dest_ip = “somethingelse” OR dest_ip = “somethingwayother”
<Drainy> you can search by subnet
<zamba> Drainy: well.. they’re not in the same subnet at all
<Drainy> or if it’s the same list of dest_ips I guess you could write a macro to include them all
<Ayn> if you’re going to do this lots of times you could create a lookup table that you use for feeding search terms from
<Drainy> oo
<Drainy> +1
<Drainy> or you could just type them all out each time and use it as a typing exercise :)
<zamba> hehe

Posted by Rachel Perkins