That happened: episode 17

This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel:

I’ve been waiting

For a nerd like you!

Want a free pass to .conf 2012 (maybe so you can meet some of the folks you’ve seen featured in this silly blog?)? We just launched a Splunk Answers Karma contest–a free pass to the Splunk Worldwide User Conference will go to the winner in each of the following categories:

  • Most upvoted question
  • Most points accumulated from answering questions
  • Most downloaded app from Splunkbase Apps
  • Most points overall

Importantly, even if you don’t have the head start on karma that many of the stars of this blog have, you can still win–we’re basing this contest on the delta in your score starting from today! Winners will also get an invite to the private, invite-only Answers/IRC party at .conf, so get splunking!


Paging Dr. Snuggle:

<Ayn> my ceh exam prep book describing irc channels: “Be careful as many of them are full of bots, lurkers (people not doing anything), or rude people. But not all of them are bad.”
<Ayn> gotta be careful with the lurkers
* @cgales unlurks
* Ayn runs
<ftk> hey! i aint no bot!
<ftk> but i guess i lurk and i _am_ rude
<duckfez> and some of the lurkers are bots
<@cgales> but you’re not all bad!
<ftk> cgales: cuz i m not a bot
<duckfez> DrSnuggle has left the building it seems

Winning at multi-value field extractions:

Trolling in the deep–er, i mean the Amrit:

<wrench_> Mr0nins all!
<duckfez> hey howdy wrench_
<wrench_> I finally got the multi-value field extraction working woot!
<wrench_> heya
<duckfez> wrench_: do share
<wrench_> want me to pastebin the config?
<wrench_> or just overview?
<duckfez> or at least summarize what the dealy-o was.. is this an auto-kv field or did you have to make a regex for it?
<wrench_> I ended up using the doc example for transforms.conf and making a Regex in there
<wrench_> first time for me to use either props or transforms – so it took some different tries to get inputs/props/transforms right
<wrench_> but worked in the end 😉
<duckfez> swell
<wrench_> it works and I’ve read the relevant section in the doc but I’m not exactly clear on what FORMAT= $1::$2 actually does
<duckfez> I can explain that
<duckfez> $X is the matching groups in the regex, kind-of a precursor to (?<foo>)
<wrench_> what do the two colons mean?
<duckfez> so a regex of  REGEX= ([^\s]+)=([^\s]+)
<duckfez> just a form of assignment
<duckfez> with that regex, the ([^\s]+) to the left of the = is $1, and the other is $2
<wrench_> ah ok
<duckfez> typically, you would have a static field name like “foo::$1 bar::$2”
<wrench_> so Splunk will treat $1 as the field name and $2 as the corresponding value?
<duckfez> but, “$1::$2” makes it derive the field name from the regex’s capture groups
* duckfez nods
<wrench_> ohh cool
<wrench_> good explanation — thanks
<duckfez> now I think the catch here is when you have a more complex expression w/ quotes around it (which autokv handles very well) like "designated driver"="not amrit"
<duckfez> mlanghor was fighting w/ this the other day, dunno if he ever beat it
<duckfez> well, his situation was similar but not identical
<wrench_> ah gotcha
<_d_1> more like “designated troller”=”the amrit”
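
An added Python sketch (not from the blog, the chat, or Splunk's own code) that emulates the REGEX/FORMAT behaviour duckfez describes: static names like `foo::$1 bar::$2`, names derived with `$1::$2`, and the quoted-pair catch. The event line, the `QUOTED` regex, the quote stripping and the function name `apply_format` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The regex quoted in the chat: whitespace-delimited key=value.
NAIVE = r'([^\s]+)=([^\s]+)'
# Assumed alternative (not from the chat): key and value may each be
# a double-quoted string or a bare token.
QUOTED = r'("[^"]*"|[^\s="]+)=("[^"]*"|[^\s"]+)'

# Constructed sample event; the repeated "user" key makes a multi-value field.
EVENT = 'user=alice "designated driver"="not amrit" user=bob'


def apply_format(regex, fmt, event):
    """Emulate REGEX + FORMAT: for every match, substitute $N in each
    'name::value' term of fmt and collect the values per field name.
    Stripping surrounding quotes is a simplification of this sketch."""
    fields = defaultdict(list)
    for m in re.finditer(regex, event):
        def sub(text):
            # Replace $1, $2, ... with the corresponding capture group.
            return re.sub(r'\$(\d+)', lambda g: m.group(int(g.group(1))), text)
        for term in fmt.split():
            name, _, value = term.partition('::')
            fields[sub(name).strip('"')].append(sub(value).strip('"'))
    return dict(fields)


def demo():
    return {
        # Static field names: both captures land in fixed fields.
        'static': apply_format(NAIVE, 'foo::$1 bar::$2', 'a=1'),
        # Derived names, naive regex: the quoted pair is cut at whitespace.
        'naive': apply_format(NAIVE, '$1::$2', EVENT),
        # Derived names, quote-aware regex: the quoted pair survives intact.
        'quoted': apply_format(QUOTED, '$1::$2', EVENT),
    }


if __name__ == '__main__':
    for label, result in demo().items():
        print(label, result)
```

With the naive regex the quoted pair comes out as a field `driver` with value `not`, which is the failure mode the chat warns about.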


Artist’s interpretation of what happens when you call Splunk Support?

* troj resists “Must. Not. Answer. Red. Phone.”
<duckfez> troj: would you answer if it were a bananaphone?
* troj breaks “Hello, this is Batma…er, troj”
<duckfez> HELLO?  YES, THIS IS DOG
* troj answers the banana phone as well, creating a very confusing conversation.
<@cgales> a plantain is sort of like a red banana….
<@amrit|wrk> ring ring ring ring ring
> o.O
<@hexx0> ring
<@hexx0> ring
<@hexx0> ring ring
<duckfez> amrit|wrk: knock knock
<@hexx0> oh sorry we’ve already done “ring ring ring”
<duckfez> amrit|wrk: I’ll cut to the chase .. “orange you glad I didn’t say banana??”

Posted by rachel perkins

