That happened: episode 24

This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: gang warfare, storage vs search, new weather data input, and new exercise trends:

When you’re a regex, you’re a regex all the way

Solving the gang wars:

<PaulB|wrk> Why didn’t anyone tell me about the field extractor app?
<PaulB|wrk> :)
<duckfez> PaulB|wrk: because … regex ?
<mlanghor> PaulB|wrk: you’ll learn rex/regex and like it
<PaulB|wrk> i have been banging my head with regex.. and there was this easy does it app
<duckfez> hard-core PCRE for life oXo
<mlanghor> still have issues with the app finding the data I actually want
<duckfez> now I need a gang sign for PCRE
<PaulB|wrk> no more gang wars…
<PaulB|wrk> WESTSIDE!!!!!!!!!

SANity is not in the picture

Amrit advises on the core of the matter:

<wrench_> Hey I’m about to pursue the procurement of SAN space for a new Splunk setup. I will have two servers: a dedicated indexer and a dedicated search head. Will the web services run from the dedicated search head? Also, the indexer is the only machine that really needs the high performance SAN space — and the search head will just query it, correct?
<Ayn> yes, indexer – fast disk. search head – plenty of cpu cores.
<wrench_> Ayn: gotcha — so will the web server for splunk run on the search head?
<@amrit|wrk> the web server can run on both sides, but definitely should be up on the search head if you want users to be able to use the web interface
<Ayn> yes, that’s (most often) the main purpose of the search head.
<Coccyx> wrench_: why would you put it on SAN?
<@amrit|wrk> and keep in mind that the indexer could potentially need a large number of cores too, if your users end up running large numbers of searches where heavy computation needs to be done on the indexer side
<Coccyx> you’re just throwing away money
<wrench_> Coccyx: b/c that’s my only option
<wrench_> amrit|wrk: gotcha willdo
<Coccyx> they stopped manufacturing servers with disks!?!?
<wrench_> they stopped listening to what I said
<wrench_> and said “SAN”

The weather, it’s been weird

#splunk denizen and .conf 2012 presenter alacer has authored a great new input add-on for the WeatherUnderground API, check it out here on Splunkbase!

Have you lifted a duck today?

Ducky may be in even more demand than usual:

<hexSOWFSD> derkferz: PLS EXPLAIN – http://i.imgur.com/gOLMY.jpg
<firebus> we’ve got an obesity epidemic in this country, and lifting ducks while prone has been clinically proven to reduce the incidence of diabetes
<hexSOWFSD> oh
<hexSOWFSD> right

rachel perkins
