This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: Splunk Singles, they always come back in the end, what happens when users set their own schedules, and the nature of Batman’s poop:
#splunk can help you get a date
Knowledge is always attractive:
<trakz> Man…. decent field extractions in splunk are really hard for complex log types. Wish someone had a cookbook for that.
<alacer> trakz: explain.
<trakz> For example anything windows based (IIS, Event Logs) seems to follow somewhat random formatting.
<alacer> I’m working on an IIS TA for Splunk.
<trakz> are you dating anyone?
<alacer> I’m married.
A prodigal son returns
Joe440_ (aka jgedeon) returns to #splunk after a long absence and proves his commitment to sparkle motion^W^WSplunk:
<joe440_> duckfez: http://www.snortrecon.com/2013-02-28_16-35-42_829.jpg A little over the deep end? lol
<cerby> joe – NICE
<cerby> someone is a Lincoln fan (x2)
<joe440_> Bosses think I am a little crazy.
Scheduled searches gone wild
The bane of the Splunk Admin:
<rayutsw> I just had to put the smack down on people doing scheduled real time searches
<^Brian^> just remember – setting up a search head to do nothing but saved searches is a good thing
<pnkflyd> I had a guy I worked with who set up ~15 real time searches to populate a dashboard… they ran every minute
<mlanghor> pnkflyd: lol
<rayutsw> I might look into that, Brian. expecting three more search heads soon.
<Nerf> rayutsw: I just went through and changed a bunch of those
<jspears> how do you segregate scheduled searches like that? manually?
<Nerf> No talking, just change
Guano aggregation methodologies
Because one needs an intellectual excuse to discuss a heatmap of Batman’s poop:
<hexx0> re: earlier discussion about timechart and data points. One thing I sometimes do if i want to sample instead of aggregate is “… | timechart first(field)”
<hexx0> that way, I pick one sample per time slice, instead of using an aggregation method
<hexx0> sometimes, that’s sufficient
<madscient> hexx0: on that note I suppose you could also get *some* aggregation with | timechart values(foo) as foo | mvexpand foo
<hexx0> of course, best not to do that when a given time slice contains thousands of data points
<madscient> in that at least you wouldn’t be downloading 100 rows to render a single pixel the same color 100 times…
<hexx0> interesting idea
<hexx0> i never tried that
<hexx0> it sounds a bit evil
<madscient> me neither. maybe it’s evil!
<madscient> to the batcave
<hexx0> did batman poop his pants again?
<madscient> well, it is evil because if you have 99,999 values of 1.2, and 1 value of 9.8, it draws two points – one at 1.2 and one at 9.8. which is, some might say, the very definition of evil.
<madscient> the correct approach is to generate as accurate a heatmap as possible, of the poop in batman’s pants.
<madscient> rather than trying to simply splatter it all across the screen.
<madscient> as it were.
<TheBeege> the most intellectual conversation about poop I have ever heard
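For anyone who wants to see the three approaches from that exchange side by side, here is an added example (mine, not from the blog or from anyone in the channel). It manufactures the exact pathological case madscient describes, a run of identical values with a single outlier, using makeresults, so it assumes a Splunk version that has that command; the field name latency, the one-minute span, the 1000-row count and the position of the outlier are my own choices. Each search is complete and can be pasted into the search bar on its own:

```spl
| makeresults count=1000
| streamstats count as n
| eval _time = now() - 1000 + n
| eval latency = if(n == 500, 9.8, 1.2)
| timechart span=1m first(latency) as sample

| makeresults count=1000
| streamstats count as n
| eval _time = now() - 1000 + n
| eval latency = if(n == 500, 9.8, 1.2)
| timechart span=1m values(latency) as latency
| mvexpand latency

| makeresults count=1000
| streamstats count as n
| eval _time = now() - 1000 + n
| eval latency = if(n == 500, 9.8, 1.2)
| bin latency span=1
| timechart span=1m count by latency
```

The first search is hexx0's sampling approach: one row per minute, and the 9.8 only survives if it happens to be the first event in its slice, so it is almost certainly invisible. The second is madscient's values-plus-mvexpand trick: values() deduplicates within the slice, so every minute yields one row of 1.2 except the minute containing row 500, which yields two rows (1.2 and 9.8) that the chart draws with equal weight even though the ratio inside that minute is about 59 to 1. The third is the heatmap he argues for: bin the value, count per bucket per minute, and the outlier shows up as a count of 1 next to a count of ~60, which is the honest picture.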