That happened: episode 40

This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: Ducky drops some wisdom, the #splunk buddy system in action, some things never get old,  sharing the Splunk clue:

Interested in Splunk performance as it relates to kernel filesystem caching?

Check out this awesome blog post from resident #splunk genius duckfezhttp://duanewaddle.com/effect-of-kernel-filesystem-caching-on-splunk-performance/

The family that upgrades together…

…might also need a tetanus shot:

<Degann> catalan you upgrade to 6.0.3?
<catalan> yep
<Degann> we can be upgrade buddies, I just finished
<Degann> :)
<catalan> awwww
* catalan cuts her thumb and holds out the knife

Is there nothing regex can’t do?

Almost as good as typing 5318008 into your calculator:

<cerby> I have a really strange question
<cerby> Has anyone had to obfuscate the values in a legend on a chart?
<cerby> IE, I need to take a dynamically create list of series, like: cerby, dagryph, baconesq
<cerby> and make them look like: c–y, d–h, b–e
<cerby> *I* know what those values really are, but if you don’t then those values are worthless to you.
<duckfez> cerby: first thought, custom search command
<duckfez> especially if well hidden in your dashboard so they can’t see the search it is running
<duckfez> quick and dirty is a series of renames … | rename cerby AS c—-y
<duckfez> a custom search command in the right spot could do many of those at once, basically give it configuration of “here is what to NOT munge”, and let it munge the name of every other field
<cerby> duck – I thought about that, but the list of possibilities stretches to about 60 now, and grows every week or so. Need something that’ll figure it out dynamically
<cerby> hmmm
<duckfez> (leaning me toward the custom command)
<cerby> I haven’t played with custom search commands.
<duckfez> so you blacklist the munging of things like host/sourcetype/_time/etc
<duckfez> it is basically a python script called as a filter .. csv-ish data in, csv-ish data out
<cerby> I wonder if I could do something like (paraphrasing here): eval new_name=left(name,1) . “–” . right(name,1)
<cerby> where left/right are functions that grab the number of characters (in this case, 1) from the field
<cerby> i need to see if there is a function like that.
<duckfez> on a dynamic, variable number of fields … difficult
<cerby> well, teh chart is built as … | timechart count by name
<cerby> … | timechart count by new_name
<cerby> ah ha!
<duckfez> hum, that’s possible, catch it before it gets split out into columns
<cerby> ltrim() and rtrim()
<cerby> I think that’s what I need.
<cerby> going to try.
<cerby> worse comes to worse, I burn a bunch of CPU cycles and get nowhere.
<duckfez> nah it has legs
<duckfez> nicely done
<duckfez> !cerby++
<@karr> Karma for cerby is now 12.
<DaGryph> very cool.
<cerby> oh, ltrim/rtrim won’t do it. looks like maybe substr()
<duckfez> cerby: worse to worse | sed field=name “s/^(.).*(.*)$/\1—–\2/”
<duckfez> err | rex mode=sed field=name “s/^(.).*(.*)$/\1—–\2/”
<duckfez> cerby: with an obvious concern that you don’t have name collisions over the reduced space
<cerby> yeah, that’s a concern, but one I can live with.
<cerby> that sed line ….
<cerby> man I really do not know regex as well as I’d like to.
<cerby> either that, or you very subtly just tossed some ascii boobies into the channel 😉
<duckfez> well
<duckfez> it should work, but splunk sed is slightly different from standard unix sed
<cerby> rex mode=sed field=orgid “s/^(.).*(.)$/\1—–\2/”
<cerby> that works nicely.
<cerby> dropped the * in the 2nd set of ().
<cerby> too greedy matches didn’t work, but one does.
<duckfez> I just noticed that bug
<duckfez> so, look at this this way … I just sent you some useful ascii boobies
<cerby> you sure did!

#splunk likes to help!

(Although our methods are sometimes unconventional and may involve time travel):

<Baconesq> This place is pretty helpful to anyone who asks a coherent question.
<Baconesq> And, our standards for “coherent” are pretty low.

<portes> sover: no prob. this is my first time here and already helped somebody. i feel nice. :)

<duckfez> yay, referring to my own Answers post from 2010 to help myself
<halr9000> duckfez: i love that :) I’ve solved my problems with a 5 yr old blog post of mine before :)
<DaGryph> Hahaha
<halr9000> “wow, whoever wrote this link I’m about to click on must be really smart!”
<halr9000> “oh.”
<halr9000> “Yup, he is.”

<automine> is there a word for when you give someone two options, asking them to choose, and they just respond with “yes”?
<lisa`> yes
<automine> lol

<cerby> I do <3 SPLANK.
<cerby> in 80 minutes, I completed some customer support interactive views that the OBI folks said would take them two weeks.
<sedlid> is splAnk 3rd party support?
<cerby> yes and no. 1st party support is here in #splunk, 3rd party support is also here in #splunk
<cerby> 2nd party support is drinking at the bar.
<mlanghor> lol
<sedlid> #splunk is all night 900 party hotline
<cerby> sedlid: mlanghor is 4th party support. he knows everything. Ask him anything.

rachel perkins

Posted by