This week in “That happened: notes from #splunk” a blog about the goings-on in the Splunk IRC channel:
What has Splunk done for you lately?
jspears encourages us to share the love (and shares what he learned):
<jspears> there needs to be a place for public submissions of “Splunk solved this for me today”
<@piebob> jspears: that sounds cool, what did you have in mind?
<wrench_> that does sound cool
<jspears> I don’t know really, I just think I would easily have one a day
<jspears> today I found a performance issue in our syslog infrastructure that was delaying lots of messages by 10 minutes or more
<jspears> thanks to _time and _indextime
<jspears> and that’s why you don’t setup swatch on your syslog archive machine and forget about it for 8 years
No backreference check required
duckfez invites wrench_ to join him at the grownup table with the other rex mode=sed users:
<wrench_> is there a way to use the replace command and capture something from the first string and use it in the replacement string? Example:
<wrench_> | replace “*Chrome/(\d)\.*” with “Chrome$1” in useragent
<wrench_> in perl the $1 would be replaced with the digit captured
<duckfez> wrench_: step up to | rex mode=sed
<duckfez> then you can backreference to your heart’s content
<wrench_> ah cool thanks duckfez
The Meme Is Strong With This One
Excitable dorks on the line:
<duckfez> THIS IS DOG
<@piebob> YES I’LL HOLD
A bargain at twice the price
Drainy adds value, Dutchy provides grist for the Splunk Answers karma machine:
<Drainy> anyone fancy upgoating this -> http://splunk-base.splunk.com/answers/43666/single-value-change-font-size
<@Splunky> Drainy’s URL: “Single Value change font size – Splunk Community”
<Drainy> if you haven’t already 😛 It’s turned into a long list of CSS advice
<Dutchy> reading it
<Dutchy> indeed a bit listy
<Drainy> a bargain at 10 karma points if you ask me
<Dutchy> btw…do you know if everything in appserver\static dir based is just picked up?
<Drainy> no restart is needed
<Drainy> although sometimes you have to clear your cache or force it with CTRL+F5 (browser dependent)
<Dutchy> ah thats why i have missed things…i made a folder within for -org edits
<Dutchy> so have 2 application.css’s
Perhaps not our finest startup message
But at least no one has asked us for an option to remove it, yet:
<jspears> just seen on restart: Splunk> Like an F-18, bro.
<jspears> do what now?
<jspears> omg googled and lol