This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: a videogaming twofer, creative uses of automation for managing up, and an extended discussion of deploying apps with highly specific whitelists ending in a surprisingly simple solution.
Couples counseling in Skyrim:
<@edrabbit> I’ve put off the main quest and am running around with Lydia, Esbern, and Delphine wreaking havoc across the land
<Drainy> edrabbit: haha, ahh I might have to crack it out again
<pie|home> edrabbit: skyrim is like gta for sensitive people
<@edrabbit> I don’t think they meant for me to run around with 3 people. Occasionally Lydia and Delphine start attacking each other. Since neither can die it’s entertaining
<Drainy> I think I had Lydia die on me fairly early on
<Drainy> twas a sad day, tried to drag her off a cliff for a burial at sea but ended up falling to my own death
<@edrabbit> lol
<snowmizer> did you at least take her with you?
<@edrabbit> ever since I told my wife that you can actually marry characters in-game she’s been asking if I married Lydia yet.
<Drainy> snowmizer: aye, at least we were kind of buried together
<snowmizer> destined to spend eternity together…at least until you reverted back to the save before that point
<Drainy> edrabbit: 😀
<Drainy> snowmizer: hah, pretty much. Till “load last save” do we part
<Drainy> the best part of the marriage is she just brings the coin in while you go out and set stuff on fire
<Drainy> if only life was as simple..
<@edrabbit> sounds like my life on occasion.
<@edrabbit> just lacking in dragons
<Drainy> heh, everything is better with dragons
<Drainy> I predict a 50% increase in dragon related fun through 2012-2013
<Drainy> think minecraft is getting/has dragons too
<pie|home> hahaha edrabbit
<pie|home> <3
<@edrabbit> we should have gone with a dragon mascot for Storm
<@amrit|wrk> lol edrabbit
<@edrabbit> every time someone signs up a flame effect goes off in the office*
*When Splunk Storm first launched its Beta, the sound system in the office was rigged to play a thunderclap every time someone signed up. It was awesome, in a distracting kind of way.
But I’d buy a Kinect if it means I get to say “I’m Commander Shepard and this is my favorite store on the Citadel”:
<@Coccyx> http://arstechnica.com/gaming/news/2012/04/bethesda-adding-over-200-kinect-powered-voice-commands-to-xbox-360-skyrim.ars
<@Splunky> Coccyx’s URL: “Bethesda adding over 200 Kinect voice commands to Xbox 360 Skyrim”
<@Coccyx> seriously, who is going to play games that way?
<@Coccyx> i tried it on mass effect, it was dumb
<JPres> SHOOT DADRIC ARROW AT BLOOD DRAGON!
<^Brian^> FUS RAH DO or however it goes
<JPres> it goes: ‘pull R2 and hold’
Cron is good for many things:
<Nerf> I’ve set up a schedule to email my boss (and his boss) every other week about .conf
<pie|home> what does it say, Nerf?
<Nerf> Oh, it’s going to be different each time
<Nerf> This time it just talked about what’s going to be there and mentioned University
<^Brian^> heh
<pie|home> oh so it’s not just a cron job that sends a NERFIE WOULD LIKE TO GO PLZ email
<Nerf> pie|home: Nah. I’m thinking they are going to let me go, it’s just a matter of reminding them
<Nerf> As time gets short I’ll get more shout-y
Nerf cuts through the Gordian knot like a modern-day Connor MacLeod:
<JPres> heh, weird question…
<JPres> is anyone aware of a doc that explains how the whitelist attribute works in inputs.conf (within the monitor stanza)
<JPres> I see examples in other configs where whitelist.0 whitelist.1 etc is used, and I’m wondering if I can use other than numeric values to the right of the ‘.’
<duckfez> in inputs – no
<JPres>
<ftk> JPres: i’ve never used anything but digits
<duckfez> … the (white|black)list.<n> is integer only, and to my knowledge, not supported for monitor://
<duckfez> !spec inputs
<@Splunky> http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf
<JPres> So, here is what I am trying to do. Maybe I’m looking at it from the wrong angle.
<JPres> I have a deployment server set up, and, the way it makes sense, I could end up with dueling apps on a given UF with the same monitor stanza, but differing whitelists
<duckfez> highlander rules are in effect
<JPres> and, I’d like the end result to be that the whitelists are all in effect
<JPres> but, that is not the case today
<ftk> the quickening!
<duckfez> if you have Aapp and Zapp, with the same monitor:// stanza, only one whitelist= will take effect
<JPres> yes
<JPres> so I see.
<duckfez> (and I think it’ll be Aapp’s, but I’m not sure)
<JPres> yes, whichever is first alphanumerically
<JPres> not impossible to overcome in my case
<duckfez> obviously, to stay sane one should only let a single app configure a given monitor stanza
<duckfez> even if it means making small ‘inputs-only’ apps
<JPres> and that’s what I do.
<duckfez> but then you wind up with permutations, which also suck
<JPres> so, for instance, I have one serverclass ‘cap’ or customer access point, and it could contain an imapserver or a popserver, or both.
<duckfez> is there anything inherently bad about always looking for both imap / pop files?
<JPres> or, maybe I want to monitor a certain log file for a short amount of time on a given server type, would be nice to just enable that app for a short time, rather than edit the existing app.
<JPres> duckfez: always looking for imap/pop files on all caps, nothing wrong with it.
<JPres> but on my platform there are background processes that log to the same directory, and I don’t necessarily want to always be indexing those logs.
<JPres> and editing an existing app to do so is just inviting fat fingers to gum up the works. But that’s job security I suppose. heh
<Nerf> You could also be more specific about which apps get sent to which servers
<Nerf> Have a pop app and an imap app and send either/both to the servers you want
<JPres> Nerf: that’s where I’d like to be. But it doesn’t work if they both contain the same monitor stanza in inputs.conf
<Nerf> Make the apps discrete enough and they won’t
<JPres> heh
<Nerf> We have dozens of apps. Many of them with just one monitor entry in inputs.conf
<Nerf> Some more complex, obviously
<JPres> Same here, and I can work around this by modifying my plan for forwarder apps. It actually makes the initial set of apps a bit cleaner.
<JPres> but in the future, if I want to shoot logs for, say, my configuration server to splunk, on all hosts, it’s a bit dirtier of a job than just giving one app to the UF_all serverclass
<JPres> that said, this is still far better than grep/sed/awk over 9TB of logs.
<JPres> on a 1Ghz sparc box
<Nerf> JPres: I don’t see how it’s any harder.
<Nerf> You have some apps that only go certain places and others that go everywhere
<JPres> because to do so, now you have to go edit 19 apps.
<JPres> Nerf: when you have the same monitor stanza across multiple apps, only one whitelist will be in effect….
<JPres> and since I roll logs, like most folks do, I have to monitor the log directory, and whitelist a set of file names.
<Nerf> JPres: But each app has a whitelist of who it goes to
<Nerf> And I’m still not clear why you would have overlapping monitor statements
<JPres> ok, I’ll pastebin it
<JPres> http://pastebin.com/rZ0pYrnG
<@Splunky> JPres’ URL: “$ cat UF_imapserv/default/inputs.conf [monitor:///imail/log/] whitelist = ima – Pastebin.com”
<JPres> If both of those apps are deployed to the same UF, then the resulting interpreted inputs.conf will have what is listed under ‘result’
<Nerf> Why not use [monitor:///imail/log/imapserv.*]
<Nerf> And then the whitelist can be the endings you want
<JPres> brilliant
<JPres> this is why 2 minds are better than 1
<JPres> thanks Nerf
----------------------------------------------------
Thanks!
rachel perkins