This week in “That happened: notes from #splunk”, a blog about the goings-on in the Splunk IRC channel: slow learners, how not to get dizzy when configuring props and transforms, bureaucracy in action, and Good Guy Splunk:
If you build it, they will (eventually) come
(But you might have to disable their ssh access to the production hosts first):
<mlanghor> ahh, the joy in your co-worker coming by with advanced Splunk questions, “how can I use that rex command you talked about a few weeks ago to extract something?”
<troj> mlanghor: I don’t get those kinds of questions
<troj> I get more of the “I want to see just regular old log files, so how do I do that?”
<mlanghor> oh I still get those. of course I still struggle with the “I’ve got ssh access to the host, why would I use that?”
<mlanghor> since management still hasn’t cracked down on user accounts
<troj> In test and prod we have cracked down, so Splunk is all they get to see of their logs
* troj cheers!
<troj> They get over the PlainOldLogFiles attachment when they discover, as I have repeatedly stated to them, that they can search for stuff using Splunk
<troj> And at that point I say nice things to them when I want to say mean things 😉
It might not be pretty but it works
<wrench_> Can someone help me understand the relationship between props.conf and transforms.conf? I’m not sure what the difference is.
<^Brian^> transforms defines things that modify results / events / extractions. Props applies those transforms stanzas to sources / sourcetypes
<wrench_> So you define the source/sourcetype in props.conf and then reference it in a stanza inside transforms.conf to make modifications?
<^Brian^> so, say you set up a transforms stanza. Call it [my_awesome_stanza].
<^Brian^> and in that stanza, let’s say you define some extractions for IIS logs
* puercomal finds multiple layers of redirection delightfully intuitive
<^Brian^> in props.conf, you would set up a stanza like this: [my_awesome_iis_sourcetype]
<^Brian^> and under that you would apply the [my_awesome_stanza] by a line like this: REPORT-myreport = my_awesome_stanza
<wrench_> ^Brian^: ah gotcha — thanks for the example
<puercomal> props — DO_THING-mything = thing_that_is_mine. transforms — thing_that_is_mine “code”… regular expressions, mainly, but could also be a lookup referral as in things_lookup.csv
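The two files ^Brian^ and puercomal describe, written out as an added example (this is not from the chat and not Splunk’s shipped configuration): props.conf binds a sourcetype to named transforms stanzas, and transforms.conf holds the regular expression or lookup each stanza performs. The sourcetype and stanza names are the ones used above; the IIS field layout, the lookup file and its columns are assumptions.

```ini
# props.conf  (added example; the stanza name must match the sourcetype of the incoming data)
[my_awesome_iis_sourcetype]
# REPORT-<class> applies a transforms.conf stanza as a search-time field extraction.
# Nothing is re-indexed; the regex runs when a search reads the events.
REPORT-myreport = my_awesome_stanza
# LOOKUP-<class> enriches events from a CSV: match on cs_uri_stem, add an "owner" field.
# The lookup definition name and its columns are assumed for this example.
LOOKUP-things = things_lookup cs_uri_stem OUTPUT owner

# transforms.conf  (added example)
[my_awesome_stanza]
# Named capture groups become field names. The field order assumes the common
# W3C IIS layout "date time s-ip cs-method cs-uri-stem ..."; adjust to your #Fields header.
REGEX = ^(?<date>\S+)\s+(?<time>\S+)\s+(?<s_ip>\S+)\s+(?<cs_method>[A-Z]+)\s+(?<cs_uri_stem>\S+)

[things_lookup]
# CSV placed in the app's lookups/ directory (assumed file name; assumed header: cs_uri_stem,owner)
filename = things_lookup.csv
```

The props stanza only fires for events whose sourcetype is exactly my_awesome_iis_sourcetype, so after saving both files (and restarting or reloading the search head) the check is to search a handful of those events and confirm cs_uri_stem and owner show up as fields; `splunk btool props list my_awesome_iis_sourcetype --debug` shows which file each setting actually came from when several apps define the same sourcetype.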
Hassling your boss makes the world go ’round (check that .conf link for ways to justify a trip to Splunk’s Worldwide User Conference):
* troj makes progress on .conf request
<troj> Supervisor says OK, 665 layers of bureaucracy to go!
Splunk sees if you’ve been bad or good
But your coworkers don’t have to:
<Nerf> Sooo, if I see “Sending email” in python.log does that mean that it was successfully sent? I just want to make sure there weren’t any local errors before I start bugging the email admins
<Nerf> NEVERMIND! NOTHING TO SEE HERE! IT CERTAINLY WASN’T A FAT-FINGERED EMAIL ADDRESS!
<^Brian^> Nerf: i had that issue earlier
<Nerf> On the plus side I was able to snoop the logs via Splunk without bothering the email admins 😀
<^Brian^> Nerf: i set up my new indexer, was trying to get it to register as a slave of the license master.
<^Brian^> It kept failing and I’m like wtf..i fire off an email to our network admins saying I need these ports opened between our Springfield and Wilmington data centers
<^Brian^> they said it’s already done..so i’m looking at what I’m typing, can’t see anything wrong..then it dawned on me..i wasn’t pointing to the license master
<Nerf> Yeah, I was bringing up a new indexer and at one point was trying to figure out why I couldn’t reach it. I had switched ports 8089 and 9997 and who need to get there