SplunkTalk – #62 – Going off the Rails

Today’s SplunkTalk is a chat about a few recent experiences with folks we’ve been helping. First up, SplunkNinja was working with someone who had a production Rails app. This user had some challenges getting a universal forwarder to work, as they weren’t aware that the Splunk Command Line Interface (CLI) is a great way to make changes to the forwarder without monkeying around with config files such as “outputs.conf”. “splunk add forward-server” and “splunk list forward-server” are two of my favorites. Fast, easy, reliable. Next up, adding data. Editing inputs.conf? Bah Humbug! Use “splunk add monitor (file/directory)”. No restarts needed! But sometimes how and where Splunk stores user-created objects (inputs, searches, fields) is unclear–we cover that in this week’s chat as well. Maverick spawns a discussion on “files that look the same in the first few lines”, some challenges, how to see what Splunk is doing while it’s eating, and a bit of a reveal on how Splunk works. Did you know there was a “Splunk for Ruby on Rails” created with the help of John Berry (Lumos Labs) and Simeon Yep (Splunk)? Some other new apps appear on Splunk Base as well (SiteScope Health, RSA SecureID, Splunk Mobile). Big shout out to SplunkTalk listener William Che at ABC!

Episodes are recorded live every Friday at 11AM Central Time – Email us at to ask questions and have them answered on air!

Posted by Michael Wilde