SplunkTalk show

SplunkTalk

Summary: Splunk Talk is a weekly show where we answer questions sent in by listeners and collected from various forums. Visit Splunk.TV to subscribe! To be a part of the show and submit a question, please email splunktalk@splunk.com. SplunkTalk is hosted by Michael Wilde (Splunk Ninja) and Hal Rottenberg.

Podcasts:

 SplunkTalk - #70 - New, Improved & Back for the Attack! | File Type: audio/mpeg | Duration: 48:08


 SplunkTalk - #69 - The Walking Dead | File Type: audio/mpeg | Duration: 35:18

Ok... we're officially never again going to say "we're back". Except for right now. We're back. At Splunk's 2013 User Conference, (a.k.a. ".conf"--get it... dot conf.. our configuration files :P ) a number of listeners came up to us and said "Yo... when's the podcast coming back?!?!?!?" To that we replied, "well, how about now". So without further ado, I, Michael Wilde, your faithful Splunk Ninja would like to introduce an amazing new co-host of SplunkTalk, Hal Rottenberg. (That's long o in Rottenberg, as in O my gosh he's great). This episode of SplunkTalk returns with an overview of our favorite features in the newly released "Splunk 6.0", and a question about a Splunk 6.0 search head on a 5.0 indexer infrastructure and how to do it. Also, Wilde proves his naiveté in the "What did we learn this week" segment. Enjoy and we're glad to be.. uh, well, we can't say "back".. how about.. we're glad to be here! Episodes are recorded live every Thursday at 10am Central Time - Email us at splunktalk@splunk.com for feedback or suggestions and to have your questions answered on air, ask them on Splunk Answers and add the tag "splunktalk".

 SplunkTalk - #68 - Trick or Treat, Splunk 5.0 is Complete! | File Type: audio/mpeg | Duration: 36:29

SplunkTalk is back for its third season. Our apologies for the latency between episodes, but we're trying to fix that. For season three we've got some new segments for our listeners (including stuff for brand new Splunk users) and a new host, Support Manager and Zombie Defense Force General, Corey McClure. This week's episode highlights a few of our favorite features of Splunk 5.0. Wilde covers Clustering/Index Replication, Maverick chats about Report Acceleration (a.k.a - automatic summary indexing), and Corey gives us some detail around the "bunny rabbit button" in the UI. A new segment debuts this week for "new splunk users". Some of you more seasoned Splunk users might *not* know about the hotkeys and mouse clicks you can use in the Splunk Search UI, but for the new users this will help speed up your searching. Wilde is in LOVE with DeployButton.com as he's been learning Python and building some lookups. DeployButton and GitHub make it really easy to push code and configs from your desktop to a server. Awesome! Episodes are recorded live every Friday at 11AM Central Time - Email us at splunktalk@splunk.com to ask questions and have them answered on air!

 SplunkTalk - #67 - Will they ever return? ;) | File Type: audio/mpeg | Duration: 29:48

Maverick? Splunk Ninja? Where are you guys? Is this the end of SplunkTalk? Rest assured fine feathered listeners, it is not. This is really the end of what feels like the second season of SplunkTalk. After Splunk's User Conference 2012 (Sept 10-12 in Las Vegas at the Cosmopolitan), we'll be starting a new season with an enhanced format, some more personalities and a whole lot more Splunkin! On this episode, Maverick and Wilde talk about some interesting things they've learned lately. Maverick presents an interesting challenge with using the "Transaction" search command with Windows Security Event Logs and the way fields appear. Wilde discovers that even though you might be awesome at regex for making fields, there are some times you just can't actually find your field--and we'll show you how to overcome that. A few more nerdy tidbits and the usual silliness. SplunkTalk, comin back in October 2012 - Season 3. Tell your friends. Tell us what you'd like to hear about as well!! Episodes are recorded live every Friday at 11AM Central Time - Email us at splunktalk@splunk.com to ask questions and have them answered on air!

 SplunkTalk - #66 - Baby New Year brings us Splunk 4.3 | File Type: audio/mpeg | Duration: 45:16

The lost episodes have been found! This episode was recorded in January 2012 and it's a fun, healthy conversation by Michael Wilde, Splunk Ninja and Eric "Maverick" Garner. Some of y'all aren't on the cutting edge, upgrading your whole production environment every 15 seconds Splunk releases new code--If you are.. rock on!--If not, then this episode will give you a great overview of some of the cool features in Splunk 4.3. Even if you are using Splunk 4.3 there's a chance you don't know about a lot of the cool new features in there. Give it a listen and check out. We're gettin the backlog of episodes out and new ones comin up right around the corner. Episodes are recorded live every Friday at 11AM Central Time - Email us at splunktalk@splunk.com.

 SplunkTalk - #65 - Don't overfeed the animal | File Type: audio/mpeg | Duration: 26:28

As we say, "Splunk Eats Everything", but can you overfeed it? Yep. Splunk Ninja was working with a user recently who was noticing the "splunkd" process was crashing on Windows. Upon further inspection, this user "ate his whole C:\ drive". OMG WTF BBQ? We figure out how that happened on the show this week, and also talk about the sweetest diagnosis app for Splunk built by our support team called "S.o.S" or "Splunk on Splunk". Hop over to the App Catalog up on SplunkBase and download it. S.o.S is very helpful! Maverick discovered some interesting challenges with configuration needs for his forwarders. Wilde is a HUGE fan of the iOS/Android app called "Voxer", check that out as well. Add him as a friend on Voxer and use it to send in questions! Episodes are recorded live every Friday at 11AM Central Time - Email us at splunktalk@splunk.com to ask questions and have them answered on air!

 SplunkTalk - #64 - The Next Action | File Type: audio/mpeg | Duration: 30:29

Today's episode brings Maverick and Wilde one main question: What's the next action? Serious! If you have ever wondered what people do right after they do what they do.. wait, that didn't make sense. In mobile apps that might use several APIs a user might search, friend, like, lookup, map, etc. Developers may need to know what the most popular "next action" is. We're gonna describe how that's done along with a few other cool topics and some of our favorite search commands like "streamstats" and "eventstats". Episodes are recorded live every Friday at 11AM Central Time - Email us at splunktalk@splunk.com to ask questions and have them answered on air!

 SplunkTalk - #63 - Strange things happen after midnight | File Type: audio/mpeg | Duration: 25:27

Yes yes yes… I know, it's been a while--not because we've been silent, but we've been super busy and low on editing time. I've got a pile of them I'm about to release week by week so we're all caught up. This episode, aptly titled "Strange things happen after midnight" has been waiting to get out of the gate. It's been saying "Wilde! Edit me". So I have. Pay attention to your clocks my friend! Splunk Ninja answers a question (and helps diagnose) an issue where realtime search "seemed to not be working" when the real culprit was a forwarder whose time was ahead of the indexer--and thus, realtime isn't the "future". Well, it will be event-ually :). Maverick gives us some insight on the best ways to share what's in your Splunk server with other users in your company. Taking a cue from Gregg Woodcock, Splunk customer at MetroPCS--who presented at SplunkLive--we've got some great tips worth sharing.. about sharing! Splunk Ninja and the crew will be at Interop this year Wooo-hoo, in Las Vegas and NYC as a part of the Interop NOC (a.k.a nerd camp). Finally Maverick reveals what strange things happen right after midnight in Splunk (during an extremely rare situation). Note: Check out our Developer Portal and send your vendors or developers over to the Logging section so they can learn how to better design log output so you can use it better! Episodes are recorded live every Friday at 11AM Central Time - Email us at splunktalk@splunk.com to ask questions and have them answered on air!

 SplunkTalk - #62 - Going off the Rails | File Type: audio/mpeg | Duration: 24:24

Today's SplunkTalk is a chat about a few recent experiences with folks we've been helping. First up, I was working with someone who had a production Rails app and had some challenges getting a universal forwarder to work. They weren't aware that the Splunk Command Line Interface (CLI) is a great way to make changes to the forwarder without monkeying around with config files such as "outputs.conf". "splunk add forward-server" and "splunk list forward-server" are two of my favorites. Fast, easy, reliable. Next up, adding data. Editing inputs.conf? Bah Humbug! Use "splunk add monitor (file/directory)". No restarts needed! But sometimes how and where Splunk stores user created objects (inputs, searches, fields) is unclear--we cover that in this week's chat as well. Maverick spawns a discussion on "files that look the same in the first few lines", some challenges, how to see what Splunk is doing while it's eating, and a bit of a reveal on how Splunk works. Did you know there was a "Splunk for Ruby on Rails" created with the help of John Berry (Lumos Labs) and Simeon Yep (Splunk)? Some other new apps appear on Splunk Base as well (SiteScope Health, RSA SecureID, Splunk Mobile). Big shout out to SplunkTalk listener William Che at ABC! Episodes are recorded live every Friday at 11AM Central Time - Email us at splunktalk@splunk.com to ask questions and have them answered on air!

 SplunkTalk - #61 - Game, Set, Match | File Type: audio/mpeg | Duration: 28:37

So there are 80+ search commands. Every so often we run across one we've never used. This week, "we" is Wilde. Maverick holds a CLINIC on the "set" search command. Not so fast, listener/reader--we're not talking about setting a variable or field (which you can do with "eval"). This is more about working with two "sets" of results and looking for differences, union, intersection to use them to make some interesting decisions about your data. Rumor has it there's a "Splunk Book" being written. Wilde is gaga about Splunk 4.3 (coming soon!). Maverick hosted the inaugural Dallas Splunk Users Group. One user has 32 indexers. Yeah. THIRTY TWO INDEXERS. Like a boss! Episodes are recorded live every Friday at 11AM Central Time - Email us at splunktalk@splunk.com to ask questions and have them answered on air!

 SplunkTalk - #60 - Diamonds in the rough | File Type: audio/mpeg | Duration: 29:02

When you hit sixty, isn't that time for a mid-life crisis? Perhaps, but not this crew. We've been SplunkTalk'in for sixty episodes now. One might say it's our "diamond anniversary". Why not. This week we've got a few questions for ya and some learning even mid-episode. Splunk Ninja answers a question that new users might have around re-enabling the web interface on a "light or heavy" forwarder. Maverick answers a really neat question around reporting on top 5 daily java exceptions and how to dynamically generate dashboard panels--and Wilde learns about the "accum" search command in the context of Mav's answer. In the "What did we learn this week" segment, Ninja discusses a bit about the forthcoming MySQL lookup plugin to make massive lookup tables more scalable than CSVs in the context of an interesting use case. You'll just have to press play! Episodes are recorded live every Friday at 11AM Central Time - Email us at splunktalk@splunk.com to ask questions and have them answered on air!

 SplunkTalk - #59 - Schooled by the n00b | File Type: audio/mpeg | Duration: 30:23

Greetings friends! It's time for another cozy chat with (maybe) your favorite nerds, Maverick Garner and Michael Wilde, the Splunk Ninja. On this week's episode we have a chat about using Splunk's Deployment Monitor app to take a gander at nodes not reporting in when you hope them to be. Setting up alerts might be the answer--perhaps? Maverick answers a question on access control based on information in a lookup (which may not be totally possible) but the discussion is interesting. The real fun part about this episode is in the title "Schooled by the n00b". One of our favorite Splunkers, supern00b Jesse Miller, schools us by teaching Wilde a little thing about field extraction. Jesse's not really a n00b anymore--after all he's been at Splunk for 7 months and rocks!!!! Simon Shelston wrote a sweet blog post about how to detect anonymous proxies hitting your servers. We highly recommend you check this out as the technique is quite good! We're looking for feedback on how to make the Splunk community much better. Feedback please!

 SplunkTalk - #58 - Back in the saddle! | File Type: audio/mpeg | Duration: 31:54

Greetings to all fine feathered SplunkTalk listeners. Maverick and SplunkNinja are back in the saddle again. A few vacations, user conference, travel and other stuff has kept us from releasing some episodes--but that's all in the past now. Episode 58 returns to our traditional Q&A format. On the docket for this episode is a discussion around disk sizing, I/O (IOPS), disk performance and some recommendations on storage. Wilde asks Maverick a question on High CPU usage on Splunk startup due to massive file monitoring and some recommendations on dealing with that challenge. In our "what did we learn this week" segment, Wilde learned about a really cool OS X app called "FlashFrozen" that monitors the Flash process and warns/kills when it gets over 30% CPU usage--a.k.a (CPU Low Power Mode). All sorts of nerdy Splunky stuff including outputlookup, xpath, xmlunescape and the usual ridiculousness is back on schedule! Episodes are recorded live every Friday at 11AM Central Time - Email us at splunktalk@splunk.com to ask questions and have them answered on air!

 SplunkTalk - #57 - User Conference 2011 - Day 2 - Sending out an S.o.S | File Type: audio/mpeg | Duration: 18:39

From a series of live on camera interviews at Splunk's User Conference 2011 comes an interview with two epic Support Splunkers, Octavio DiScuillo and Mick Shanaghy. Always a hoot, Mick and Octavio give us a great overview on the Splunk on Splunk or "S.o.S" app available on SplunkBase.com right now. S.o.S is an app that our support team built to help diagnose issues in your Splunk deployment. Now, you get to have that very tool. I love it! Episodes are recorded live every Friday at 11AM Central Time - Email us at splunktalk@splunk.com to ask questions and have them answered on air!

 SplunkTalk - #56 - User Conference 2011 - Day 2 - The Blake and Sparky Show | File Type: audio/mpeg | Duration: 22:17

From a series of live on camera interviews at Splunk's User Conference 2011 comes an interview with founding SplunkTalk personality Jeff Blake and his buddy Sparky from Splunk Partner Forsythe. With the original three (Wilde, Maverick & Blake) and anyone named Sparky, it is guaranteed to be an awesome time. Episodes are recorded live every Friday at 11AM Central Time - Email us at splunktalk@splunk.com to ask questions and have them answered on air!
