splunk

I don't work at Splunk anymore, but I still do some freelance consulting, and so I thought I would share one of my old side projects, Trunk.

I am providing a couple of Github repos so that you can create and run your own Splunk instance with Trunk preconfigured to index Trello webhooks in your own AWS account. When the container starts, it subscribes to open Trello boards that are accessible with the Trello credential you provide.

The Trunk app, which provides status report dashboards.

I needed to list the lookup tables and their sizes using Splunk Web. Here's a query to do just that!

| rest splunk_server=local /services/data/lookup-table-files/
| rename eai:acl.app as app 
| table app title 
| search NOT title IN (*.kmz) 
| map maxsearches=990 search="| inputlookup $title$ 
| eval size=0
| foreach * [ eval size=size+coalesce(len('<<FIELD>>'),0), app=\"$app$\", title=$title$ | fields app title size]" 
| stats sum(size) by app title
| sort - sum(size)

The Splunk foreach SPL command is pretty useful for building powerful queries. Here are some examples that I've created as a reference for how to use this powerful command.

Suppose that you have a Splunk query that returns a result set with some duplicate fields. Would you like to remove the duplicate fields so that you can quickly identify the differenes between each result? Here's a macro to do it!

If you have a Splunk query that returns empty fields, you can use this query to programatically remove these blanks.

As I've worked on many large-scale Splunk environments, a common problem I've noticed is that Splunk forwarders phone home to the deployment server (DS) too frequently. When a forwarder phones home to the DS more often than necessary, it wastes resources on the DS, and can prevent the DS from deploying apps to forwarders correctly.

As a Splunk administrator, have you ever needed to list out your saved searches in some way? Perhaps you need to know which searches might be accelerated, scheduled, or even real-time scheduled? Here's a quick dashboard to show this information.

The dashboard is available in this GitHub repo.

When you're working with the stats command, it's often nice to rename the fields to drop the aggregatation type:

| makeresults count=3 
| streamstats count 
| eval foo="bar" 
| stats latest(foo) as foo latest(count) as count

This gets annoying because of all the extra typing involved, and it violates the DRY principal.

Instead, try this next time:

When you create an extraction in props.conf (a search-time field), you specify the name of the new field through a named capture group in the regular expression. For example:

EXTRACT-foo =  (?P<foo>\w+)

This configuration will create a field "foo" with a value of the first word found in the _raw field. You can also specify a field besides _raw in your extraction:

EXTRACT-foo =  (?P<foo>\w+) in host

This is a simple request, but the official docs are out of date.

1. Create a file: $SPLUNK_HOME/etc/apps/search/local/ui-prefs.conf
2. Create a search stanza like this:
   
   [search]
   dispatch.earliest_time = -7d@d
   dispatch.latest_time = now

Restart Splunk and you're good to go!