Blogs: Developers

Here are the most recent developer blog postings.

Syslog, Syslog-ng, and Splunk Forwarders

I often get asked which is better for log management: Syslog, Syslog-ng or Splunk Forwarders... The answer is nearly always the same. "What are you currently running in your infrastructure? Do you have a log archive? What are you comfortable configuring?" Most, if not all, systems come with syslog built in. Setting Splunk up to handle syslog inputs is trivial. If you only deal with single line events then syslog is fine. You would just configure Splunk to use the Monitor input and point it to the target directory that you are storing your syslog log files in. Often this is /var/log or /var/adm… Read More »

Posted by: Mark Cohen on Nov 13, 2008

inputcsv to restrict a search by a list of field values

A customer asked about a complicated search that could be vastly simplified by using inputcsv to input a list of values from a file, a feature added for 3.3.x. It's documented as an internal search command here: http://www.splunk.com/doc/latest/user/UnsupportedCommands#inputcsv We are talking about promoting it to public, so while it says unsupported it does work. Here's how: I've got events from my webserver for my new domain and I want to see what real hits it's getting and not my own. They look like this: 66.249.70.86 - - [23/Oct/2008:01:42:21 -0700] "GET /category/admin/ HTTP/1.1"… Read More »

Posted by: Andrea Longo on Oct 24, 2008

Enabling debug messages

Splunk spits out an astounding number of its own internal log messages, some I've already described. This post is how to get more of them, in case you have spare disk space lying around and need something to fill it with. Or you have some problem with Splunk and need debug logs. Sometimes Support will ask for this to diagnose an issue. splunkd log messages go in the file splunkd.log. (Note that if you move the existing file out of the way, a fresh one is created on startup if you want to work with only the messages from the current run.) They are controlled by the log.cfg file located in… Read More »

Posted by: Andrea Longo on Sep 22, 2008

3D Photosynth of New Splunk Office

I made a photosynth of the new Splunk office in SF, which automatically linked 104 photos in 3D space. It mostly worked. Hit the "play" button, sit back, and have a tour of the Splunk office. Click the button with 3 dots on it to jump to the next 3D space… Read More »

Posted by: David Carasso on Sep 9, 2008

Index ICU: Assertion `_sourceMetaData != __null' failed, part 1

There you were, merrily going along and Boom! Somebody kicks the power switch, your filesystem goes off the deep end, something Very Bad happens. You start to understand why fsck is a four-letter word. After using some additional four-words, you get things up and running. But what's with Splunk? It won't start!? You only get some cryptic error and "Splunkd appears too be down." Welcome to the world of WordData. You had a backup, right? Yeah, thought so. Buried deep in the index are a bunch of *.data files: www.feorlen.org[feorlen]:/Applications/splunk/var/lib/splunk/defaultdb/db$ ls -lr… Read More »

Posted by: Andrea Longo on Sep 3, 2008

first!

hello world!… Read More »

Posted by: Karandeep Bains on Aug 31, 2008
