There has been a lot of talk about the Splunk Platform of late, but what exactly does it mean when we say we have a platform? I figured this would be an interesting question to spring upon unsuspecting members of the development team, and here’s what they (and I) had for our answers:

Browsing over on Wikipedia, one excerpt states that “a platform describes some sort of hardware architecture or software framework”, and the description for a software framework, says it “may include support programs, code libraries, a scripting language, or other software to help develop and glue together the different components of a software project”.

I have a Google alert set up to email me news of the extraordinary concerning Splunk. Most of them are press releases by either us or our agency, which are all well and fine (this is how most companies seed stories anyway), but one caught my eye this morning by Charlie Schluting over on Enterprise Networking Planet.

Two things struck me interesting about Charlie’s post.

First, he noticed the changes in the UI we’ve been slowly making over the last few releases. If you’ve ever done UI design, you know how much sweat goes into every little detail, and how much momentum a design carries over time. That someone noticed the new changes *and* liked them is a HUGE win for the UI team. It’s even better how fast someone noticed!

Second, he actually spends quite a bit of time explaining the security workaround in the free product - one that I covered earlier, coincidently enough. I figure if someone goes to the time and trouble to figure out how they can keep using the product in a secure, legitimate way, then they must really, really like it. You simply can’t argue with an evangelist like this.

If anyone here is a gem, it’s Charlie.

With the new release of Splunk Preview out, I’ve run into a problem keeping the different versions straight on my laptop. I have the free version, the Preview, the official release, and a version of current running - often times simultaneously. It’s getting messy.

What you really want to do is refer to them with different subdomain names, where something like http://splunkpreview.mydomain.com/ would bring up Splunk without having to remember the port number.

If you are running Apache, (like I am on Leopard) you get a reverse proxy server for free. With just a few lines of configuration, you can alias subdomains (or domains for that matter) to your heart’s content.

You also get the ability of putting content behind some basic authentication provided via Apache’s HTTP auth methods. This comes in handy if you’d like to link to your Splunk install from a publicly facing page, but don’t want people to know what type of content is behind the authentication. It also works for limiting access to a particular IP address group or domain.

I’ve put together a screencast covering how to do this from OS X’s version of Apache. Click on the thumbnail below to play the screencast.

Ruby on Rails is a popular programming framework for quickly creating web applications. It provides its own web server for development testing, and ships with OSX, which means the tools are now widely available to a broad group of programmers/coders/hackers. Coupled with the fact that most Rails developers use either Linux or OSX, and Splunk runs great on both of those platforms, it seemed obvious that we should come up with some sort of solution for mashing the two together.

I mentioned this in passing to one Sean Dick who is a developer friend of mine in Oklahoma City. What follows is a nearly identical post to the one he made over at his self-named blogpost on Blogger on how to get Rails to integrate with Splunk. “There’s plenty left to do.”, he said, but I’m convinced it’s worthy of mentioning here. Thanks for hammering this out Sean!

Serious Material from Sean Begins Here

As per the norm, this post assumes you’ve downloaded Splunk for your particular platform. It also requires a newer install of Ruby on Rails. Come back when you’ve completed both these tasks.

Get Splunk started now:

> sudo export SPLUNK_HOME=/opt/splunk/
> sudo ./opt/splunk/bin/splunk start


You need to drop the Splunk on Rails plugin into your Rails app’s lib folder and then call it with require ’splunkbase’ Note: If you’re running Splunk remote or on a non-standard port, don’t forget to change the SERVER variable in the plugin file!

Now let’s say you want to make sure your rails application is running bug-free, and when one does pop up, you need to know it pronto. You’ll create a new controller into which we’re going to put some splunk goodies. I named mine SplunkController, but you can be more creative.

[source:ruby]
class SplunkController < ApplicationController
require 'splunkbase'
@@foo = SplunkBase.new
def index
end
def reports
@document =" @@foo.splunkSearch('q' => params[:query])
end
end
[/source]

This is really nothing more than making available the response

Mark Cohen posted a while back about enabling syslog on the iPhone for the sole purpose of logging to a Splunk instance on your laptop. This hack is a follow up to that post, and extends it slightly to include logging of the pages browsed by Safari on the phone. WARNING: If you brick your phone, you can still use it as an ergonomic pot-scraper. Splunk won’t be responsible for you going off and getting your $600 $400 piece of joy stuffed, but we’ll be happy to log the event.

Let’s get dirty. Go into settings..general..auto-lock and set locking to ‘never’. This will keep the phone on while you hack around on it. Keeping the phone on and connected to the network will drain your battery like nobody’s business, so make sure you plug in the charging cable.

Now install AppTap. Follow the instructions, and come back here when you are all done.

Using the AppTap installer on the phone, install the Community Sources, BSD Subsystem, Term-vt100, OpenSSH, Tinyproxy, and UIctl apps, in that order. UIctl will let you stop and start sshd on the phone. Launch it now to see if sshd is running. Click on the ‘load’ button if it’s not.

Ping your phone from your computer with its IP address. You can use the terminal on the phone to grab the IP address:


# ifconfig en0
en0: flags=8863 mtu 1500
inet 10.0.1.194 netmask 0xffffff00 broadcast 10.0.1.255
ether 00:1c:b3:f0:0b:a6
#


Ssh to the phone from your terminal. The default root password is ‘dottie’.


foobar:~ kord$ ssh root@10.0.1.194
root@10.0.1.194's password:
Last login: Wed Oct 10 13:45:22 2007 from 10.0.1.191
# hostname
Kord's iPhone
#


Now add a syslog.conf file to /etc/:


bash-3.2# echo "*.* @10.0.1.191" > /etc/syslog.conf
bash-3.2# cat /etc/syslog.conf
*.* @10.0.1.191


Obviously, you’ll want to use the IP address of the machine

This is an easy-to-follow tutorial for charting battery usage on your Mac laptop with a small shell script and Splunk. Watching your battery charge is as exciting as watching paint dry, but analyzing it over time is pretty interesting. You may discover a few things about the software you run - like it eats your battery’s amps for desert.

A friend of mine, Sean Dick, showed me a version of this idea using Splunk on Linux and a program called ‘apci’. As I’m a Mac fanboy of sorts, I dug up a shell script for the Mac that will print out a single logfile-like line containing laptop battery information, including amp draw, amp-hours left, and more. It’s aptly named ‘battery’, and you can download it here.

I suggest you put battery in a directory under your home directory, say something called ’scripts’. Head into ‘terminal’ to start the dirty work.

Here’s an example output line from ‘battery short’:

G4:~ kord$ ./scripts/battery short
2007-10-07 18:34:27 1 _________i__ 11.232V -1.454A 2.788Ah of 4.720Ah (59.1%) of 4.400Ah (107.3%) 13 cycles

The line of underscores with an ‘i’ in it are the battery flags set. ‘i’ means my battery is installed. Duh. Other flags include whether the lid is closed, the battery is on fire, or it’s just on the charger. See the battery.rtf file for more information on the flags. I have a G4 laptop, but just got my battery replaced for free! Only 13 cycles on it so far!

Splunk eats logfiles, so you’ll need to get a logfile rolling on your battery output. I’m going to assume you know how to use vi (text editor) do the rest of this work.

You’ll need to set up a cronjob to create the logfile and continue logging to it every so often. Switch to

Rob Das gives us the skinny on Splunkd’s use of various pipelines and processors. This is the first pass at Splunk’s tech talks, so the screen caps of the terminal are a little blurry on the smaller versions. We’ll be re-filming this particular piece again this week, except this time the beer guy is going to do it.

More video formats are available from Splunk’s Tech Talks section.