fighting the lack of good ideas
The Splunk command fieldsummary is amazing – I use it quite frequently to explore more “new” (to me) sourcetypes, and to find out about more fields than I’ve previously used in the sourcetypes I work with most. But sometimes you want to be able to delineate more granularly than fieldsummary will allow. Maybe you have…
A couple weeks ago some folks in the splunk-usergroups.slack helped me using accum and calculating with a modulus to make a grid menu from a list. My original search had been along the lines of: | inputlookup mylookup| stats count by type| fields – count| transpose| fields – column Which was great … until my list grew…
Data Models are one of the major underpinnings of Splunk’s power and flexibility. They’re the only way to benefit from the powerful pivot command, for example. They underlie Splunk Enterprise Security (probably the biggest “non-core” use of Splunk amongst all their customers). Key to achieving peak performance from Splunk Data Models, though, is that they…
continue “a poor user’s guide to accelerating data models in splunk” »
Had a Splunk use-case present itself today on needing to determine if the value of a field was found in another – specifically, it’s about deciding if a lookup table’s category name for a network endpoint is “the same” as the dest_category assigned by a Forescout CounterACT appliance. We have “customer validated” (and we all…
I recently had cause to do an extensive trellised timechart for a dashboard at $CUSTOMER in Splunk. They have a couple hundred locations reporting networked devices. I needed to report on how many devices they’ve reported every day over the last 90 days (I would have liked to go back further…but retention is only 90…
continue “how-to timechart [possibly] better than timechart in splunk” »
I had a decent library of documentation, templates, hand-offs, slide decks, etc in my pre-Splunk consulting life (technically, I still have them). It’s nice to be finally getting a decent collection to draw from for my customers in my post-automation consulting life.
Had a customer recently ask about to disaggregate a Splunk search that had aggregated fields because they export to CSV horribly. Here’s the thing. You can’t disaggregate aggregated fields. And there’s a Good Reasonâ„¢, too: aggregation, by definition, is a one-way street. You can’t un-average something. Average is an aggregation function. So why would you…