splunk – Warren Myers' Merikebi

finally starting to get some good docs amassed

Posted on 28 July 2018by merikebiCategories:technical, work

I had a decent library of documentation, templates, hand-offs, slide decks, etc in my pre-Splunk consulting life (technically, I still have them). It’s nice to be finally getting a decent collection to draw from for my customers in my post-automation consulting life.

you can’t disaggregate

Posted on 26 July 2018by merikebiCategories:insights, technical

Had a customer recently ask about to disaggregate a {{Splunk}} search that had aggregated fields because they export to CSV horribly. Here’s the thing. You can’t disaggregate aggregated fields. And there’s a Good Reason™, too: aggregation, by definition, is a one-way street. You can’t un-average something. Average is an aggregation function. So why would you …
Continue reading you can’t disaggregate

stats values vs stats list in splunk

Posted on 24 July 2018by merikebiCategories:technical

{{Splunk}}’s | stats functions are incredibly useful and powerful. There are two, list and values that look identical…at first blush. But they are subtly different. Here’s how they’re not the same. values is an aggregating, uniquifying function. list is an aggregating, not uniquifying function. “Whahhuh?!” I hear you ask. Here’s a prime example – say …
Continue reading stats values vs stats list in splunk

don’t use symlinks unless you know you can

Posted on 26 April 2018by merikebiCategories:technical

I first ran into this on Solaris in the context of [then] Opsware SAS (then HP SA, now owned by Microfocus). Bind mounts might be OK … so unless the tarball has symlinks included, don’t use them – they get traversed differently than “real” directories. In short, when directory traversals are done, sometimes it looks …
Continue reading don’t use symlinks unless you *know* you can

more thoughts on `|stats` vs `|dedup` in splunk

Posted on 8 March 2018by merikebiCategories:insights, technical

Yesterday I wrote-up a neat little find in {{Splunk}} wherein running stats count by … is substantially faster than running dedup …. After some further reflection over dinner, I figured out the major portion of why this is – and I feel a little dumb for not having thought of it before. (A coworker added some …
Continue reading more thoughts on `|stats` vs `|dedup` in splunk

splunk oddity #17681 – stats vs table

Posted on 7 March 2018by merikebiCategories:hmmm, technical

It’s fairly common to want to table the data you’ve found in a search in {{Splunk}} – heck, if you’re not prettying the data up somewhy, why are you bothering with the tool? But I digress. There are two (at least) ways of making a table – you can use the |table <field(s)> syntax, or …
Continue reading splunk oddity #17681 – stats vs table