Splunk Search Results: JSON to HTML Table Conversion in PowerShell
Splunk search results can be exported from the UI as CSV, JSON, and XML, but not as HTML. This article presents a PowerShell script that converts exported search results from JSON into an HTML table for use with documentation, blogs, etc.

Splunking the Aspect Ratio Distribution of National Flags
When I tried to align the Union Jack and the flag of Germany on a presentation slide I noticed that I couldn’t – their aspect ratios are different. A quick search led me to this list of aspect ratios of national flags on Wikipedia. Apparently, national flags are far from standardized. A broad range of […]

Troubleshooting Splunk Error “Search Process Did Not Exit Cleanly”
When Splunk displays an orange warning triangle instead of a chart or table it is time to investigate. Start by clicking the triangle to bring up a dialog with the error message. In my case that looked like this: Finding the Root Cause In many cases, the best resource for troubleshooting Splunk searches is Search […]

Splunk Accelerated Data Models – Part 3
This article is based on my Splunk .conf 2015 session and is the second in a mini-series on Splunk data model acceleration. Make sure to read parts 1 and 2 first. Searching Accelerated Data Models Which Searches are Accelerated? The high-performance analytics store (HPAS) is used only with Pivot (UI and the pivot command) and […]

Splunk Accelerated Data Models – Part 2
This article is based on my Splunk .conf 2015 session and is the second in a mini-series on Splunk data model acceleration. Make sure to read part 1 first. Under the Hood HPAS Population The high-performance analytics store (HPAS) is populated by scheduled searches that run every 5 minutes. The HPAS spans a user-defined time […]

Splunk Accelerated Data Models – Part 1
This article is based on my Splunk .conf 2015 session and is the first in a mini-series on Splunk data model acceleration. Why Accelerate? Have you ever seen this? Splunk is great and very fast with needle-in-a-haystack searches, e.g. finding a specific keyword in millions of events. It is not so fast […]

Splunk Scripted Input Secrets
Splunk’s Universal Forwarder has the neat capability of executing arbitrary scripts while capturing their output and sending it to Splunk. This feature allows you to turn any executable, batch file or PowerShell script into a Splunk data source, making the data collection options basically limitless. This post explains a few tricks that are difficult to […]

Turning Splunk into a Systems Management Tool
Despite its great power, Splunk is relatively static with regards to the data it processes. You cannot instruct it to simply run a script on all endpoints and index the results. The app HK Systems Management changes that. It turns Splunk into a kind of PsExec on steroids.

Splunk Revolution Award
I am more than happy to announce that I won a Splunk Revolution Award in the category developers. The winners were presented on the big screen during the keynote. My slide reads: Helge showed thought leadership with a series of blog posts and ecosystem participation with the availability of the uberAgent for Splunk app. Happy […]

What Is Splunk and How Does It Work?
You have probably heard of Splunk, but can you describe what it does to a colleague in a few sentences? That is not easy. Splunk does not belong in any traditional category but stands apart from the crowd. That makes it interesting, but also harder to explain. Here is my attempt.

Splunk App Development Tips – Working with Splunk
This is a collection of useful tips and resources for developing Splunk apps. For an explanation of the available app types please see my earlier article on the topic.

Splunk App Development Tips – Which App Type to Choose
When you start developing apps for Splunk, the first big question you hit is a bit unexpected: which technology do you work with, which app type do you choose?

Some of the Best Splunk Marketing Slogans Extracted from Splunk.exe
If you have ever been to a conference with a Splunk booth you will have noticed their t-shirts. They are all black with a cool slogan printed in white. When you have been working with Splunk for some time you will notice that it has a very powerful command-line tool, splunk.exe. You can use that […]

How to Send Data from C# to Splunk via the REST API
Splunk has a very extensive REST API – which is just a fancy way of saying that many of its capabilities are accessible via standard HTTP(S) requests. While much of the API is well documented, submitting data from C# to Splunk is kept a bit vague. Since I had to do that recently in order […]

How to Process Terabytes – per Day (or: my account of Splunk .conf 2013)
Processing several terabytes of data per day is not too uncommon and easily possible with Splunk – that is one of the many things I learned at .conf 2013 in Las Vegas.

Boot IO Analysis with uberAgent for Splunk 1.5
Analyzing slow boots is a difficult task. You need to install software like XPerf and master its far-from-intuitive command-line options to generate a trace file that you can then analyze. Once you find a possible cause for the long startup duration you never know if it is specific to the machine you analyzed or if […]

How-to: XenApp/RDS Sizing and Capacity Planning with uberAgent for Splunk
Do you know the maximum number of users each of your terminal servers can host with acceptable performance? You may have found out the hard way how many are too many – but how many are just right? Farm sizing and server capacity planning are typical tasks for consultants who often have a hard time […]

Monitoring Browser Performance per Site with uberAgent for Splunk
The days are long gone when a browser was just another application. Modern websites are applications of their own, and the browser is their operating system. That has consequences for monitoring. It is no longer sufficient to gather performance data for the browser as a whole. When, for example, Internet Explorer’s CPU usage is high, […]