Splunk examples

dashboard.xml

<?xml version="1.0"?>
<form>
  <label>The Battle Overview</label>
  <searchTemplate><![CDATA[
    index=thebattle | rex field=uri "/battle/(?<thing>[^?]+)(\?color=(?<color>\w+))?" | eval color=if(isnull(color), "", color) | eval strategy=color.thing | stats count by date_hour, bytes, clientip, strategy
    ]]>
  </searchTemplate>
  <fieldset>
    <input type="time">
      <label/>
      <default>All time</default>
    </input>
  </fieldset>
  <row>
    <chart>
      <title>What it is.</title>
      <searchPostProcess><![CDATA[chart sum(count) by strategy]]></searchPostProcess>
      <option name="charting.chart">pie</option>
      <option name="height">200px</option>
    </chart>
  </row>
  <row>
    <chart>
      <title>How it happened.</title>
      <searchPostProcess><![CDATA[chart sum(count) over date_hour by strategy]]></searchPostProcess>
      <option name="charting.chart">line</option>
      <option name="height">200px</option>
    </chart>
  </row>
  <row>
    <table>
      <title>Stats</title>
      <searchPostProcess><![CDATA[stats avg(bytes) by clientip]]></searchPostProcess>
      <option name="showPager">true</option>
      <option name="count">20</option>
    </table>
  </row>
</form>

inputs.conf

[default]
host = m13725.pinnacol.com

[monitor:///abs/path/to/rails/log]
index=main
sourcetype=rails

[fschange:/abs/path/to/dir]
index=main
sourcetype=projectdata
recurse=true
pollPeriod=60
fullEvent=true

props.conf

[source::.../bundle.txt]
sourcetype = bundle

[source::.../rcov.txt]
sourcetype = rcov

[source::.../rdoc.txt]
sourcetype = rdoc

splunk.txt

# search time field extraction
sourcetype=rails | rex field=_raw "Processing(\s)(?<controller>\S+)#(?<action>\S+)(\s\(for\s(?<client>[\d.]*).*\)\s\[(?<method>\S+)\])?" | top action

# multiple extractions, concatenation, basic stats
sourcetype=rails 
| rex field=_raw "Processing(\s)(?<controller>\S+)#(?<action>\S+)(\s\(for\s(?<client>[\d.]*).*\)\s\[(?<method>\S+)\])?"
| rex field=_raw "Completed.*in\s(?<request_time>[\d.]*)(ms)?(\s\((?<req_per_sec>\d*)\sreqs/sec)?"
| rex field=_raw "((ActiveRecord:)|(DB:))\s(?<db_time>[\d.]*)"
| rex field=_raw "((Views:)|(View:)|(Rendering:))\s(?<render_time>[\d.]*)"
| fields request_time render_time db_time controller action
| eval controller_action=controller."#".action 
| stats avg(request_time),avg(render_time),avg(db_time) by controller_action

# use of sed rex to reformat into a table, then multikv to split into multiple events
sourcetype=bundle 
| rex mode=sed "s/Gems.*/GEM VERSION/"
| rex mode=sed "s/  \* ([[:alnum:]_-]{1,}) \(([[:alnum:]. ]{1,})\)/\1 \2/g" 
| multikv 

  # versions of each gem
  | chart values(VERSION) by GEM

  # list of projects using each gem version
  | rex field=source "/(?<project>[\w_-]+)/\w+/bundle.txt" 
  | eval gem_name=GEM."-".VERSION 
  | chart values(project) by gem_name

  # number of distinct gems
  | eval gem_name=GEM."-".VERSION
  | stats distinct_count(gem_name)
 
  # number of distinct versions per gem
  | eval gem_name=GEM."-".VERSION
  | chart count(gem_name) by GEM

  # number of gems per project
  | rex field=source "/(?<project>[\w_-]+)/\w+/bundle.txt" 
  | chart dc(GEM) by project

summary_index.txt

search: index=thebattle | sistats avg(bytes) by clientip
start: @h
stop: +1h@h
run: hourly
fields:
  report: avg_bytes_by_client

sudo ./splunk cmd python fill_summary_index.py -app search -name "Summary Avg Bytes by Client" -et 1320991200 -lt 1321081200 -dedup true -owner admin -auth admin:PASSWORD

index=summary report=avg_bytes_by_client | stats avg(bytes) by clientip