Zohorul Islam Zohorul

How to make fake data in Splunk using SPL

Sometimes, you need to fake something in Splunk. Might be during development and you don't feel like writing a real search, but you really need a number for a dashboard panel to look right. Maybe you are helping someone with a hairy regex, and you don't want to index data just to test it on your instance. Whatever the reason, here are some searches that have helped me out.

Note that when using these techniques, you are not going through the indexing

Splunk Queries

I really don't like Splunk documentation. Why is it so hard to find out how to do a certain action? So this is a cheatsheet that I constructed to help me quickly gain knowledge that I need.

Analysis

Events over time

index="my_log"

Splunk

Helpful tips and tricks for Splunk.

Formatting

Splunk uses the | ("or bar") as a means to break up statements. Instead of using one long string of statements, consider deliminating | [statement] on seperate lines.

Example

Setting Up EC2

Sign into AWS
Open EC2
Click Instances on Left Side
Click "Launch Instance"
Select "Amazon Linux AMI 2016.09.1 (HVM), SSD Volume Type"
Select Free Tier
Click review and launch
Press Launch

DevOps Engineer Interview Questions

	<?xml version="1.0"?>
	<form>
	<label>The Battle Overview</label>
	<searchTemplate><![CDATA[
	index=thebattle \| rex field=uri "/battle/(?<thing>[^?]+)(\?color=(?<color>\w+))?" \| eval color=if(isnull(color), "", color) \| eval strategy=color.thing \| stats count by date_hour, bytes, clientip, strategy
	]]>
	</searchTemplate>
	<fieldset>
	<input type="time">
	<label/>

	CI & CD:
	========
	2 core software development processes
	CI process of automating regular code commits followed by an automated build and test process designed to highlight intergration issues early.
	Additional tooling and functionality provided by Bamboo, CruiseControl, Jenkins, Go and TeamCity etc.
	workflow based
	CD takes the form of a workflow based process which accepts a tested software build payload from a CI server. Automates the deployment into a working QA, Pre-prod or Prod environment.
	AWS CodeDeploy and CodePipeline provide CI/CD services
	Elasticbeanstalk and CFN provide functionality which can be utilized by CI/CD servers.

	# SPL cheatsheet:
	# Additional resource: http://www.bbosearch.com/searches
	########################################################

	- List users and corresponding roles:
	=====================================
	\| rest /services/authentication/users splunk_server=?
	\| fields title roles realname

	- List indexes:

	#!/bin/bash
	mkdir /opt/tomcat
	yum update -y
	yum install java-1.8.0-openjdk-devel httpd24 git -y
	service httpd start
	chkconfig httpd on
	yum remove java-1.7.0-openjdk -y
	# calling the version may ensure that java recognizes 1.8 as the new defaut
	java -version
	echo "JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk/jre" \| \