Posts Tagged ‘splunk’

Splunk: useful URL

July 11th, 2010

As you probably already know, IRC is a good place to learn things. Here are some URLs I learned from the Splunk channel:

  • http://host:webport/en-US/debug/refresh reloads some parts of Splunk, including applications' views. Very useful when developing a new application. No need to restart each time!
  • https://host:8089/services/admin/inputstatus/TailingProcessor:FileStatus displays the status of monitored files. Note that the port is the management one, not the web one, so I guess this interface is available on agents even if splunkweb is not started. You can hit /services/admin/ to find a lot more information.

Categories: Business tools

How to clone search’s dashboard in splunk

June 14th, 2010

After a few weeks trying to persuade my boss to buy Splunk, I have started to put it in production. My first goal was to clone the search application's dashboard using a dedicated index. I have a few Splunk agents reading some Tomcat logs and forwarding them to my Splunk instance. All these logs go to a dedicated index named rtlnet. Our web developers want to use Splunk to see the production logs. While it was easy to create the rtlnet index, I wanted to clone the search dashboard to give them an overview of logs by application or by host. However, while it was easy to add index=rtlnet to the metadata search, I was not able to add the index to the search computed when you click on a result (for example the sourcetype).

Here is the original code which produces one of the three panels:

      <module name="SearchLinkLister">
        <param name="settingToCreate">list1</param>
        <param name="search">| metadata type=sources</param>
        <param name="searchFieldsToDisplay">
          <list>
            <param name="label">source</param>
            <param name="value">source</param>
          </list>
          <list>
            <param name="label">totalCount</param>
            <param name="labelFormat">number</param>
          </list>
        </param>
        <module name="ConvertToIntention">
          <param name="settingToConvert">list1</param>
          <param name="intention">
            <param name="name">addterm</param>
            <param name="arg">
              <param name="source">$target$</param>
            </param>
          </param>
          <module name="ViewRedirector">
            <param name="viewTarget">flashtimeline</param>
            <param name="uriParam.auto_pause">true</param>
          </module>
        </module>
      </module>

As I said, adding index=rtlnet to the metadata search is trivial. However, when a user clicks on a result (in this case a source), the computed search was only source=$target, so there was no result, since the index is not specified. After spending a few hours trying to understand how to add the index to the existing intention, I finally understood that I needed to nest it in a new HiddenIntention. Here is the new module definition:

      <module name="SearchLinkLister">
        <param name="settingToCreate">list1</param>
        <param name="search">| metadata type=sources index=rtlnet </param>
        <param name="searchFieldsToDisplay">
          <list>
            <param name="label">source</param>
            <param name="value">source</param>
          </list>
          <list>
            <param name="label">totalCount</param>
            <param name="labelFormat">number</param>
          </list>
        </param>
        <module name="HiddenIntention">
          <param name="intention">
            <param name="name">addterm</param>
            <param name="arg">
              <param name="index">rtlnet</param>
            </param>
          </param>
          <module name="ConvertToIntention">
            <param name="settingToConvert">list1</param>
            <param name="intention">
              <param name="name">addterm</param>
              <param name="arg">
                <param name="source">$target$</param>
              </param>
            </param>
            <module name="ViewRedirector">
              <param name="viewTarget">flashtimeline</param>
              <param name="uriParam.auto_pause">true</param>
            </module>
          </module>
        </module>
      </module>

As you can see, I nested the existing ConvertToIntention module inside a new HiddenIntention. Cheers!
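Added example (not from the original post): since the dashboard has three such panels, this Python sketch applies the same two changes to every SearchLinkLister in a view, so that neither the metadata search nor the click-through search can fall outside the dedicated index. The sample view is constructed, and the function names `hidden_intention` and `scope_view_to_index` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one panel in the shape of the original module shown above.
SAMPLE_VIEW = """<view>
  <module name="SearchLinkLister">
    <param name="settingToCreate">list1</param>
    <param name="search">| metadata type=sources</param>
    <module name="ConvertToIntention">
      <param name="settingToConvert">list1</param>
      <param name="intention">
        <param name="name">addterm</param>
        <param name="arg"><param name="source">$target$</param></param>
      </param>
      <module name="ViewRedirector"><param name="viewTarget">flashtimeline</param></module>
    </module>
  </module>
</view>"""

def hidden_intention(index):
    """Build a HiddenIntention module that adds index=<index> as a search term."""
    hidden = ET.Element("module", name="HiddenIntention")
    intention = ET.SubElement(hidden, "param", name="intention")
    ET.SubElement(intention, "param", name="name").text = "addterm"
    arg = ET.SubElement(intention, "param", name="arg")
    ET.SubElement(arg, "param", name="index").text = index
    return hidden

def scope_view_to_index(xml_text, index):
    """Pin every SearchLinkLister panel, and its click-through search, to one index."""
    root = ET.fromstring(xml_text)
    # Collect the panels first so the tree is not modified while it is being walked.
    listers = [m for m in root.iter("module") if m.get("name") == "SearchLinkLister"]
    for lister in listers:
        for param in lister.findall("param[@name='search']"):
            search = (param.text or "").strip()
            if f"index={index}" not in search.split():
                param.text = f"{search} index={index}"
        # Only direct ConvertToIntention children are wrapped, so a second run is a no-op.
        for pos, child in enumerate(list(lister)):
            if child.tag == "module" and child.get("name") == "ConvertToIntention":
                wrapper = hidden_intention(index)
                lister.remove(child)
                wrapper.append(child)
                lister.insert(pos, wrapper)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(scope_view_to_index(SAMPLE_VIEW, "rtlnet"))
```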

Categories: Sysadmin