Splunk JesusTools

Need to do a "stats" function on a multivalued field or convert a count field to ranks? Now you can!

Comment

Inspiration

JesusTools was created as a result of a months-long survey of un-/incompletely-/inadequately-/inelegantly-answered questions found in Splunk's own Answers.Splunk.com user forum. In some cases (e.g. the "transposeWithTopRowToFieldNames" macro), no solution was ever posited for this intractable question even though the question comes up regularly. In other cases (e.g. the "mvstats" macro), brute-force, "one-off" solutions have been provided but nothing as universal and flexible as "mvstats" has ever been seen even though this question also is frequently asked.

How it works

With a succinct demonstration dashboard powered by "run-anywhere" data (no need to import sample data) that loads completely in under 10 seconds, any user can go from installation to exploitation in just a few minutes! The best thing about this app is that each macro is designed, commented, & presented in such a way that even if a user does not need to use any of the tools, he can still benefit from perusing the dashboard because of the educational benefit and clever exploitation of the SPL command set. Also, the "Manifest" dashboard makes clever use of the REST API to inventory all the utilities that the App provides so that the user never has to go look at the "macros.conf" file directly.

Challenges I ran into

The main challenge that I ran into was that several times when I solved a problem I discovered that Splunk had already released a new command that did the same thing!

Accomplishments that I'm proud of

The 'mvstats' solution is so elegant and powerful, and the question is so common, that I think that macro alone will be super popular and make this app a top download. One of the surprising things is that, the more I refined the macros, the more that they became intertwined with eachother which provides increased clarity and "coolness"! I don't think many judges would dispute that the "mvstats" macro possibly possess the highest "usefulness*elegance" factor of any Splunk macro ever written.

What I learned

DEFINITELY check the release notes and command set for the latest version of Splunk. They add new commands in almost every release and sometimes this exactly what you need (or have been waiting to get)!

What's next for JesusTools

As I create additional beneficial/shareable macros, I will update this app but I have no specific plans on what is next.

Built With

Share this project:

Updates