So there is somewhat of an eclectic mix of drivers going into this post. As I talk with individual Splunk users, Splunk administrative teams, and larger teams that have access to Splunk (security, operations, etc.), I sometimes come across a subset of folks who have a tough time trying to figure out how to take advantage of the data they have access to. In some cases it is because they lack imagination, vision, or strategy relative to what they are trying to accomplish. Sometimes it is being so heads down in the daily grind that they have trouble 'looking up', so to speak, and collecting their thoughts. More often than not, though, they are wearing multiple hats and could use a hand getting over the Splunk language learning curve. This post is designed to help a bit: some Splunk Processing Language (SPL) exposure mixed with a bit of dialogue on why I made the dashboard/dashboard panels the way I did.
To start with, I need data. Turns out I've started playing a mobile game called Darkfire Heroes. It isn't quite in a beta state but isn't available globally quite yet. The other day, Dec 8 & 9 to be exact, they had a 2-day Player vs Player (PvP) contest. Individual match wins were tracked, as well as the aggregate win total if you belonged to a group within the game, a clan. As a total side note, it is interesting to see people's gaming pedigree based on the descriptions they use. Are some of the bad guys/monsters you fight creeps, mobs, trash, etc., and are you a part of a clan, guild, or alliance? Outside of this mini event there is a clan rewards chest that also gives varying levels of rewards based on aggregate PvP wins over a week. PvP matches won during this 2-day event will count towards that reward chest.