Saturday, July 20, 2024

Salesforce data analysis leveraging time-based Splunk lookups

 As a Sales Engineering manager I recently wanted to perform some analysis of customer meeting data from Salesforce - specifically when one of the Architects on the team brought in an overlay. My default tool of analysis is Splunk (he says shocking no one) and while I could write a very long case statement or use a lookup I was left with a challenge. Time. Given a long enough time period, there were Architect to territory alignments that straight up changed OR Architects were temporarily assigned to territories to support gaps in coverage. Regular lookups don't work in this case. What to do?

Saturday, November 4, 2023

CQLing Game Data - The Blog Version

I've been learning CrowdStrike's LogScale platform recently. To help myself learn the CrowdStrike Query Language (CQL) I figured I'd do some analysis of game data I had collected a while ago. The idea was to help me learn and then create this post to perhaps help others who might be learning CQL as well.

To that end, this post is a more written version of the live & somewhat interactive LogScale dashboard located: here

I'm providing the data itself at the bottom of this post if you want to monkey around with it.

It isn't uncommon for users of tools like LogScale to not know where to start from a query perspective. Something unique with LogScale is being able to easily share dashboards outside of the tool itself. This is a pretty cool capability! The other place where I see individuals somewhat struggle is how to create a dashboard. Not mechanically as much as how to lay out data. 

Sunday, August 27, 2023

Splunk to LogScale Cheatsheet

Learning a new language is always fun(?). Many folks start with existing paradigms and look for comparisons. I'm no different while trying to learn LogScale's Query Language or LQL. 

I've looked for various cheatsheets and haven't found much. I'll paste a very rough one I've created below and hope to update it over time. Feel free to pass over anything I should add or tweak! There also has to be a better way to post this other than a pasted image from Excel. I'm a Luddite /shrug

Saturday, July 29, 2023

Finding Log Volume Ingestion Anomalies in Splunk

 

This is for my man Destry who I met recently in person. He was giving me a bit of good-natured fun at not posting more frequently. So Destry, this is for you!

I’m doing a Splunk tips & tricks workshop this week with some folks who, among other things, had asked for a query to identify log volume anomalies. Ahh volume anomalies. So many variations of this. Several apps can be found on Splunkbase which have been developed by the user community. One might ask why Splunk hasn’t incorporated more of this sort of thing in the Monitoring Console /shrug.

My normal recommendation to folks is run a few queries to capture log volume (internal index license log) and event counts (tstats) in a ‘summary index’ for long term retention and quicker analysis. Some of that is likely found in the introspection index but I’ve not done a deep dive there TBH. The workshop I’m doing is with folks in a multi-tenant environment where each would like to do their own quick analysis.

So let’s define a few goals

  • When a host is sending abnormally more or less of a data type compared to other hosts
  • When a host is sending abnormally more or less of a data type compared to itself
  • One query to do both comparisons to keep compute down and not have intermediate steps (like populating or reading from a lookup) for simplicity

Monday, January 2, 2023

New Managers: Hiring Process

The bug to write has bit again. 

There aren’t a ton of quick resources nor do many orgs place a lot of emphasis on training for new managers. I’ve done a good bit of candidate prospecting and hiring over the last year so I’ll write a bit through that lens across a few posts. I’m no expert but do have some thoughts on the subject.

You’re at a point where you must hire someone. What does that process look like and where do you even start?

I’d begin by contemplating the following

  • Who you hire represents a $500k - $1M investment assuming they will be with you for several years. Make sure you give the process appropriate time & energy.
  • “We hire people based on what they know and fire them for who they are.” Unknown original source, but I really like it. Don’t be so focused on skills that you miss warning signs of cultural fit and work ethic.

After giving those a good think, here are some additional framework-y things to do some mental gymnastics on before you start. You will inevitably have to adjust as you go but limit how much of the plane you are building after it is in the air.