Splunk & my Twitter archive

Recently I've been having a great time playing with Splunk. Splunk is a big data platform that allows you to search practically any machine data and present it in ways that will give you insight into what you have. It has practical applications for application management, IT operations, security, compliance, big data as well as web and business analytics.

I downloaded the free trial version, installed it locally and played with some personal data sources including phone bills, bank statements, my personal Twitter archive as well as some weather data I downloaded from the Bureau of Meteorology.

Below are a few of the interesting charts that came out of my Twitter archive (@dan_cake), along with the basic search query used to extract and present the data in this way.

 

Tweets by month

sourcetype=twitter_csv

Tweets peaked in July 2010 when I sent on average almost 4 tweets per day. The first drop in usage is probably due to the birth of my first child and then the subsequent months where there was hardly any usage is due to just being too busy at work and at home.

Tweets per hour of day

sourcetype=twitter_csv | stats count BY date_hour | chart sum(count) By date_hour

Most tweets were sent between 9am-5pm but there is a dip around lunchtime and an interesting smaller increase in usage between 9pm-11pm. What really surprised me about this was the volume of tweets sent between 1am and 5am. Drilling down into the data, it seems that some of these are due to issues with the timezone of the device I was on.

Tweets sent by Twitter client

sourcetype=twitter_csv | rex field=client "<*>(?<client>.*)</a>" | eval client=lower(client) | top client

Also I was surprised by this. I know I have been searching for the perfect client but had forgotten just how many I have been through!

The search query involved stripping some HTML tags from some of the client values with regex as well as matching on lowercase to get around inconsistencies with the same client having different capitalisation.
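
The same clean-up outside Splunk, as an added example that is not part of the original post: it strips the anchor tag and lowercases the client value before counting, and buckets tweets by hour with an explicit UTC offset to show how a timezone mismatch moves daytime tweets into the small hours. The column names (timestamp, client), the sample rows and the 10-hour offset are constructed assumptions, not the real archive.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample rows; column names are assumptions, not the real archive schema.
SAMPLE_CSV = '''timestamp,client,text
2010-07-01 23:30:00 +0000,"<a href=""http://example.com/deck"" rel=""nofollow"">TweetDeck</a>",one
2010-07-02 00:10:00 +0000,"<a href=""http://example.com/deck"">tweetdeck</a>",two
2010-07-02 03:00:00 +0000,web,three
2010-07-02 16:45:00 +0000,"<a href=""http://example.com/e"">Echofon</a>",four
2010-07-03 02:15:00 +0000,Web,five
'''

# Matches one anchor element and captures only its text content.
ANCHOR = re.compile(r"<a\b[^>]*>([^<]*)</a>", re.IGNORECASE)

def normalise_client(raw):
    """Strip a wrapping <a> tag if present, then trim and lowercase."""
    m = ANCHOR.search(raw)
    name = m.group(1) if m else raw  # plain values such as "web" pass through
    return name.strip().lower()

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def top_clients(rows, limit=10):
    """Equivalent of '| top client' after normalisation."""
    return Counter(normalise_client(r["client"]) for r in rows).most_common(limit)

def tweets_per_hour(rows, utc_offset_hours=0):
    """Count tweets per hour of day in the given fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hours = Counter()
    for r in rows:
        ts = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S %z")
        hours[ts.astimezone(tz).hour] += 1
    return dict(sorted(hours.items()))

if __name__ == "__main__":
    rows = load(SAMPLE_CSV)
    print(top_clients(rows))
    print(tweets_per_hour(rows))                       # hours as stored (UTC)
    print(tweets_per_hour(rows, utc_offset_hours=10))  # hours in the assumed local zone
```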

2 Comments

  1. Ed says:

    Cool stuff! I love using splunk for my own personal data. If you (or anyone else) is interested in poking around your Twitter archives in json you can also dump the files into Splunk Storm. I wrote a quick conversion script to clean them up: https://github.com/edrabbit/twitter_cleaner and Splunk Storm (www.splunkstorm.com) has free 1GB plans which should be more than enough to fit Twitter archives. (Full disclosure: I’m an engineer on the Storm team)

  2. Daniel says:

    Hi Ed,
    Thanks for your comment. I’ve had a brief play with Splunk Storm and found that it was easier for me to manually edit the conf files (inputs, props, transforms etc) on a local install. Splunk Storm seems like a great product but for my personal data I prefer just working locally.
    Cheers
