Hey Splunk community and welcome to the 17th installment of Smart AnSwerS!
Since our Splunk FY’16 Sales Kickoff fell on Presidents’ Day and was a mandatory work event, the holiday was moved to another date that, of course, I didn’t think to keep track of. Good thing I found out accidentally through conversation with another Splunker earlier this week before it was too late! Let it be known that tomorrow, April 3rd, 2015 is officially “Spring Day” for Splunk in America. I would have made my commute to a dark and lonely office, and it wouldn’t have been the first time. Hah!
Check out this week’s featured Splunk Answers posts:
asieira brought up a question that has come up a handful of times on Answers, and it’s great to see how the collaborative conversation unfolded with dsdb_splunkadmin, who was struggling with the same issue. The problem was how INDEXED_EXTRACTIONS, KV_MODE, and AUTO_KV_JSON were configured. In both users’ cases, index-time and search-time JSON extraction were enabled at the same time, which resulted in the unexpected behavior. If you’re seeing duplicate values for the same field returned from JSON data in search results, then you may be barking up the right tree with this post:
http://answers.splunk.com/answers/223095/why-is-my-sourcetype-configuration-for-json-events.html
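To make the misconfiguration concrete, here is a props.conf sourcetype stanza in the shape that produces the duplicates, followed by the corrected form. This is an added example, not configuration from the Answers thread; the sourcetype name `my_json_app` is assumed, and only one of the two stanzas should exist for a given sourcetype.

```ini
# Before: both index-time (INDEXED_EXTRACTIONS) and search-time
# (KV_MODE / AUTO_KV_JSON) JSON extraction are on, so every field is
# extracted twice and appears with duplicate values in results.
[my_json_app]
INDEXED_EXTRACTIONS = json
KV_MODE = json
AUTO_KV_JSON = true

# After: keep the index-time extraction and switch off search-time JSON
# extraction for this sourcetype so each field is extracted exactly once.
[my_json_app]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
```

Two points worth checking when applying this: INDEXED_EXTRACTIONS has to live on the instance that parses the data (a universal forwarder, if that is where the files are read), while KV_MODE and AUTO_KV_JSON take effect on the search head, so the two halves of the fix may belong on different hosts. To confirm which file is actually supplying each setting after the change, run `splunk btool props list my_json_app --debug` on the relevant instance; it prints the merged stanza with the path of the .conf file each line came from.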
Sometimes customers get “lucky” and are suddenly honored with the task of taking over as the Splunk admin at their company. It can be a daunting responsibility, and you may not know where to begin. euphvx wanted to start by figuring out how things were set up in the environment, particularly how two servers were configured. The ever-so-knowledgeable ekost offers some great advice using btool and a step-by-step guide to determine the forwarding and receiving configs on the Splunk instances.
http://answers.splunk.com/answers/223145/taking-over-temporarily-as-a-splunk-admin-at-work.html
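For anyone inheriting an environment, the two stanzas below are what the forwarding and receiving side of a Splunk-to-Splunk connection typically look like, so you know what to expect btool to show. This is an added example, not configuration from the thread; the hostnames, group name and port are assumed.

```ini
# outputs.conf on the forwarding instance: where its events are sent.
# An instance with a [tcpout] default group is acting as a forwarder.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer01.example.internal:9997, indexer02.example.internal:9997

# inputs.conf on the receiving instance: the port it listens on for
# forwarded data. An instance with a [splunktcp://...] stanza is a receiver.
[splunktcp://9997]
disabled = 0
```

On each server, `splunk btool outputs list --debug` and `splunk btool inputs list --debug` print the effective, merged settings together with the file path each line was read from, which is how you tell an app-level override apart from a default. Seeing a `[tcpout]` group on a host makes it a forwarder; seeing `[splunktcp://9997]` makes it a receiver; a host can be both if it is an intermediate forwarder.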
jgcsco constructed a search to find what percentage of events had the value “Status1” in field “Status”, but also needed to return the top 3 values of field “State” associated with Status1 whenever that percentage was over 5%. The problem was figuring out how to combine all of these requirements into one search. sideview answered the question thoroughly, as always, with a search and an explanation of how fillnull, stats, and eventstats process the data to get the desired output.
http://answers.splunk.com/answers/225268/how-to-calculate-the-ratio-of-fielda-and-if-the-ra.html
Thanks for reading and have a great weekend!
Missed out on the first sixteen Smart AnSwerS blog posts? Check ‘em out here!
http://blogs.splunk.com/author/ppablo
----------------------------------------------------
Thanks!
Patrick Pablo