Hey there community and welcome to the 54th installment of Smart AnSwerS.
Next Tuesday, February 23rd, 2016, we’ll be holding SplunkTrust Virtual .conf session #4 from 12:00PM to 1:00PM PST. SplunkTrust member Mark Runals will be presenting his .conf2015 session “Taming your Data”, which covers the data onboarding maturity scoring model and a way of having Splunk dynamically detect mis-categorized sourcetypes. Visit the event meetup page to RSVP and join the 35+ users (and counting) on Webex next week!
Check out this week’s featured Splunk Answers posts:
flee needed to forward Windows events from about 6000 Windows workstations and was looking for advice on which deployment strategy would make the most sense for ongoing maintenance, given the overhead of managing that many universal forwarders through a deployment server. javiergn gives a solid list of pros and cons to weigh before going the route of installing and managing a universal forwarder on every machine.
https://answers.splunk.com/answers/331926/is-it-recommended-to-install-a-universal-forwarder.html
agoktas had four log files on one host, but only wanted one of those files to be indexed between 6am and 6pm each day. Stopping the universal forwarder service during off hours was not an option because the other three log files needed to be ingested 24 hours a day. SplunkTrust members MuS and rich7717 worked together to come up with a props.conf and transforms.conf configuration on the indexer that filters out all events from this one file between 6pm and 6am while leaving the other three files untouched.
https://answers.splunk.com/answers/332983/how-to-index-certain-logs-only-during-a-certain-ti.html
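The usual shape of that kind of filter is a per-source props.conf stanza that hands events to a transforms.conf stanza whose REGEX matches the hour in the event's own timestamp and sends matches to nullQueue. The block below is an added example, not the configuration posted in the Answers thread: the file path /var/log/app/daytime.log and the "YYYY-MM-DD HH:MM:SS" timestamp at the start of each event are assumptions, and the sample log lines are constructed. It embeds the two stanzas, pulls the REGEX out of the transforms stanza, and replays the indexer's keep-or-drop decision over the constructed events so the regex can be checked before it goes anywhere near production.

```python
import re

# Added example (not the Answers thread's configuration). Assumed for illustration:
# the monitored file is /var/log/app/daytime.log and every event begins with a
# "YYYY-MM-DD HH:MM:SS" timestamp. The stanzas live on the indexer, because a
# universal forwarder sends the data unparsed and props/transforms run in the
# indexer's parsing pipeline.
PROPS_CONF = r"""
[source::/var/log/app/daytime.log]
TRANSFORMS-nightnull = daytime_only
"""

TRANSFORMS_CONF = r"""
[daytime_only]
# Hour 18-23 or 00-05 in the event timestamp -> route to nullQueue (discarded, never indexed).
# SOURCE_KEY defaults to _raw, so the regex runs against the raw event text.
REGEX = ^\d{4}-\d{2}-\d{2} (?:1[89]|2[0-3]|0[0-5]):
DEST_KEY = queue
FORMAT = nullQueue
"""


def regex_from_transforms(conf: str, stanza: str) -> str:
    """Return the REGEX value of the named transforms.conf stanza."""
    in_stanza = False
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_stanza = line == f"[{stanza}]"
        elif in_stanza and line.startswith("REGEX"):
            return line.split("=", 1)[1].strip()
    raise KeyError(f"stanza {stanza!r} has no REGEX")


NIGHT_RE = re.compile(regex_from_transforms(TRANSFORMS_CONF, "daytime_only"))


def route(event: str) -> str:
    """Mimic the parsing-queue decision for one event from the filtered source:
    a REGEX hit sets queue=nullQueue, anything else continues to indexQueue."""
    return "nullQueue" if NIGHT_RE.search(event) else "indexQueue"


def split_events(events):
    """Return (kept, dropped) lists for a batch of events from the filtered source."""
    kept = [e for e in events if route(e) == "indexQueue"]
    dropped = [e for e in events if route(e) == "nullQueue"]
    return kept, dropped


# Constructed sample events covering both edges of the 6am-6pm window.
SAMPLE_EVENTS = [
    "2016-02-18 05:59:59 INFO overnight batch finished",
    "2016-02-18 06:00:00 INFO first daytime event",
    "2016-02-18 12:30:15 WARN slow response",
    "2016-02-18 17:59:59 INFO last daytime event",
    "2016-02-18 18:00:00 INFO first evening event",
    "2016-02-18 23:45:01 ERROR nightly job failed",
]

if __name__ == "__main__":
    kept, dropped = split_events(SAMPLE_EVENTS)
    for e in kept:
        print("indexQueue", e)
    for e in dropped:
        print("nullQueue ", e)
```

Two caveats worth keeping in mind with this approach. The match is on the timestamp text inside the event, not on the wall clock at ingest, so delayed or replayed data is judged by when it happened rather than when it arrived; if the file's timestamps are in a different format, the regex has to change with them. And events routed to nullQueue are discarded, not deferred: nothing from the overnight window is ever recoverable from Splunk, which is fine for a "don't care about nights" file but is the wrong tool if those events might be wanted later.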
rphillips from the Splunk Support team shared this helpful question and answer with the community, since it is a concern raised by many admins managing a search head cluster. He shows two examples of using REST endpoints from the CLI to change the owner of a saved search and of a dashboard view, with the change replicated to all members of the cluster rather than edited on one member's local files.
https://answers.splunk.com/answers/295303/how-do-i-change-the-owner-of-a-saved-search-or-vie.html
Thanks for reading!
Missed out on the first fifty-three Smart AnSwerS blog posts? Check ‘em out here!
http://blogs.splunk.com/author/ppablo
----------------------------------------------------
Thanks!
Patrick Pablo