Hey there community and welcome to the 71st installment of Smart AnSwerS.
There’s a lot of hustle and bustle going on as Splunkers, partners, and customers are preparing and reviewing presentations for .conf2016 just two months away. As we all wait in anticipation for the annual worldwide user conference, come join the community in a sneak peek of one of the sessions at next week’s July SplunkTrust Virtual .conf session. On Friday, July 29th @ 3:00PM Pacific time, SplunkTrustee Mason Morales will be giving a preview of his .conf2016 talk: Architecting Splunk for Epic Performance. Visit the meetup page to RSVP and access the WebEx link for the event.
Check out this week’s featured Splunk Answers posts:
What causes “Too many search jobs found in the dispatch directory” and should Splunk be handling this on its own?
a212830 was seeing this message appear frequently on a search head, and could not find much material on why this happens. There have been several questions asked on related topics, but these have focused more on how to clean up the dispatch directory. sowings and yannK both contributed answers that addressed the underlying causes of this behavior. They educate the community on what the dispatch directory is, its purpose, the types of search artifacts that get stored there, and why the TTL (time to live) varies for each one.
How does creating a data model affect storage and memory?
packet_hunter was concerned about predicting how much disk space would be consumed by creating and testing different data models, especially with little extra storage or license to work with. shaskell explains how this depends on the type of data model, acceleration, and the period of acceleration. He shares a lot of great resources from Splunk documentation on inspecting acceleration, precautions, differences between ad hoc versus persistent acceleration, and how to limit the amount of disk space used for data model summaries.
Why am I getting less fields returned from a search with the stats command compared to transaction?
Urias was told to use the stats command instead of transaction, but noticed there were fewer fields returned from the search. Stats was recommended for performance reasons, but Urias wasn’t sure if this was still the right way to go if it meant getting limited results. craigv covers the differences between the two commands, how they operate, and whether or not you can get the same functionality using one or the other based on your use case.
Thanks for reading!
Missed out on the first seventy Smart AnSwerS blog posts? Check ‘em out here!