Smart AnSwerS #72

Hey there community and welcome to the 72nd installment of Smart AnSwerS.

The “Where Will Your Karma Take You” contest has been underway for two weeks now on Splunk Answers, and there is just a little over 2 weeks left to go! From July 15 to August 15, the top 3 users that earn the most karma points within this period will each earn a free pass to .conf2016. Best of luck to everyone and finish off strong!

Also, next Wednesday, August 3rd @ 6:30PM, the San Francisco Bay Area user group will be meeting at Splunk HQ. If you happen to be in the area, come join us! Visit the SFBA user group page to see what’s in store for the agenda and RSVP.

Check out this week’s featured Splunk Answers posts:

Are data model summaries linked to the original events? Can tstats access them?

gabriel_vasseur couldn’t access original events from accelerated data models, and even running a tstats search in verbose mode only returned limited results. He found that data model summaries were stored in the same place as indexes, and wanted to know why tsidx files weren’t just pointing to the original events in the index. SplunkTrust member dshpritz gives a clear answer defining accelerated data models, what they contain, and what exactly happens when drilling down from accelerated data to actual events. He also includes helpful links to supporting documentation for additional reading.

How do you manage the content for users’ Splunk apps in a Search Head Cluster?

twinspop was previously running search head pooling, but recently moved over to a new install of a search head cluster and didn’t understand how to manage knowledge objects of users’ apps. SplunkTrustee somesoni2 explains that user-created objects need to be stored locally on search heads, and default configurations need to be pushed from the SHC deployer. In addition to these best practices, he shares the folder paths for migration in case other users in the community need guidance on moving from search head pooling to a search head clustering environment.

How to filter out weekdays or weekends in one search while using timewrap?

penguin1725 was trying to use the timewrap command to compare current data to the last 7 days, but needed to figure out how to compare a weekday to only weekdays, and a weekend day to only Saturday and Sunday. somesoni2 strikes again with a search using eval to define both weekdays and weekend days to use as a filter in one search.
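As an added illustration of the approach described above (not the search from the original Answers post, whose exact form is not reproduced here), the SPL below tags each event as a weekday or weekend day with eval, keeps only the days of the same type as the day the search is run, and then wraps the resulting timechart with timewrap so that each series compares like with like. The index, sourcetype and 1-hour span are assumed values chosen for the example.

```spl
index=web sourcetype=access_combined earliest=-7d@d latest=now
| eval dow=strftime(_time, "%a")
| eval daytype=if(dow="Sat" OR dow="Sun", "weekend", "weekday")
| eval today_dow=strftime(now(), "%a")
| eval today_type=if(today_dow="Sat" OR today_dow="Sun", "weekend", "weekday")
| where daytype=today_type
| timechart span=1h count
| timewrap 1d
```

Because the weekday/weekend filter is applied before timechart, the wrapped series only contain days of the same type as today: on a Wednesday the comparison is against the previous weekdays, and on a Sunday it is against the previous Saturday and Sunday. The same pattern works for any baseline comparison where weekend traffic differs from weekday traffic, such as checking today's authentication or proxy volume against comparable days.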

Thanks for reading!

Missed out on the first seventy-one Smart AnSwerS blog posts? Check ‘em out here!

Posted by Patrick Pablo
