Hello, Splunk community, and welcome to Smart AnSwerS #96.
According to countless inspirational quote websites, Aristotle once said, “Those who know, do. Those that understand, teach.” Whether that quote can actually be attributed to the ancient Greek philosopher is up for debate, but the wisdom behind the quote is not. It's one thing to be able to do something yourself; teaching someone how to do something, however, is another thing entirely.
Thankfully, the Splunk Answers community doesn't just know how to use Splunk—they're good teachers as well. And that’s why the Smart AnSwerS blog series exists. Every month, we search through the forum to find three solutions that we think you should know about.
There are multiple reasons why a Splunk Answers post gets featured on this blog. We pick some solutions because they're well-explained, and others we pick because the tips they exhibit are super awesome. But there's one thing that all posts featured in the Smart AnSwerS blog have in common: they exemplify our community’s commitment to teaching. So, whether you are brand new to Splunk or you're a grizzled Splunk ninja, here are three solutions from the Splunk Answers forum that we think you should know about.
On a group of Windows server, Answers user chuckcoggins wanted to be able to “disable the administrator account and replace it with a bunch of specific users.” To do that, they needed to be confident that these new users had all the same settings—“services, software, backups, etc”—that were possessed by the admin account.
But a list of settings like that could be long and complicated. Is there an easy way to list every setting that is being run by an admin account, chuckcoggins wondered?
After “banging their head” against the wall for a couple days trying to accomplish this, chuckcoggins was no closer to a working solution.
Fortunately, the Splunk community never leaves one of their own behind. whrg stumbled upon the post and helped chuckcoggins solve their issue. If you follow our monthly karma contest blog, you may remember whrg. He won the Splunk Answers karma contest in December 2018.
According to whrg, to get a list of the processes being run by the administrator account, chuckcoggins needed to monitor the servers’ process creation. whrg said he knew two ways of accomplishing this and described both of them in great detail, which saved chuckcoggins—and any future users with similar issues—a whole lot of time.
If you would like to see whrg’s solution for yourself, you can find the original post here.
There are many ways to extract the fields you need from your data. The generally recommended time to do a field extraction is at search time, especially when you have machine data that—according to Splunk Docs—“does not have structure or has structure that changes constantly.”
However, another way to extract a field is through an indexed field extraction, and as the name implies, these types of extractions occur at index time.
The user MattibergB had a field extraction that executed correctly during search time. However, because they were running into performance issues, they wanted the extraction to occur at index time instead. Unfortunately, their indexed field extraction wasn't working correctly.
SplunkTrust member and Splunk Answers moderator MuS found the post and helped MattibergB fix their problem. MuS, thanks for helping out, and MattibergB, thanks for sharing your issue so that we all could learn from it!
To see what edits MuS suggested to MattibergB’s transforms.conf file, check out the entire Answers post here.
On the Splunk Answers forum, not every fix fits nicely into the green solution box. Sometimes, good Answers posts are more like conversations, continuing into the comment section until a solution can be reached. We love this about Answers—after all, what would a forum be without satisfying conversation?
Splunk Answers user jiaqya had a multisite indexer cluster setup. They had two sites, A and B, on which they each maintained a replication factor of 2. Their goal was to have data forwarded to Site A, and then have replication occur at Site B. They wanted both sites to maintain a copy, but with the primary bucket copy existing on Site A.
However, with Splunk, do you have the capability to choose which site a primary bucket copy exists on? jiaqya wasn’t sure.
Luckily, the user markusspitzli found jiaqya’s question. We thought the conversation that followed was an excellent example of the helpful exchanges that occur on the Splunk Answers forum.
By explaining how to configure the masternode on server.conf, as well as how to set up the universal forwarder to only send logs to one site, markusspitzli showed how to customize the location of a primary bucket copy on a multisite indexer cluster.
But the learning didn’t stop there. Since jiaqya still had some questions, markusspitzli answered them in the comment section, explaining the nuts and bolts of replication factors and search affinity. Because of markusspitzli’s teaching, jiaqya didn’t just learn how to fix their problem—they also learned why the fix worked.
markusspitzli and jiaqya, thanks for sharing your educational journey with the community! So many people are going to learn from your efforts. :)
You can find the entire exchange here.
If you are just discovering Splunk, or just want to get more involved, be sure to check out all of our community programs. Ask a question on Splunk Answers (don't be shy, our users are very friendly), engage with Splunk BucketList, sit in on a user group meeting near you, or jump into a conversation in the Splunk Community chat on Slack.
And, as always, thanks for reading, and see you on the forum!