Smart AnSwerS #86

Hello, community, and welcome to the 86th installment of Smart AnSwerS.

It's exciting to see so many users active on Splunk Answers since the beginning of 2018, and congrats to the winners of the "Where Will Your Karma Take You" contest so far on their very well-deserved wins for contributing their collective knowledge to educate the user community. The results of the March competition will be announced soon, so stay tuned! The contest has been ramping up excitement for the much anticipated .conf18 since each winner earns a free pass to register for the conference. For those of you who want to share an interesting use case, helpful tips or tricks, or any other bucket of Splunk knowledge with the global community, the .conf18 Call for Papers submissions are due by Thursday, April 12th. Get your talk submitted as soon as you can!

Here are this week’s featured Splunk Answers posts:

Why is my map command returning an error when there are no results from the main search?

This question by packland shows that the map command is returning an error when there are no results from the main search and it tries to execute without tokens. Then it throws the error “Did not find value for required attribute ‘siteID’”. elliotproebstel explains how you can add a simple fix to the problem, adding the fillnull command to the search. He also gives helpful advice about the map command since it is making the search inefficient, giving a step-by-step breakdown showing how to expand the search. “I had no idea you could expand searches like that. That is incredibly useful!” - packland.

How can I get the drilldown query working for the SUCCESS piece?

dbcase explains that the drilldown in his dashboard is failing when the user selects SUCCESS because the severity field contains debug or warning. niketnilay is a SplunkTrust member and a great asset for the community! He helps dbcase solve the issue by providing the eval command to set the token for drilldown in the first panel and the corresponding search using the token in the second panel. He further explains that applying a filter to the base search is inexpensive as you won’t be running the same transaction twice in the same dashboard.

Here is some more information about Drilldown on event details from Splunk documentation.

How to get the top 10 values using timechart?

dbcase wanted to get the top ten values produced from the eval command in a search using timechart. mayurr98 came to the rescue with the syntax “where max in top10” in the search which produced the expected results. He also includes a link to the Splunk documentation on “timechart where clause” examples for reference. Several of our most active community members learned something new and were impressed by this easy and useful tip.

Thanks for reading! To see more featured Splunk Answers posts, check out previous Smart AnSwerS blogs in the series.

You can learn more about Splunk and socialize with other users in the community by contributing to the Splunk Answers forum, joining discussions in our Slack community chat, attending a Splunk user group meeting, or reading through our Community manual.

Anam Siddique

Posted by


Show All Tags
Show Less Tags