Smart AnSwerS #88 | Splunk

Hello, community, and welcome to the 88th installment of Smart AnSwerS.

Congrats to the winners of the Where Will Your Karma Take You contest so far. We recently announced the winner for the month of April, elliotproebstel! This is a very well-deserved win for him since he has been consistently active with enabling our community of users to get value out of their data for the past year. Answers by him and many of our other top contributors are what we draw on for the content we feature on our @splunkanswers Twitter feed. There is a plethora of great solutions posted there throughout the week to expand your knowledge on a variety of topics and use cases. Follow us to get your Splunk clue on :)

Here are this week's featured Splunk Answers posts:

How can I calculate column differences when column names are unknown?

c_wsleem had a JSON data source and was using a search that produced two records with different timestamps in separate columns. The user wanted to create a third column containing the difference between the two values in each row, but didn't know how to edit the current search to get the expected result. There were no set names for the columns containing timestamps, so c_wsleem was unsure what field names to use for the calculation. One of our awesome SplunkTrust members, somesoni2, came to the rescue with a solution that uses eval to calculate the difference without needing specific field names. elliotproebstel, one of our other very active contributors and moderators on Splunk Answers, acknowledged somesoni2's unique approach by commenting, "Hey, that's clever!" This is definitely a trick worth checking out.

Read the post on how to calculate the difference between values in different columns when column names are unknown.

How to create a case statement with NOT LIKE option?

zacksoft had a search to display students with grades ‘A’, ‘B’, and ‘C’ in a pie chart, but needed to update the eval statement to display students with failing grades as well. niketnilay, one of our top contributors and a SplunkTrust member, gave a perfect solution to zacksoft’s problem. He mentioned that along with the “case condition,” you can use “true()” or “1==1” to get the unmatched events, which were the failing grades. niketnilay provided the updated search syntax, and zacksoft replied, “Absolutely brilliant. Thank you very much. The solution you provided does exactly what I wanted.”

Read the post on how to create a case statement with NOT LIKE option.

How can I show/hide panels dynamically with tokens?

surekhasplunk asked how to show or hide the panels on a dashboard dynamically with a checkbox, radio button, or multiselect form. One of our users, thiagodede, answered the question by providing code for all three options to choose from. He explained that using the “change” setting lets you control which panels are shown, but this is a problem for checkbox and multiselect forms because the order in which the user selects the options changes the value of the token. Going with radio buttons is easier, but all options would need to be written out. It’s good to be educated on the pros and cons of various form options to find which best suits your needs.

Read the post on how to show panels dynamically with tokens.

Thanks for reading! To see more featured Splunk Answers posts, check out previous Smart AnSwerS blogs in the series.

You can learn more about Splunk and socialize with other users in the community by contributing to the Splunk Answers forum, joining discussions in our Slack community chat, attending a Splunk user group meeting, or reading through our Community manual.

Posted by Anam Siddique

