Smart AnSwerS #89 | Splunk

Hello, community, and welcome to the 89th installment of Smart AnSwerS.

We had an extended summer break over the 4th of July week here at Splunk. Having those few extra days off was much needed to recharge and dive into the second half of the year in full force, especially with everything ramping up for .conf18 happening October 1-4 in Orlando. The last winner for a free pass to the conference through the "Where Will Your Karma Take You" Contest will be announced in the coming weeks.

Though the 2017-2018 contest season ended July 31st, recognition of awesome contributors in the community doesn’t end there. There are several programs leading up to .conf18 to identify and award users for being positive influences in the world of Splunk. The 2018 Splunk Revolution Awards nomination period was announced earlier this summer and comes to a close on August 10th, and the SplunkTrust application period for the 2018-2019 cohort is open until August 20th. If you work closely with colleagues who inspire you in all things Splunk and that you think fit the bill for any of the seven Revolution Award categories or the SplunkTrust, make sure to get your nominations in before the deadline!

Here are this week's featured Splunk Answers posts:

What are some of the best practices for scheduled searches?

yanlajeunesse is new to Splunk and wanted to know how to schedule a search for the entire year and run it every day, giving users the option to choose between the last 24 hours, last 30 days, last 90 days, or the last year. SplunkTrust member somesoni2 came to the rescue by sharing Splunk documentation on accelerated data models with yanlajeunesse. He explained that accelerated data models would be the ideal approach, as they generate data for a specific period of time. He also shared Splunk documentation on summary indexing and explained how that could work as a second option for generating a daily report. skoelpin, one of our other active contributors in the community, seconded somesoni2’s answer. This was exactly what yanlajeunesse needed.

Read the post to check out the suggested alternatives for scheduled searches.

How to Timechart for only the 10 highest counted values?

dsitek was monitoring access logs for various endpoints and wanted to create a timechart of the max transaction times for the most called endpoints. The search dsitek came up with produced max transaction times for all endpoints, but dsitek needed guidance on how to show only the 10 most common paths. kamlesh_vaghela, a winner of our Splunk Answers karma contest this year, explained that using the “where” clause with the right arguments should solve the problem, and also shared supporting Splunk documentation. SplunkTrust member DalJeanis commented that he also learned something new from the syntax of the search.

Read the post to learn how to timechart the top 10 values.

How do you change the background color for Trellis visualization by label (not by value)?

User jacruzs wanted to know how to change the background color of a single value visualization in each trellis panel depending on its label. niketnilay, a SplunkTrust member and one of our best contributors in the Splunk Answers community, suggested that a CSS override should solve the problem. Using a run-anywhere example with data from Splunk’s _internal index, he gave a detailed explanation of how this can be done, along with the sample Simple XML and CSS code for the dashboard.

Read the post on how to change the background color for trellis visualizations by label.

Thanks for reading! To see more featured Splunk Answers posts, check out previous Smart AnSwerS blogs in the series.

You can learn more about Splunk and socialize with other users in the community by visiting the Splunk Answers forum, joining discussions in our Slack community chat, attending a Splunk user group meeting, or reading through our Community manual.

Anam Siddique