Smart AnSwerS #91

Hello community and welcome to the 91st installment of Smart AnSwerS.

With October fast approaching, .conf18 is just around the corner! Some new releases and latest features will be covered in the Foundations track to help people get started with their Splunk journey, along with a set of Splunk Ninja sessions to cater to technical audiences around real-world best practices with Splunk. Customers and partners will also be showcasing how they have been using Splunk to transform their organizations and careers. Read more about what to expect from Splunk Foundations, but don’t forget to check out the other tracks that might be up your alley based on your role. If you're already registered for .conf18, be sure to build your agenda using the session scheduler ASAP to secure a spot in the talks you’re interested in!

Here are this week’s featured Splunk Answers posts:

How to show Splunk log ingestion availability by sourcetype in a dashboard?

Kieffer87 was trying to build a dashboard showing Splunk log ingestion availability by sourcetype, but needed help with updating the search he crafted to create a time chart for his requirements. Rather than reinventing the wheel, Splunker mmodestino recommended checking out the existing Meta Woot! App, which uses the power of tstats and summaries to efficiently report on host, sourcetype, and index metadata. He also suggested taking advantage of built-in functionality with the Monitoring Console views on Forwarder Management, as well as putting the summaries through the Splunk Machine Learning Toolkit for comprehensive analysis.

Read the post to learn more about reporting on sourcetypes with the Meta Woot! App.

Timeline - Custom Visualization: How to hide the legend?

Guitaraholis wanted to know how to hide the legend for the timeline custom visualization in a dashboard since it was requiring users to scroll to view the entire panel. They solved their own question using custom CSS styling to hide the legend and limit the width of the panel, but another user, agoyal, stumbled upon the same problem and was interested in seeing the exact syntax to make this possible. Top contributor and SplunkTrust member niketnilay joined the thread to explain that adding IDs to the timeline panel and using CSS style does the trick. He also pointed out that clearing out the browser history helps in case they were observing cached output. agoyal was very thankful for the explanation and replied, “You are always a savior for me. Clearing Chrome's browser history worked…”

Read the post to learn more about how to hide the legend in a timeline custom visualization using CSS.

How can I sort a field alphabetically and then by total?

jwalzerpitt was trying to sort their search first alphabetically and then by total, but one of the fields was not sorting as expected with two attempted searches. SplunkTrust member somesoni2 came to the rescue, explaining that a multivalued field cannot be sorted using the sort command. He provided a search that can sort the field alphabetically, but pointed out that the values will be sorted lexicographically because of variations with upper and lower case values. jwalzerpitt modified the search provided by somesoni2 to fit their solution by making all values lowercase with eval first and thanked him for his help.

Read the post to learn more about sorting a multivalue field.

Thanks for reading! To see more featured Splunk Answers posts, check out previous Smart AnSwerS blogs in the series.

You can learn more about Splunk and socialize with other users in the community by visiting the Splunk Answers forum, joining discussions in our Slack community chat, attending a Splunk user group meeting, or reading through our Community manual.

Posted by Anam Siddique

