Smart AnSwerS #13

Hello Splunk Community, and welcome to the 13th installment of Smart AnSwerS!

Some exciting stuff is under way this year with Splunk User Groups worldwide…but wait, what’s a Splunk User Group? Well I’m glad you asked! It’s a group of folks who use Splunk products and want to connect with other users in their geographic region, whether that means building your network, bouncing around ideas and use cases in discussion, sitting in on interesting talks by subject matter experts, you name it. Learning all there is to know about Splunk might seem daunting, but what better way to learn and grow than from other users with different backgrounds and experience?

So what’s the exciting news? Right now we’re using the public Meetup.com platform to enable user groups, but piebob, the Sr. Director of Community, is currently in the process of getting a Splunk-specific user group site developed to increase opportunities for you to connect with other Splunk users wherever you live, across the globe. I hope you’re all looking forward to the potential of engaging with Splunkers everywhere as much as I am, so keep on the lookout for updates on this project! Until then, check out some awesome content produced by you, the community, in this week’s featured Splunk Answers posts:

How to send an alert email the first time (since the beginning of time) an event with a particular value appears?

BorrajaX had a set of hardware devices in his environment sending data to servers. Since each device is identified by its MAC address, he needed to figure out a search that would alert if data was indexed from a newly installed device. His original approach was to use a real-time search, but dwaddle introduced a different approach using a scheduled search with lookups, which proved to be much more effective and efficient. As jhupka points out in a comment under the question, this post is a prime example of how a question should be asked and answered. BorrajaX described his environment, desired output, the research he had done, and what he had attempted. dwaddle not only answers the question, but walks through the thought process and reasoning behind each step so the community does not miss out on a great learning opportunity. Upvotes for all!
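As an added illustration of the scheduled-search-with-lookup pattern (this is not code from the original post or from dwaddle’s answer), here is the same idea in Python: each run loads the persisted list of known MAC addresses, reports any address that has never been seen, and writes the list back so the next run only fires on genuinely new devices. The sample events and the two-column lookup format are constructed for the example.

```python
import csv
import io
import re

# Constructed sample events (not from the original post): each device
# reports with its MAC address, as in the question described above.
SAMPLE_EVENTS = """\
2015-03-10T08:00:01Z host=srv01 mac=00:1a:2b:3c:4d:5e status=ok
2015-03-10T08:00:05Z host=srv01 mac=00:1a:2b:3c:4d:5f status=ok
2015-03-10T08:01:12Z host=srv02 mac=00:1A:2B:3C:4D:5E status=ok
2015-03-10T08:02:40Z host=srv02 mac=aa:bb:cc:dd:ee:ff status=ok
"""

MAC_RE = re.compile(r"\bmac=([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b")


def load_lookup(text):
    """Parse the persisted 'known devices' lookup (CSV: mac,first_seen)."""
    return {row["mac"]: row["first_seen"]
            for row in csv.DictReader(io.StringIO(text))}


def dump_lookup(known):
    """Serialise the lookup back to CSV so the next scheduled run can read it."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["mac", "first_seen"], lineterminator="\n")
    w.writeheader()
    for mac in sorted(known):
        w.writerow({"mac": mac, "first_seen": known[mac]})
    return buf.getvalue()


def scheduled_run(events, lookup_text):
    """One scheduled-search run: return (new_macs, updated_lookup_text).

    Mirrors the cycle: read lookup -> find unseen MACs -> alert -> write lookup.
    """
    known = load_lookup(lookup_text)
    new = {}
    for line in events.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        mac = m.group(1).lower()  # normalise case so 00:1A:.. == 00:1a:..
        if mac not in known and mac not in new:
            new[mac] = line.split(" ", 1)[0]  # timestamp of first sighting
    known.update(new)  # merge so the same device never alerts twice
    return sorted(new), dump_lookup(known)
```

In Splunk itself the same cycle is a scheduled search that reads the list with inputlookup and writes it back with outputlookup, alerting on any MAC not already present.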

How to compare current data with data from 24 hours ago, calculate the percentage change and alert if the change exceeds a threshold?

abajracharya needed help constructing a search to find the percentage change in data compared to 24 hours ago and trigger an alert if this percentage exceeded a certain threshold. The question and desired outcome were very well focused and received an answer that was equally well composed. lguinn wrote up a search that can prove useful for several use cases and can be edited to fit different users’ needs. She also breaks down how the syntax for time modifiers works to achieve the end goal.

What do I do if rebuilding a bucket fails?

wrangler2x unfortunately had to recover from a power outage which resulted in a corrupt bucket of data. After running ‘splunk rebuild’ to rebuild the bucket, he received the message “Rebuilding bucket failed”. He was at a loss because there were no documented follow-up steps for this worst-case scenario. Through some grit and testing, wrangler2x figured it out and answered his own question to share what worked for him with the Splunk community. What’s great is that another user, cbowles, commented and verified that this solution worked for him too.

Thanks for tuning in and have a great rest of the week!


Missed out on the first twelve Smart AnSwerS blog posts? Check ’em out here!
