Smart AnSwerS #16

Hey Splunk community and welcome to the 16th installment of Smart AnSwerS.

It seems like there’s a national holiday for almost everything now, and corn dogs fortunately made the cut! National Corn Dog Day was this past Saturday, March 21st, but we celebrated at Splunk HQ last Thursday. Boiling hot oil was at the ready for frying up corn dogs and tater tots all afternoon? I’m sold!

Check out this week’s featured Splunk Answers posts:

How does indexer acknowledgement work with indexer clustering replication to guarantee that no data is lost?

Glenn wanted to fully understand how indexer acknowledgement worked from start to finish in an indexer cluster. He was concerned about possible data loss if the acknowledgement was sent back by the receiving indexer before the data was replicated to other cluster peers. If this indexer crashed, how do you account for data that has been corrupted before successful replication, and the forwarder has already forgotten the event? This process is actually already well documented, and Steve G from our very own Splunk documentation team guided Glenn to the right page covering the topic for peace of mind.

How to get the timestamp of each peak that occurs in a sparkline?

When I first saw this post by ltrand go live on Answers, I thought it was a question that would be of interest to many users and would feature it if it got just the right answer. Luckily, sideview stepped in for the job and unleashed his SPL skills, not only providing the search, but also explaining the purpose of every single search command used and how each operates to tackle this question’s use case. This is definitely a great answer to keep in your back pocket.

How to write a search to return “PASS” if all search results for a field are PASS or PARTIAL_PASS, but return “FAIL” if at least one result is FAIL?

milande only needed one result in the statistics table: PASS or FAIL. The tough part was building a search that would return an accurate result based on several dependent conditions. This called for the stats and eval commands to do the proper analysis. ramdaspr and dwaddle provided spot on searches with different approaches that both answered the question. If you’re looking to improve your search fu, then this will be a good read.

Thanks for tuning in and have a good one!


Missed out on the first fifteen Smart AnSwerS blog posts? Check em out here!

Posted by