Smart AnSwerS #17

Hey Splunk community and welcome to the 17th installment of Smart AnSwerS!

Since our Splunk FY’16 Sales Kickoff fell on Presidents’ Day and was a mandatory work event, the holiday was moved to another date that, of course, I didn’t think to keep track of. Good thing I found out accidentally through conversation with another Splunker earlier this week before it was too late! Let it be known that tomorrow, April 3rd, 2015 is officially “Spring Day” for Splunk in America. I would have made my commute to a dark and lonely office, and it wouldn’t have been the first time. Hah!

Check out this week’s featured Splunk Answers posts:

Why is my sourcetype configuration for JSON events with INDEXED_EXTRACTIONS making each extracted field multivalue with duplicate values?

asieira brought up a question that has come up a handful of times on Answers, and it’s great to see how the collaborative conversation unfolded with dsdb_splunkadmin, who was also struggling with the same issue. The problem was how INDEXED_EXTRACTIONS, KV_MODE, and AUTO_KV_JSON were configured. In both users’ cases, index-time and search-time JSON extractions were enabled at the same time, so every field was extracted twice, which resulted in the unexpected behavior. If you’re seeing duplicate values for the same field returned from JSON data in search results, then you may be barking up the right tree with this post:
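Here is an added example (my own code, not from the Answers thread or from Splunk) that lints props.conf stanzas for exactly this misconfiguration: a sourcetype with INDEXED_EXTRACTIONS = json whose search-time JSON extraction is still on, and the corrected stanza with KV_MODE = none and AUTO_KV_JSON = false. The sample props.conf text and the stanza names are constructed; the check assumes the documented defaults of KV_MODE = auto and AUTO_KV_JSON = true when a key is absent.

```python
"""Lint Splunk props.conf stanzas for JSON double extraction.

Added example, not from the Answers thread. Flags sourcetypes that enable
INDEXED_EXTRACTIONS = json while search-time JSON extraction is also active,
and renders the corrected stanza.
"""
import configparser
from typing import Dict, List

# Constructed sample props.conf (stanza names are made up):
# the first stanza has the conflict, the second is already fixed,
# the third does no index-time extraction at all.
SAMPLE_PROPS_CONF = """
[json_app_logs]
INDEXED_EXTRACTIONS = json
KV_MODE = json
AUTO_KV_JSON = true

[json_app_logs_fixed]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false

[plain_syslog]
KV_MODE = auto
"""


def parse_props(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk-style .conf text into {stanza: {key: value}}.

    Splunk keys are case-sensitive, so optionxform is overridden to keep
    them as written; interpolation is off because values may contain '%'.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep INDEXED_EXTRACTIONS etc. unchanged
    parser.read_string(conf_text)
    return {name: dict(parser[name]) for name in parser.sections()}


def search_time_json_enabled(stanza: Dict[str, str]) -> bool:
    """True if the stanza extracts JSON fields at search time.

    Assumption: an absent KV_MODE means the default "auto", and an absent
    AUTO_KV_JSON means the default "true", so a bare stanza counts as enabled.
    """
    kv_mode = stanza.get("KV_MODE", "auto").strip().lower()
    auto_kv_json = stanza.get("AUTO_KV_JSON", "true").strip().lower()
    if kv_mode == "json":
        return True
    if kv_mode == "auto":
        return auto_kv_json != "false"
    return False


def find_double_extraction(props: Dict[str, Dict[str, str]]) -> List[str]:
    """Stanza names that extract JSON at index time AND search time."""
    return [
        name for name, stanza in props.items()
        if stanza.get("INDEXED_EXTRACTIONS", "").strip().lower() == "json"
        and search_time_json_enabled(stanza)
    ]


def fix_stanza(stanza: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with search-time JSON extraction switched off."""
    fixed = dict(stanza)
    fixed["KV_MODE"] = "none"
    fixed["AUTO_KV_JSON"] = "false"
    return fixed


def render_stanza(name: str, stanza: Dict[str, str]) -> str:
    """Render a stanza back into props.conf syntax."""
    lines = [f"[{name}]"] + [f"{key} = {value}" for key, value in stanza.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    props = parse_props(SAMPLE_PROPS_CONF)
    for name in find_double_extraction(props):
        print(f"{name}: index-time and search-time JSON extraction both enabled")
        print(render_stanza(name, fix_stanza(props[name])))
    # On a live instance, confirm the merged stanza and which file sets each
    # key with:  splunk btool props list json_app_logs --debug
```

Run it against a copy of your own props.conf (read the file into parse_props) rather than the constructed sample; the btool command in the final comment shows the merged, precedence-resolved view that the file on disk alone does not.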

Taking over temporarily as a Splunk admin at work, how do I figure out how our 2 Splunk servers are configured in our environment?

Sometimes customers get “lucky” and are suddenly honored with the task of taking over as the Splunk admin at their company. It can be a daunting responsibility, and you may not know where to begin. euphvx wanted to start by figuring out how things were set up in the environment, particularly how 2 servers were configured. The ever-so-knowledgeable ekost offers some great advice using btool and a step-by-step guide to determine the forwarding and receiving configs on the Splunk instances.

How to calculate the ratio of fieldA, and if the ratio is greater than 5%, list the top 3 fieldBs associated with fieldA?

jgcsco constructed a search to find the count percentage of the value “Status1” in the field “Status”, but also needed to return the top 3 values of the field “State” associated with Status1 if that percentage was over 5%. The problem was figuring out how to combine all of these requirements into one search. sideview answered the question thoroughly, as always, with a search and an explanation of how fillnull, stats, and eventstats process the data to get the desired output.
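To make the data flow concrete, here is an added Python example (my own, not sideview's answer) that performs the same computation over a constructed event set: fill missing fields, work out what share of all events carry Status1, and only if that share exceeds 5% return the top 3 State values among those events. The docstring carries a search of the same shape that I wrote for illustration; the index and sourcetype names in it are placeholders.

```python
"""Added example: the "Status1 ratio, then top 3 State" logic in Python.

This is not sideview's search. A search of the same shape, written here for
illustration with placeholder index/sourcetype names, would be:

    index=myindex sourcetype=mysourcetype
    | fillnull value="unknown" Status State
    | stats count by Status State
    | eventstats sum(count) as total
    | eventstats sum(count) as status_count by Status
    | eval pct=round(100*status_count/total, 2)
    | where Status="Status1" AND pct>5
    | sort - count
    | head 3
    | table Status pct State count
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

Event = Dict[str, Optional[str]]

# Constructed sample events (not from the Answers thread): 25 events in total,
# 10 of them Status1. The repeated dicts are never mutated, so sharing is fine.
SAMPLE_EVENTS: List[Event] = (
    [{"Status": "Status1", "State": "CA"}] * 4
    + [{"Status": "Status1", "State": "NY"}] * 3
    + [{"Status": "Status1", "State": "WA"}] * 2
    + [{"Status": "Status1", "State": None}]      # fillnull turns this into "unknown"
    + [{"Status": "Status2", "State": "CA"}] * 8
    + [{"Status": "Status3", "State": "TX"}] * 5
    + [{"Status": "Status4", "State": "TX"}]      # 1/25 = 4%, below the threshold
    + [{"Status": None, "State": "OR"}]           # missing Status -> "unknown"
)


def fillnull(events: List[Event], fields: List[str], value: str = "unknown") -> List[Dict[str, str]]:
    """Mirror `fillnull value=... <fields>`: replace missing/empty values."""
    return [
        {f: (e.get(f) if e.get(f) not in (None, "") else value) for f in fields}
        for e in events
    ]


def status_ratio(events: List[Dict[str, str]], status: str) -> float:
    """Percentage of all events whose Status equals `status`, rounded to 2 places.

    This is what the two eventstats sums (total and per-Status count) give you.
    """
    total = len(events)
    if total == 0:
        return 0.0
    matching = sum(1 for e in events if e["Status"] == status)
    return round(100.0 * matching / total, 2)


def top_states_if_over(
    events: List[Event],
    status: str = "Status1",
    threshold_pct: float = 5.0,
    top_n: int = 3,
) -> Tuple[float, List[Tuple[str, int]]]:
    """Return (pct, top states) where top states is empty unless pct > threshold.

    The threshold is strict, matching `where pct>5`.
    """
    filled = fillnull(events, ["Status", "State"])
    pct = status_ratio(filled, status)
    if pct <= threshold_pct:
        return pct, []
    state_counts = Counter(e["State"] for e in filled if e["Status"] == status)
    return pct, state_counts.most_common(top_n)


if __name__ == "__main__":
    pct, top = top_states_if_over(SAMPLE_EVENTS)
    print(f"Status1 share: {pct}%")
    for state, count in top:
        print(f"  {state}: {count}")
```

The ordering matters: the percentage is computed against the total of all events before the Status1 filter is applied, which is why the search needs eventstats (which keeps every row) rather than a second stats (which would discard the other statuses and make the ratio 100%).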

Thanks for reading and have a great weekend!

Missed out on the first sixteen Smart AnSwerS blog posts? Check ‘em out here!

Posted by Patrick Pablo