Smart AnSwerS #22

Hey there community and welcome back to Smart AnSwerS, the 22nd installment of its kind.

I just got back to the office from a two-week vacation to find my desk surrounded by a jungle of plants, my chair wedged horizontally on the side of my desk, an inflatable giraffe with a St. Patrick’s Day hat, and a cardboard cutout of a snooty waiter. Somehow, I wasn’t surprised with the number of pranksters surrounding me, so it was expected haha. I also came back to 800+ posts that have gone live on Answers since my departure! I’m glad the community is as lively as ever, though it will take me some time to sift through all that content, so bear with me :)

Check out this week’s featured Splunk Answers posts:

Is there any disadvantage to keeping certain events in separate indexes?

nk-1 wanted to move from keeping all data in the main index to separating certain types of data into different indexes. Usually people will recommend doing this separation to help filter through data and run more efficient searches, but nk-1 wanted to know if there was a downside. dwaddle confirms why it’s preferred to keep events in separate indexes, but also cautions that, as with many things, more isn’t necessarily better and explains why. It comes down to finding the right balance of indexes based on your data.

Why is a token to filter a saved search not working in a report?

vtsguerrero was trying to filter data with radio button and text input forms on a dashboard, but the token from the radio button based on a saved search was not producing results for the text input search. Working with tokens and getting them to work is tricky business, and this is seen on Answers very often. vtsguerrero found that using tokens with double quotes was the culprit, but dolivasoh and dfoster_splunk also share some helpful tips and tricks when dealing with tokens and proper syntax.

When is Cheryl’s Bday?…According to Splunk

Many of you may have come across this math problem that went viral just a little over a month ago, which involved finding out the birthday of a hypothetical girl named Cheryl. The answer required the process of elimination with each clue given in the scenario, and aalanisr26 decided to break this solution down using Splunk search language and shared it with the community :)

Thanks for reading and have a great rest of the week!

Missed out on the first twenty-one Smart AnSwerS blog posts? Check ‘em out here!

Patrick Pablo
