Smart AnSwerS #23

Hey there community and welcome to the 23rd installment of Smart AnSwerS!

This morning was filled with *drilling noise…more drilling noise…even more drilling noise* as several standing desks were installed for folks all around me. I sit here among towering giants, burning calories faster than me in my sedentary chair. Guess I should go take a walk! (after this post of course)

Check out this week’s featured Splunk Answers posts:

How to retrieve the latest related event from one sourcetype based on a common identifying field from another sourcetype?

arnol229 had two sets of events that shared common ID field values under different field names, and needed a table of the latest event from one sourcetype for each ID found in the other sourcetype. acharlieh graces the post with a search built on arnol229’s sample data and dissects how each key search command operates, line by line. But wait, there’s more! He also includes suggestions for other ways to tackle this scenario, making for a very well-rounded answer that opens doors and ideas for other folks in the community.

How to extract multivalue fields from XML data at search-time?

andra_pietraru provided a sample XML event showing the fields that needed to be extracted, but was only able to capture the first match. Gilberto Castillo points out that a regular expression is not necessary in this case since Splunk already has the capability to automatically extract fields from XML events at search-time with the right configuration. He shows an example of an inputs.conf monitor stanza, how to reference KV_MODE = xml in props.conf, and a screenshot showing the expected search result.

Why are files in a monitored directory being skipped?

demondo configured a directory to be monitored in inputs.conf, but noticed that not all files in the directory were being indexed. tom_frotscher notes that this is a common question posted on Splunk Answers (it’s true) and gives a concise explanation of why this problem happens most of the time. He describes how Splunk uses a hash of the beginning of a file to decide whether that file has already been indexed, and that files sharing a large identical header tend to be the culprit unless the input is configured to account for it.
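To make the skipped-file behaviour concrete, here is an added Python model of that check (illustration only, not the Answers post’s content or Splunk’s code). It assumes the settings involved are inputs.conf’s initCrcLength (default 256 bytes) and crcSalt = <SOURCE>, and the two log files are constructed so that they share a 300-byte banner:

```python
import os
import tempfile
import zlib

DEFAULT_INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength, in bytes

# Constructed sample: both files start with the same 300-byte vendor banner,
# so their first 256 bytes are identical although the events differ.
BANNER = (b"# Exported by ExampleApp 4.2 -- do not edit\n" * 7)[:300]
SAMPLE_FILES = {
    "app-host1.log": BANNER + b"2015-09-01 10:00:01 host1 login ok user=alice\n",
    "app-host2.log": BANNER + b"2015-09-01 10:00:02 host2 login ok user=bob\n",
}

def header_crc(path, init_crc_length=DEFAULT_INIT_CRC_LENGTH, salt_with_source=False):
    """Simplified model (not Splunk's code) of the pre-indexing check: a CRC over
    the first init_crc_length bytes; with crcSalt = <SOURCE> the file's full
    path is mixed in, so identical headers no longer collide."""
    with open(path, "rb") as fh:
        head = fh.read(init_crc_length)
    if salt_with_source:
        head += os.path.abspath(path).encode()
    return zlib.crc32(head) & 0xFFFFFFFF

def skipped_files(paths, **crc_opts):
    """Files whose CRC repeats an earlier one: Splunk would treat them as already indexed."""
    seen, skipped = set(), []
    for p in paths:
        crc = header_crc(p, **crc_opts)
        if crc in seen:
            skipped.append(os.path.basename(p))
        seen.add(crc)
    return skipped

def demo():
    """Write the constructed files and compare three inputs.conf choices."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, body in SAMPLE_FILES.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(body)
            paths.append(p)
        return {
            "default": skipped_files(paths),                                   # ['app-host2.log']
            "initCrcLength=1024": skipped_files(paths, init_crc_length=1024),  # []
            "crcSalt=<SOURCE>": skipped_files(paths, salt_with_source=True),   # []
        }
```

In a real deployment the equivalent fix goes into the [monitor://...] stanza of inputs.conf, either raising initCrcLength past the shared header or setting crcSalt = <SOURCE>.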

Thanks for reading and have a great rest of the week!

Missed out on the first twenty-one Smart AnSwerS blog posts? Check ‘em out here!
