Smart AnSwerS #28

Hey there community and welcome to the 28th installment of Smart AnSwerS!

This just in! The .conf 2015 Where Will Your Karma Take You Contest has officially launched this month. If you happen to get the most karma points on Splunk Answers for the month of July or August, you will win a free pass to Splunk .conf 2015 in Las Vegas, September 21 – 24, 2015. You earn karma points by being an actively engaged contributor in the community forum: asking interesting questions, posting well-informed answers, and leaving constructive comments. Doing all of that with a positive, respectful, and playful attitude is a nice bonus and very much appreciated. Be sure to look over the official karma contest rules to learn more.

Once you’re done with that, check out this week’s featured Splunk Answers posts for some inspiration:

Difference between renaming a field within STATS vs using RENAME command

lstewart presented the community with this very interesting question. She wanted to see if there were any performance pitfalls or limitations in later pipes of a search string when renaming a field with “stats” versus using “rename”. alacercogitatus the almighty bestows his knowledge on the matter by showing the difference between using the rename command on an extracted field and a generated field. He demonstrates how certain fields can no longer be referenced in later pipes under certain circumstances.

Is it normal behavior for Splunk to block queues and stop forwarding data when one of two remote ports is closed?

jeromep83 had a heavy forwarder sending data to a remote server through two ports and noticed that closing one of them blocked all queues and stopped forwarding for both. He wasn’t sure if this was expected, but acharlieh comes in to explain how the data pipeline works and confirm that this is indeed normal. He also references some great resources, such as a previous .conf 2014 session “How splunkd works” and a community wiki doc on how indexing works, for others to take a dive into understanding how your data moves from point A to point B.

Is there a way to limit memory usage of the stats command?

marcusnilssonmrgreen wanted to limit the amount of memory used when running a search with the stats command and have it switch to disk at a certain threshold. Sometimes Splunk documentation can be your best friend without you even realizing it. MuS highlights the section on the max_mem_usage_mb attribute from the limits.conf spec file documentation. It covers the possibility of limiting memory usage, but there are a couple of bullet points of caution to consider.

Thanks for reading!

Missed out on the first twenty-seven Smart AnSwerS blog posts? Check ‘em out here!
