By Splunk July 15, 2015
Hey there community, and welcome to the 29th installment of Smart AnSwerS.
SplunkLive! is currently in session in San Francisco, CA where current and potential customers get to hear from Splunkers and other fellow customers on how various Splunk products are used to gain valuable insight from their machine data. It’s a great space to learn what Splunk can bring to your organization through the many use cases that have been applied successfully, and also network with other users to share knowledge and discover new possibilities. If you missed out on attending SplunkLive! today, you can always stay tuned to our Upcoming Splunk events and webinars to see if there are opportunities near you.
Check out this week’s featured Splunk Answers posts:
How can I search a list of users with all the roles and indexes assigned?
cdo needed to return a list of users with all assigned indexes and roles. She already had a search she was working with, but a particular role was missing and couldn’t figure out what changes needed to be made to get an accurate list. Search guru martin_mueller jumped in to help cdo construct just the right search to reach the desired result. After some trial an error and information gathering, martin successfully reached a solution that can prove useful for other users as well.
http://answers.splunk.com/answers/260126/how-can-i-search-a-list-of-users-with-all-the-role.html
A host reported in the metadata doesn’t seem to have sent any event. Why?
henrit used the metadata command to generate a list of hosts for a particular index, and the result included a total_count field which he thought was a host’s number of events for the current day. However, when running a search against a particular host from that list, no data was returned which led him to ask this question. acharlieh highlights the description of the metadata command to show that it gives information about an index as a whole and not for a particular timeframe. He introduces henrit to the metasearch command an alternative option to retrieve metadata from raw for a desired time range.
http://answers.splunk.com/answers/243944/a-host-reported-in-the-metadata-doesnt-seem-to-hav.html
How to group calculated unique values by another field without using a subsearch?
vitorvmiguel needed to count unique values for a field and group these counts by another field without using a subsearch to prevent search performance issues. sideview demonstrates how and why the eventstats command is more ideal than stats for this particular scenario. Improve your search fu and check out how he breaks down each step to give not only the original poster an awesome answer, but an educational opportunity for the rest of the community to learn from.
http://answers.splunk.com/answers/241656/how-to-group-calculated-unique-values-by-another-f.html
Thanks for reading!
Missed out on the first twenty-eight Smart AnSwerS blog posts? Check ‘em out here!
http://blogs.splunk.com/author/ppablo
----------------------------------------------------
Thanks!
Patrick Pablo