Smart AnSwerS #32

Hey there community and welcome to the 32nd installment of Smart AnSwerS.

The SF Bay Area Splunk User Group met up this week at Splunk HQ which opened up a lot of great discussion between fellow Splunkers and customers alike. Octavio Di Sciullo, Principal Supportability Engineer at Splunk, covered a presentation on the Distributed Management Console and also facilitated a discussion between everyone present. It was a great opportunity to pick their brains on how they currently manage and monitor their Splunk deployments, but also hear their woes with current built-in features, including the DMC. The takeaways from the meeting were constructive and helpful in how to improve the long term supportability of the product, making the lives of Splunk admin easier to ensure their environments are up and running with as little hiccups as possible.

If you’re interested in joining a Splunk User Group near you to network with fellow users, or want to start one of your own in your area if it currently doesn’t exist, visit the Splunk User Group Meetup page for more information. We’ll be moving to our own splunk.com user groups site in the fall, but this is where to find most people in the meantime. If you can’t find a group in your area, email community@splunk.com and we’ll help you out!

Check out this week’s featured Splunk Answers posts:

How to split a JSON array into multiple events with separate timestamps?

p_gurav had a sample JSON array from a REST API with values that were being indexed into a single event with only the first timestamp taken as the event time. Gilberto Castillo took the sample data, concocted a props.conf configuration using SEDCMD regular expressions to remove unnecessary characters, and included a screenshot of the expected output, clean and simple.

How to use a dashboard time range picker to reference a time column in a CSV file generated by an inputcsv search?

ishaanshekhar had a CSV file and was using the inputcsv command to pull data from it. Since the file wasn’t indexed, it didn’t have a _time value by default, but ishaanshekhar needed the time range picker to reference a column in the CSV file as _time. martin_mueller replaced a part of the search with a combination of where and if conditions to meet the original requirement, but another issue came to mind with special cases of varying time formats. Martin suggested using eval functions such as case and relative_time to adapt to this.

How to calculate Splunk search concurrency limits for historical, scheduled, and real-time searches based on CPU cores?

rbal has found that many users don’t realize how to optimize concurrent searches relative to resources in their Splunk environments, particularly with CPU cores. Pulling from a combination of her own experience and limits.conf documentation, she decided to share with the community some valuable information on the limitations of various types concurrent searches among different Splunk versions and how to calculate the maximum limits based on CPU with some examples.

Thanks for reading!

Missed out on the first thirty-one Smart AnSwerS blog posts? Check ‘em out here!

Posted by