Smart AnSwerS #34

Hey there community and welcome to the 34th installment of Smart AnSwerS.

An exciting announcement just went out earlier this week, and that was the launch of the Community MVP Program, the SplunkTrust. The Splunk community is full of amazing leaders that are passionate about our various products and actively share their knowledge with other users to grow and learn, whether that be through active participation on Splunk Answers, Splunk User Groups, writing blogs, and many more avenues. These helpful leaders are what being a SplunkTrust member is all about. Read through the SplunkTrust blog announcement by Rachel Perkins, the Sr. Director of Community, to learn more about the program, the awesome perks of being a member, and how to apply or nominate a possible candidate. Only a select few will be chosen, so cheers and good luck!

Check out this week’s featured Splunk Answers posts:

Splunk infrastructure: Is it possible to have a staging environment search head that is tied to production indexers to feed staging data for accurate testing?

chawagon03 was planning out the Splunk infrastructure at his company to set up multiple environments (dev, staging, and production), but wanted to know if it was possible to only have a search head in a staging environment and have it connected to production indexers to feed it data for actual testing. rsennett and martin_mueller share their concerns and recommendations from their own experience setting up different types of architecture. They take into consideration what is absolutely necessary and what factors would translate accurately from one environment to another, making for a very insightful read.

Why is the frozenTimePeriodInSecs setting only executed once after restart?

marplatense was testing the frozenTimePeriodInSecs setting in indexes.conf by specifying a low value of 180 seconds. After restarting Splunk, the splunkd.log showed data had been rolled to frozen, but only once. marplatense thought new logs would no longer be searchable after 180 seconds had passed, but this was not the case. acharlieh gives a very nice overview on additional parameters in indexes.conf, how data is written to hot buckets, when buckets roll to another state, and how all of these elements come into play to explain this unexpected behavior.

How to export results from a saved search by name and not by job_id using Splunk’s REST API?

shacham had a saved search running every day and wanted to pull the results via REST API using the name of the saved search, not the job_id as this would change frequently. jacobwilkins explains how to do this by first hitting the history endpoint for the particular saved search by name to get the SID, parse this response, and use the results endpoint for the corresponding SID. shacham confirmed that this process got the job done as expected and shared how to identify the SID and remove the limit on the number of results returned.

Thanks for reading!

Missed out on the first thirty-three Smart AnSwerS blog posts? Check ‘em out here!

Posted by