Smart AnSwerS #37

Hey there community and welcome to the 37th installment of Smart AnSwerS.

martin_mueller asked me if I ever Splunk the Smart AnSwerS blog posts for a score board, and I knew exactly where this was headed. Both him and acharlieh made a fun afternoon of it, using wget to download the blog posts, and grep to search how many times certain users were featured for their awesome answers. acharlieh got the raw data to use for searching in Splunk to generate a list of how many times each user appeared among all blog posts, and another list showing mentions of users by post. This mini project of theirs is just one of the many reasons why I am always impressed with what these guys are capable of, and it’s no surprise that they are some of the top, and most helpful, contributors among the Splunk community. :)

Check out this week’s featured Splunk Answers posts:

Why is the sourcetype specified in inputs.conf on the universal forwarder not being applied to forwarded data?

lyndac had set up a universal forwarder to monitor a directory, but couldn’t figure out why the sourcetype in inputs.conf was not being applied to events. acharlieh noticed that lyndac had set INDEXED_EXTRACTIONS = csv in props.conf on the indexer and recommended placing that same configuration on the forwarder. He includes useful links for reference on the data pipeline and explains how the universal forwarder takes on more parsing responsibility for events in files with headers. This is important as the field names contained in the header row are needed before fields can be written at index-time on the indexers.

How to tell Splunk which fields are numbers in an uploaded .txt file?

HeinzWaescher created a sourcetype for uploading .txt with headers as field names and values as strings, but needed to figure out how to get Splunk to recognize which fields were numeric. Suggested by tom_frotscher in a comment, and expanded as a comprehensive answer by lguinn, the best workaround for this case was the use of calculated fields. Since Splunk determines if a field is alpha or numeric based on values returned at search-time, defining a calculated field using the eval function tonumber on the target field was the way to go.

If I have servers with a host name format of host_1, host_2, host_3, etc, how can I search a range of hosts by hostname?

idab had 25 servers with the same prefix name of “host_” followed by a number 1-25, and needed a way to search a certain range of hosts by hostname (ex: search host_7 to host_15). richgalloway dishes out a clear cut search using rex to extract the numbers from the hostnames into a new field for later filtering with the where command. One and done.

Thanks for reading!

Missed out on the first thirty-six Smart AnSwerS blog posts? Check ‘em out here!

Patrick Pablo
Posted by

Patrick Pablo

Born and raised in Los Angeles, Patrick made his way up north for college and fell in love with the Bay Area, making it his second home. After working 5 years for a non-profit as a college & career counselor in San Francisco public high schools, he stumbled across a new career opportunity himself! Patrick found a new way to apply his community organizing background in a way he didn’t know was possible at Splunk.

Join the Discussion