Smart AnSwerS #38

Hey there community and welcome to the 38th installment of Smart AnSwerS.

It’s almost time for .conf2015, Splunk’s worldwide user conference in Las Vegas in t-minus 4 days! Unless, of course, you’re going to Splunk University to level up your Splunk skills, then the action starts for you in less than 48 hours :) This will be my very first year attending, so it’ll be great to finally put faces to usernames I see on Splunk Answers all the time. If you happen to be around the Answers booth, gamer lounge, or other community spaces where I’ll be hanging out with support folks, don’t be a stranger!

Check out this week’s featured Splunk Answers posts:

How can I assign the day of the week to my events?

Support team folks matt and Flynt share a nifty trick with the Splunk community: how to assign the day of the week to events to show users whatever happens on a certain day of the week, say, Monday for example. Flynt writes up a nice search using stats and the power of eval to manipulate and create fields to make this possible, as well as how to adapt it according to your needs.

Why I am unable to accelerate this report?

IRHM73 had created an accelerated report before, but was stuck figuring why he was unable to accelerate the current search he was working on. Luckily, a second pair of eyes came along to pinpoint the issue, and lguinn found the sort command was used which is neither transforming, distributable, nor streaming. She edited the search to use the stats command to get the same sorting functionality, and shared a link to the docs as reference for what search commands qualify for report acceleration.

How can I split an event into two or more events according to two multivalue fields?

caili presented sample raw data to show a relationship between two multivalue fields, and needed help splitting two sample events based on each value of the fields, one event per value. acharlieh graced the question with his Splunk search fu in a well-crafted answer. Learn how to use multivalue eval functions to split, zip, and expand values to create separate events with your multivalue fields.

Thanks for reading!

Missed out on the first thirty-seven Smart AnSwerS blog posts? Check ‘em out here!

Patrick Pablo
Posted by

Patrick Pablo

Born and raised in Los Angeles, Patrick made his way up north for college and fell in love with the Bay Area, making it his second home. After working 5 years for a non-profit as a college & career counselor in San Francisco public high schools, he stumbled across a new career opportunity himself! Patrick found a new way to apply his community organizing background in a way he didn’t know was possible at Splunk.

Join the Discussion