Smart AnSwerS #39

Hey there community and welcome to the 39th installment of Smart AnSwerS.

Playing catch up with work after .conf2015 last week in Las Vegas has been hard, but well worth it. It was great getting to meet many Splunk users for the first time in person, and I have to say, you’re pretty awesome ;D The folks I had the chance to speak to were excited to see old faces, network with other users passionate about our various products, and learn everything and anything possible. Even just overhearing conversations over meals at the same table or in passing, I could feel good vibes all around as the community of users got value not only from the content of the sessions and everything else offered, but from each other. *big thumbs up*

Check out this week’s featured Splunk Answers posts:

How will the S.o.S – Splunk on Splunk app impact my license usage in a distributed search environment?

shahneel wanted to use the S.o.S – Splunk on Splunk app system health check to monitor the various instances in a distributed search architecture, but was concerned about license usage in collecting this performance data. The app's author, hexx, took on the question himself to confirm that the app ships with only two scripted inputs, which are disabled by default, and that only 50-75MB per instance would be counted against the license if they were enabled. However, there has been a general theme going on with every post about S.o.S on Answers, and that’s the promotion of the shiny Distributed Management Console as of Splunk 6.2. This is a built-in feature that hexx has also been working on to provide better visibility of your deployment than S.o.S without counting against your license.

How to display search DEBUG messages in the Job Inspector UI?

tsunamii wanted to know how to enable the DEBUG messages displayed at the top of the Search Job Inspector. splunkIT shows where to find the settings for this in limits.conf to control both the number of messages and severity level. He shows an example configuration that resulted in DEBUG messages being displayed in the Job Inspector. This can be useful for immediately seeing errors in executing a search once it is completed.

Why does using time range “today” for timechart make it separate into 30 minute intervals?

alanxu noticed that running a timechart search with a time range of one week showed data day by day, but running the same search for “today” separated data points into 30 minute increments, and wanted to understand this behavior. martin_meuller shed some light on how timechart uses predefined steps to split the selected time range up to the default number of buckets. rich7177 joined in and tag teamed with Martin in the comment thread to lay out the various SPL options that make the most sense for different cases.

Thanks for reading!

Missed out on the first thirty-eight Smart AnSwerS blog posts? Check ‘em out here!
