Smart AnSwerS #40

Hey there community and welcome to the 40th installment of Smart AnSwerS.

The San Francisco Bay Area Splunk User Group met up last week at Splunk HQ, and we had some great topics covered. With the latest release of Splunk 6.3 during .conf2015, jcoates presented an on-the-fly overview of new and improved features, spuchbauer gave an awesome demo of new custom alert actions and other dashboard improvements, and lstewart gathered feedback on syntax for search documentation to create better consistency with content. frobinson & smoir tag teamed to provide live updates on happenings during the presentations on the SFBA UG Slack chat channel, in case folks who couldn’t make it out wanted to stay in the loop. We had customers and partners visiting from all geographic regions, so if you happen to be in the area for the first Wednesday of the month, you’re always welcome. Hopefully we’ll get to see YOU at a future meeting :)

Check out this week’s featured Splunk Answers posts:

Is there a limit / best practice to how many data inputs Splunk can monitor?

jwquah wanted to know if there were recommended guidelines on the optimal number of data inputs a single Splunk instance could monitor without seeing degradation in indexing performance. lguinn gives recommendations based on her own experience, as well as other considerations such as the retention policy of logs, to ensure Splunk is only monitoring live log files. khourihan_splunk also adds the tip to check ulimits on *nix indexers to determine the maximum number of files that can be monitored.
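As an added illustration of those two tips (this is not code from the post or from the Answers thread), the POSIX shell snippet below counts the files under a monitored directory, separates live ones from stale ones that a retention policy should have rotated away, and compares the total against the process open-file limit; the 80% warning threshold, the age cutoff and the directory paths are assumptions.

```shell
# Added example, not from the original post: how many files would a monitor
# input have to hold open, and how close is that to the nofile ulimit?
# Run it as the user the Splunk process runs as, since ulimit is per user/shell.

# live_and_stale DIR AGE_DAYS -> prints "<live> <stale>" for regular files
# under DIR; "stale" means not modified in the last AGE_DAYS days (assumed cutoff)
live_and_stale() {
    dir=$1; age=$2
    total=$(find "$dir" -type f | wc -l | tr -d ' ')
    stale=$(find "$dir" -type f -mtime +"$age" | wc -l | tr -d ' ')
    echo "$((total - stale)) $stale"
}

# fd_check DIR AGE_DAYS [LIMIT] -> prints a one-line report; returns 0 when the
# total file count is under 80% of the open-file limit, 1 when it is not.
# LIMIT defaults to this shell's soft open-file limit (ulimit -n).
fd_check() {
    dir=$1; age=$2; limit=${3:-$(ulimit -n)}
    set -- $(live_and_stale "$dir" "$age")
    live=$1; stale=$2; total=$((live + stale))
    if [ "$limit" = "unlimited" ]; then
        echo "files=$total live=$live stale=$stale limit=unlimited"
        return 0
    fi
    pct=$((total * 100 / limit))    # integer percent of the limit in use
    echo "files=$total live=$live stale=$stale limit=$limit used=${pct}%"
    [ "$pct" -lt 80 ]
}
```

A high stale count with a low live count points at retention (rotate or delete old files) rather than at raising the ulimit.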

What are my options in Splunk for monitoring NetOps, IP traffic flows, and port congestion?

mdonnelly_splunk received this question from a customer who wanted to find solutions for analyzing traffic flows between several network devices, and decided to share it with the community on Splunk Answers in case other users would find it helpful. He covers several apps and add-ons from Splunkbase that could help, but particularly recommends using Netflow Integrator with the Netflow Analytics for Splunk App, and explains how it works to capture and analyze flow data.

What is the best way to combine a License Master, Distributed Management Console, Deployment Server, and a SHC Deployer on 2 dedicated Splunk servers?

mfrost8 was planning on redoing his existing Splunk infrastructure to use two dedicated servers to run various deployment management roles: License Master, Distributed Management Console, Deployment Server, and SHC Deployer. However, he wasn’t sure what the best practice would be for dividing these functions between the two servers. Trustworthy supportability engineer hexx provided his two cents (or maybe two dollars; his opinions are incredibly valuable), recommending one instance per server, with one running the cluster master, deployer, and DMC, and the other solely dedicated to the deployment server.

Thanks for reading!

Missed out on the first thirty-nine Smart AnSwerS blog posts? Check ‘em out here!
