Smart AnSwerS #46

Hey there community and welcome to the 46th installment of Smart AnSwerS.

Last quarter, I started presenting to each cohort of Splunk new-hires every month about all the various Splunk Community programs and spaces to show how our awesome users from around the world connect with one another. One part of the presentation involves bringing up the Splunk User Group Slack channel live on screen for the community to give our brand new Splunkers a warm welcome and hello. This has turned into one of the biggest highlights as customers, partners, and fellow employees alike demonstrate why they are what make the Splunk community so successful, lively, and hilarious…and this includes sharing an old MySpace profile photo of me dug up from my college years ;P Gotta love em!

Check out this week’s featured Splunk Answers posts:

In Search Head Clustering, what splunkd.log entries will show when an instance may have been the captain or member?

Ellen from Splunk Support asked and answered this question to share a useful tip with the greater community. She shows which splunkd.log entries identify the sequence of dynamic captain changes over time across search head cluster instances for debugging purposes. Supportability engineering liaison hexx adds that the Distributed Management Console has Search Head Clustering views that show a history of recent captain elections as well. Choose your flavor!

How to get a complete list with descriptions of correlation searches in the Splunk Enterprise Security app?

mjuhasz needed to present a list of Splunk Enterprise Security correlation searches and their descriptions to some stakeholders, but saw that not all of the searches were listed in documentation. Luckily ES tech writer ekost shares a clean and simple answer using a rest search on the correlation searches endpoint with the commands and fields to list out everything mjuhasz was looking for.

How to edit my search to track transactions that start yesterday that continue up to the time the report starts the next day?

KolGr001 shared a search he was using to track invoice transactions, but needed help figuring out how to tweak it to account for batches of invoices that were started before 12AM and finished processing the following day as they were being considered as failed or stuck. However, he also needed to exclude any transactions that started after 12AM. SplunkTrustee somesoni2 saves the day by making a change to the latest time modifier and suggested adding a condition to the where clause in the search to make sure next day transactions were not included.

Thanks for reading!

Missed out on the first forty-five Smart AnSwerS blog posts? Check ‘em out here!

Posted by Patrick Pablo