Smart AnSwerS #48

Hey there community and welcome to the 48th installment of Smart AnSwerS.

First off, Happy New Year! I hope everyone had a great past couple of weeks and welcome back to the grind. Splunk HQ was on holiday for most of the last two weeks, though Team Support (and their hearts of gold) were around making sure you were all A-OK just in case. We’re all fully back in action this week, but looking forward to our annual company holiday party this coming Saturday. We have to gradually wean ourselves off the holiday vibe apparently 😛 Good luck with all things Splunk this year and enjoy the first set of Smart AnSwerS for 2016.

Check out this week’s featured Splunk Answers posts:

How to get Splunk sendemail command to send multiple emails based on search results?

flle needed the sendemail command to send multiple emails based on receiver information in a search result. If there were 10 events and each one contained an email address, 10 different recipients needed to receive the information from their respective event. MuS answers away by first referencing the documentation on the sendemail command, which shows how to send emails to multiple recipients. He then uses this in combination with eval in a run-everywhere search example for flle and other users to adapt to their needs.
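As an added illustration (this is not MuS's answer or the sendemail documentation), the following run-everywhere search fans out one email per result by re-running sendemail once per row with the map command. The recipient addresses and the status text are constructed for the example, the field names recipient, status and n are my own, and it assumes Splunk already has a working mail server configured (the server setting in alert_actions.conf or the sendemail server= option).

```spl
| makeresults count=3
| streamstats count AS n
| eval recipient=case(n=1, "alice@example.com", n=2, "bob@example.com", n=3, "carol@example.com")
| eval status="constructed event number ".n
| map maxsearches=10 search="| makeresults | eval status=\"$status$\" | sendemail to=\"$recipient$\" subject=\"Notification $n$\" message=\"$status$\" sendresults=true inline=true"
```

The first four lines stand in for a real search that ends with one row per recipient; map then substitutes each row's $recipient$, $n$ and $status$ into the inner search, so every recipient gets only their own row. Keep maxsearches at or above the number of rows you expect, otherwise map silently stops after that many subsearches, and since each inner search sends mail, test with your own address first.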

What information do we need from respective server and application owners for installing and configuring Splunk forwarders to collect event logs?

kapuralasharad needed all events to be logged and sent to indexers, but wanted to know what questions to ask server and application owners first to gather all necessary information before installing and configuring forwarders. jimodonald and miteshvohra shared some awesome answers from their experience that may be useful for new Splunk admins out there. If you have other thoughts and points to contribute to the thread, especially things you wish you knew yourself before deploying Splunk for the first time, please share!

What is the disadvantage of having a lot of small buckets and rotating them frequently?

ltrand thought having a lot of smaller buckets would mean less searching and better performance, but had seen more guidance recommending a smaller number of larger buckets instead. lguinn brings some insightful advice and examples on how both scenarios would realistically play out with regard to search performance. She explains how Splunk identifies the buckets to examine based on the search time range and then has to open that many sets of tsidx files, and that, overall, the right choice also depends on the search patterns of users in the environment: the most common time ranges used, scheduled versus ad hoc searches, and other factors.

Thanks for reading!

Missed out on the first forty-seven Smart AnSwerS blog posts? Check ‘em out here!
