Smart AnSwerS #49

Hey there community and welcome to the 49th installment of Smart AnSwerS.

This just in! The next SplunkTrust Virtual .conf session is this Friday, January 15th @ 11:00AM PST. Come learn a thing or twenty with SplunkTrust members Duane Waddle and George Starcher as they cover their popular talk “Through the Lookups Glass”. Join the 30+ users on the event meetup page and RSVP to get your Splunk clue on!

Check out this week’s featured Splunk Answers posts:

Is there a way to know which fields were extracted at index-time vs search-time?

pduflot wanted to know if there was a search, or something to look for in the internal logs, that would reveal whether the fields in a set of search results were extracted at index-time or at search-time. Lowell explains that this unfortunately isn’t easy, listing just some of the many sources an individual field can come from. The good news is that it’s not impossible with some patience and a close look at the fields in question. He shows several options, such as using the tstats command (which only sees indexed fields), certain key-value search syntax, and ways to examine the relevant .conf and .tsidx files.

Has anyone created a scheduled search that notifies you if an app/add-on installed on search peers has an updated version on Splunkbase?

banderson7 needed a search to periodically check if any apps or add-ons installed on search peers in a distributed environment had a new version released on Splunkbase. Lo and behold, SplunkTrust member martin_mueller shared a nifty search that can be scheduled on any Splunk instance as often as needed and saved as an alert to be notified of available updates.

Why are events not returned for a search on a search-time extracted field?

rsgage had a search-time field extraction defined in props.conf, but couldn’t understand why a straightforward field=value search wasn’t returning certain events as expected. Take a crash course in segmentation with an awesome answer by jeffland (with some behind-the-scenes help from martin_mueller; he’s everywhere!). jeffland uses simplified examples to break down how Splunk fetches events from disk based on segments, and uses that to show why no events came back even though the field extraction itself was defined correctly.
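To make the segmentation point concrete, here is a small toy model I’ve added for this digest; it is not Splunk’s code and not the search or answer from the thread. It approximates Splunk’s default major/minor breakers from segmenters.conf (the breaker sets, the sample events and the two extraction regexes are all constructed for the example), builds a tiny lexicon the way an indexer would, and then runs a field=value search the way Splunk does for a search-time field: the literal value is used as an indexed-term filter first, and the extraction only runs on the events that survive that filter. When the extracted value is only a substring of a segment (here "123" inside "abc123def"), the term is not in the lexicon and the search returns nothing, while the same extraction applied after a pipe finds the event.

```python
import re

# Constructed approximations of Splunk's default segmenters.conf breaker sets.
# This is a toy model for illustration, not Splunk's implementation.
MAJOR_BREAKERS = " \t\r\n[]<>(){}|!;,'\"&?*"
MINOR_BREAKERS = "/:=@.-$#%\\_"

# Constructed sample events; the event id is the list position.
EVENTS = [
    "2016-01-12 10:00:01 user=alice action=login src=10.0.0.5",
    "2016-01-12 10:00:02 user=bob action=login sessid=abc123def",
]

# Constructed search-time extractions, standing in for EXTRACT-* lines in props.conf.
# 'sid' extracts "123" out of the single segment "abc123def".
EXTRACTIONS = {
    "user": re.compile(r"user=(?P<user>\w+)"),
    "sid": re.compile(r"sessid=abc(?P<sid>\d+)def"),
}

_MAJOR_RE = re.compile("[" + re.escape(MAJOR_BREAKERS) + "]+")
_MINOR_RE = re.compile("[" + re.escape(MINOR_BREAKERS) + "]+")


def segments(raw):
    """Terms the toy indexer writes to the lexicon: each major segment
    plus every minor segment found inside it (lower-cased)."""
    terms = set()
    for major in _MAJOR_RE.split(raw):
        if major:
            terms.add(major.lower())
            terms.update(m.lower() for m in _MINOR_RE.split(major) if m)
    return terms


def build_lexicon(events):
    """Inverted index term -> set of event ids (the tsidx-like structure)."""
    lexicon = {}
    for eid, raw in enumerate(events):
        for term in segments(raw):
            lexicon.setdefault(term, set()).add(eid)
    return lexicon


def extract(field, raw):
    """Apply the search-time extraction for `field` to one raw event."""
    m = EXTRACTIONS[field].search(raw)
    return m.group(field) if m else None


def search(field, value, events, lexicon):
    """field=value in the base search on a search-time field: the literal
    value is looked up in the lexicon first, then extraction runs only on
    the candidate events that lookup returned."""
    candidates = lexicon.get(value.lower(), set())
    return sorted(eid for eid in candidates if extract(field, events[eid]) == value)


def search_after_pipe(field, value, events):
    """... | search field=value: no lexicon filter, every event is read
    from disk and the extraction is applied to each one."""
    return sorted(eid for eid, raw in enumerate(events) if extract(field, raw) == value)


if __name__ == "__main__":
    lex = build_lexicon(EVENTS)
    print("alice" in lex, "abc123def" in lex, "123" in lex)  # True True False
    print(search("user", "alice", EVENTS, lex))               # [0]
    print(search("sid", "123", EVENTS, lex))                  # [] - "123" is never a segment
    print(search_after_pipe("sid", "123", EVENTS))            # [1]
```

The takeaway is the one the answer makes: a search-time extraction can be perfectly correct and still appear to "not work" in the base search, because the value is first treated as an indexed term. If the value never occurs as its own segment in the raw event, move the field=value test after a pipe (at the cost of reading far more events), or change the data or breakers so the value is segmented on its own.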

Thanks for reading!

Missed out on the first forty-eight Smart AnSwerS blog posts? Check ‘em out here!

Posted by Patrick Pablo