Smart AnSwerS #5

Hey there Splunk community, welcome to the 5th installment of Smart AnSwerS and the first of 2015!

Just when I thought the first work week of the year was going to slowly ease me back in, Splunk Answers and, well, you all have been busier than ever and have gotten me to hit the ground running. What does that mean? Why, more material for me to work with for this blog series of course 😉 – Check out this week’s featured posts:

Why is syslog right into Splunk so bad/wrong?

I already had this post lined up to be featured and coincidentally, this topic actually came up at last night’s SF Bay Area Splunk User Group Meeting in the discussion on disaster recovery and high availability. How appropriate! dshpritz brought this question (and answer) to the community to explain why you should be wary of sending data to Splunk on a UDP port and dives into more detail on best practices. Also, alacercogitatus graces the post with prose from the land of Splunktonia. A must read.

What are best practices for creating a dashboard of saved searches without hitting the concurrent search quota per user?

This is definitely a topic that concerns many Splunk users. Proper capacity planning in terms of hardware requirements is part of the battle with handling concurrent searches, but how you create dashboards is essential for the next step. bruceclarke was concerned about users hitting concurrent search quotas and wanted to know best practices for preventing different scenarios in their environment. vasanthmss brings up a couple of suggestions, one of which, post-process searches for re-usability, was also covered by nfilippi_splunk at last night's UG meeting. Stars are aligning in the world of Splunk. If you have other recommendations to add to the post, by all means throw in your two cents :)

How to write a search and set up an alert using the metadata command to find hosts that are not reporting in?

Many users on Answers have asked this exact question, or a similar one. hartfoml wanted to find hosts that had not reported in after a certain period of time, but in this particular case using the metadata command, which is great for search performance when gathering information on hosts. somesoni2 helped pull the picture together with a search I think many users out there should save and tweak to your needs.
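To show what such a search looks like as a scheduled alert, here is an added savedsearches.conf stanza; it is an illustration written for this post, not somesoni2's search from the Answers thread, and the index name, the 60-minute threshold and the 15-minute schedule are assumptions you would tune to your environment.

```ini
# Added example, not the Answers thread's own search.
# Assumptions: events live in index=main, a host is "silent" after 60 minutes,
# and the check runs every 15 minutes.
# metadata reads bucket summaries instead of scanning events, which is why it
# is fast. recentTime is the index time of the newest event from each host;
# lastTime is that event's _time and can lag behind if clocks are skewed.
[Hosts not reporting - last 60 minutes]
search = | metadata type=hosts index=main \
| eval minutes_silent = round((now() - recentTime) / 60) \
| where minutes_silent > 60 \
| convert ctime(recentTime) AS last_seen \
| table host last_seen minutes_silent totalCount \
| sort - minutes_silent
enableSched = 1
cron_schedule = */15 * * * *
# Fire whenever the search returns at least one silent host.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
```

One caveat: metadata only knows about hosts that have sent data at some point, so a host that has never reported in will not show up here; catching those requires comparing against an inventory lookup of expected hosts.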

Thanks for reading folks and Happy New Year!


Missed out on the first four Smart AnSwerS blog posts? Check 'em out here!

Posted by Patrick Pablo

Born and raised in Los Angeles, Patrick made his way up north for college and fell in love with the Bay Area, making it his second home. After working 5 years for a non-profit as a college & career counselor in San Francisco public high schools, he stumbled across a new career opportunity himself! Patrick found a new way to apply his community organizing background in a way he didn’t know was possible at Splunk.
