Smart AnSwerS #50

Hey there community and welcome to the 50th installment of Smart AnSwerS.

For the past year, Splunk User Groups were organized on meetup.com, but as of the end of 2015, we’ve now moved over to our very own shiny new site! Visit https://usergroups.splunk.com to explore the various groups currently established worldwide and meet fellow users that love all things Splunk in your local region. Log in with your splunk.com credentials, then learn and connect with the best community of folks around :)

Check out this week’s featured Splunk Answers posts:

Should I increase search head specs, add a new search head, or migrate to search head clustering for our growing Splunk environment and user base?

awendler was looking for advice on how to scale a Splunk environment with a growing user base, and eventually adding Splunk Enterprise Security. Rich7177 offers a lot of useful suggestions, emphasizing boosting specs for search heads and indexers before adding more machines, and getting help from Splunk Professional Services to set up ES on a separate dedicated search head. martin_mueller also adds that search performance would get a boost from adding indexers as most searches cause more load on indexers than search heads.

Why am I no longer able to access SSO and Echo debug pages with 403 errors in Splunk 6.3?

mkolkebeck could not access the SSO and Echo debug pages with an out-of-the-box install of Splunk 6.3, getting 403 Forbidden errors and the message “Unauthorized to access this resource.” This wasn’t an issue in previous versions, and mkolkebeck wanted to know what needed to be enabled to view these pages. A lot of other users were experiencing the same problem, but luckily jcrabb responded with just the right answer. He explained what capability needed to be added to the user’s role definition in authorize.conf, what parameter to enable in web.conf, and shared the URL explaining this new access requirement as of Splunk 6.3.

How do I create an alert to trigger when a transaction with 2 events is not complete?

proylea had a real-time alert set up to trigger when a transaction was missing an end event. However, the alert was firing false positives, because the start event would appear about 5 seconds before the end event and the alert evaluated the transaction before the end event had arrived. emiller42 constructed a search that does not use the transaction command at all and explains how each line of the search operates to get an accurate alert trigger. Of course, emiller42 also includes sound advice on being cautious with real-time searches and processing delays.
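As an added illustration of the approach described above (this is not emiller42’s search from the Answers thread), here is a scheduled search that pairs start and end events by a transaction ID with stats instead of transaction, and only flags a start event once it is older than a 5-minute grace window so that events still in flight or delayed in indexing do not raise false positives. The index, sourcetype and the field names `txn_id` and `status` are assumptions for the example.

```spl
index=app sourcetype=orders (status="start" OR status="end") earliest=-20m latest=now
| stats earliest(_time) AS first_seen
        count(eval(status="start")) AS starts
        count(eval(status="end")) AS ends
        BY txn_id
| where starts > 0 AND ends = 0
| where first_seen < relative_time(now(), "-5m")
| eval age_sec = now() - first_seen
| table txn_id first_seen age_sec
```

Run it as a scheduled search every few minutes rather than as a real-time alert; the grace window in the second `where` is what absorbs the start/end timing gap, and the 20-minute lookback just has to be longer than the window plus your expected indexing lag.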

Thanks for reading!

Missed out on the first forty-nine Smart AnSwerS blog posts? Check ‘em out here!

Posted by Patrick Pablo

Born and raised in Los Angeles, Patrick made his way up north for college and fell in love with the Bay Area, making it his second home. After working 5 years for a non-profit as a college & career counselor in San Francisco public high schools, he stumbled across a new career opportunity himself! Patrick found a new way to apply his community organizing background in a way he didn’t know was possible at Splunk.
