Smart AnSwerS #55

Hey there community and welcome to the 55th installment of Smart AnSwerS.

Next Wednesday, March 2nd @ 6:30PM, Splunk HQ will be hosting our monthly SF Bay Area User Group meeting. Since it’s during RSA, the topics covered will be related to *drum roll*…SECURITY! If you happen to be local or are visiting from out of town for the conference, come join fellow users over pizza and beer and listen to a talk from Monzy Merza, Chief Security Evangelist at Splunk. Be sure to visit the user group event page to RSVP and stay updated on the tentative agenda. Hope to see you next Wednesday!

Check out this week’s featured Splunk Answers posts:

How to combine my two searches to get the duration of completed jobs with start/end events and display a list of incomplete jobs?

dpoloche had two searches that individually returned the expected results, but needed to combine them into one, preferably without the transaction command for performance reasons. wpreston admits that transaction is an expensive command, but reminds us how powerful it can be: simply adding the keepevicted=t argument and using the closed_txn field in dpoloche’s existing search gets the job done, because evicted (incomplete) transactions are then kept in the results and flagged with closed_txn=0 instead of being silently dropped. He also suggests using the fields command ahead of transaction to improve performance by limiting field extractions. Runals provided an answer with a working search as well, using stats and eval without transaction, so users can see how both approaches work.
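As an added illustration (these are not the searches from the thread; the index, sourcetype, and the job_id and status field names are assumed), the first search below takes the transaction route with keepevicted=true and closed_txn, and the second produces the same completed/incomplete split with stats and eval:

```spl
index=jobs sourcetype=job_events (status=start OR status=end)
| fields _time job_id status
| transaction job_id startswith="status=start" endswith="status=end" keepevicted=true
| eval state=if(closed_txn=1, "completed", "incomplete")
| table job_id state duration

index=jobs sourcetype=job_events (status=start OR status=end)
| eval start_t=if(status="start", _time, null()), end_t=if(status="end", _time, null())
| stats min(start_t) as start_t, max(end_t) as end_t by job_id
| eval state=if(isnotnull(start_t) AND isnotnull(end_t), "completed", "incomplete")
| eval duration=if(state="completed", end_t - start_t, null())
| table job_id state duration
```

In the transaction version, duration is produced by transaction itself, and a job with a start but no matching end only survives into the results because keepevicted=true is set. In the stats version, a job missing either its start or its end event ends up with a null start_t or end_t, so it is marked incomplete and gets no duration. Either way, filtering on state splits the output into the two lists dpoloche wanted. The fields command up front is the performance tip from the thread: it tells Splunk which fields the rest of the search needs, so it can skip extracting everything else.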

How to search how much bandwidth a forwarder is using?

sbattista09 wanted to show how much bandwidth a forwarder was using, by host, in a timechart, but wasn’t sure where to start with the _internal index. jbsplunk shows how this can be done, pulling an example search from S.o.S – Splunk on Splunk that uses metrics.log to calculate outgoing thruput. sowings added that the same information is also available in the Distributed Management Console.
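As an added example of the kind of metrics.log search involved (not the exact search from the S.o.S app or the thread; the 5-minute span and the MB conversion are my choices), the thruput group in metrics.log reports the kilobytes each forwarder pushed through its indexing pipeline per reporting interval, so summing the kb field per host over time gives the volume sent, and per_second turns it into a rate:

```spl
index=_internal source=*metrics.log* group=thruput name=thruput
| eval MB=kb/1024
| timechart span=5m sum(MB) as MB_sent by host

index=_internal source=*metrics.log* group=thruput name=thruput
| timechart span=5m per_second(kb) as avg_kbps by host
```

This only shows forwarders that send their own _internal data to the indexers, which universal forwarders do by default; if a forwarder is missing from the chart, check its outputs.conf forwardedindex filters before assuming it is idle. The figure is the uncompressed volume leaving the pipeline, so it is the forwarder's view of what it handed to its output, not a byte count taken off the wire.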

Why is my rex statement unable to extract the field?

This question by jsiker is a topic that comes up often, but the answer is usually only useful to the original poster, since everyone’s data is formatted differently. However, the accepted answer by MuS has a comment thread with useful tips on testing regular expressions from him and his fellow SplunkTrust members, somesoni2 and Runals. Learn how you can test your syntax directly from the Splunk CLI, in a search in Splunk Web, or on external sites with tools for leveling up your regex fu.
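As an added example of the Splunk Web approach (not code from the thread; the two sshd log lines and the field names are constructed), makeresults fabricates test events so a regular expression can be iterated on with rex before it is ever pointed at real data or promoted to a props.conf extraction:

```spl
| makeresults
| eval sample=split("Feb 29 12:00:01 fw01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2;Feb 29 12:00:07 fw01 sshd[2240]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2", ";")
| mvexpand sample
| rex field=sample "Accepted (?<method>\w+) for (?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)"
| table sample method user src_ip src_port
```

The second sample line is there on purpose: it does not match, so its method, user, src_ip and src_port stay empty in the table, which is how you spot a pattern that is too narrow (and, after loosening it, one that is too greedy and starts pulling fields out of lines it should ignore). Because rex uses the same PCRE engine as search-time field extractions, a pattern that behaves correctly here can be moved into a props.conf EXTRACT unchanged.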

Thanks for reading!

Missed out on the first fifty-four Smart AnSwerS blog posts? Check ‘em out here!

Posted by Patrick Pablo

Born and raised in Los Angeles, Patrick made his way up north for college and fell in love with the Bay Area, making it his second home. After working 5 years for a non-profit as a college & career counselor in San Francisco public high schools, he stumbled across a new career opportunity himself! Patrick found a new way to apply his community organizing background in a way he didn’t know was possible at Splunk.
