Smart AnSwerS #63

Hey there community and welcome to the 63rd installment of Smart AnSwerS.

With Splunk HQ officially more than two times larger, and Splunkers now spread out across more square footage, things have gotten eerily quiet around here as everyone is adjusting to their surroundings, getting to know new neighbors, and figuring out where all the new conference rooms are. Slowly, but surely, we’re getting comfortable in our new home, and once we’re completely settled in, we’ll find ourselves back into the groove of things with a nice balance of work and play :)

Check out this week’s featured Splunk Answers posts:

How to call a Python script from an HTML view?

dsollen had an HTML dashboard and wanted to call a Python script from it, but even though a success message was returned, the script itself never ran. SplunkTrust member alacercogitatus explains why dsollen's approach won't function as expected. Then, with his usual Splunk sorcery, he provides a well-crafted tutorial to make this work, breaking down how to create and enable a custom Splunk REST endpoint that the HTML view can call.

How can I find duplicate scheduled searches running in a search head clustering environment?

sat94541 teams up with her identical twin sister rbal to share some helpful troubleshooting tips if you suspect that scheduled searches are running more than once in your search head clustering environment. rbal shows a search to run from the distributed management console that finds any scheduled searches that executed multiple times. You can then narrow your investigation to the duplicate saved search sids produced in those results to find the culprits.

Why am I getting different count results using “chart count by field” versus “chart count(field) by field”?

Splunk's Search Processing Language (SPL) can be hard to grasp, especially when we expect seemingly similar searches to produce the same results. sistemistiposta didn't understand why he was getting different count results for two searches using the chart command with a slight variation in syntax. SplunkTrustee and search ninja sideview decided to take on this challenge, explaining what "count" and "count(foo)" are actually counting in your data (count tallies every event in each group, while count(foo) tallies only the events in which the field foo is present). This makes for another useful lesson for the community, as the distinction can make all the difference in the accuracy of your reports.

Thanks for reading!

Missed out on the first sixty-two Smart AnSwerS blog posts? Check ‘em out here!
