By Splunk May 19, 2016
Hey there community and welcome to the 64th installment of Smart AnSwerS.
One of the Splunk Cloud support engineers left on vacation last week, so in true Splunk fashion, his desk is getting a complete makeover by the time he returns! yannK has been putting on his creative hat this week to transform the desk into a Star Wars TIE Fighter which has been coming together incredibly well. If it were my desk, I’d leave it as a permanent installation because it looks that cool and is still completely functional as a work station…not that I’m jealous or anything ;P
Check out this week’s featured Splunk Answers posts:
How would one correctly configure DATETIME_CONFIG for an app that could be installed in either an indexer cluster or standalone Splunk?
SplunkTrust member acharlieh needed to know how to configure DATETIME_CONFIG in an app relative manner. Users were developing and testing apps on local standalone Splunk instances, but he wanted to make sure these apps could also be deployed across production indexer clusters from a cluster master with the same settings. lguinn provides a clear example of where to store the custom datetime.xml and how to configure props.conf in the same app to deploy consistent settings in both types of environments without making manual changes on each indexer.
https://answers.splunk.com/answers/270337/how-would-one-correctly-configure-datetime-config.html
How to search for fields that cross correlate with a specified field?
zeophlite graphed a field and knew how to add additional fields to manually compare and find similarities in patterns, but wanted to know a way to have Splunk search and return fields that cross correlate based on results. jeffland gives an excellent answer showing various options like using the kmeans command, computing correlations by hand through an example search, and some Splunk out-of-the-box solutions such as the R Project or Machine Learning Toolkit and Showcase apps.
https://answers.splunk.com/answers/374184/how-to-search-for-fields-that-cross-correlate-with.html
Can a search macro have a default value for a parameter?
dsollen was curious to know if it was possible to create a search macro where some of the fields are predefined with a default value that would be used based on the number of arguments provided. SplunkTrustee sideview strikes again with a solution he uses for cases like this: defining two macros. He uses the examples from dsollen’s question to show how the logic between the two definitions would work to use a default value if a user only provides one argument.
https://answers.splunk.com/answers/373040/can-a-search-macro-have-a-default-value-for-a-para.html
Thanks for reading!
Missed out on the first sixty-three Smart AnSwerS blog posts? Check ‘em out here!
http://blogs.splunk.com/author/ppablo
----------------------------------------------------
Thanks!
Patrick Pablo