Smart AnSwerS #65

Hey there community and welcome to the 65th installment of Smart AnSwerS.

We have a couple back-to-back community events happening right after the upcoming long Memorial Day weekend! The next SplunkTrust Virtual .conf Session is scheduled for Tuesday, May 31st at 12:00PM PDT. SplunkTrust member rich7177 will be teaching nOObs the basics of navigating Splunk Web and, time permitting, how to build reports, visualizations, and dashboards. For those of you in the San Francisco Bay Area next week, the SFBA User Group will be on Wednesday, June 1st @ 6:00PM PDT at Splunk HQ in our brand new building next door! Come join us in the shiny new space as Sr. Engineering Manager mszebenyi, original author of the Splunk App for Minecraft, will discuss Splunking game data, and Staff Engineer rsennett will be talking about various experiences doing cool things with Splunk.

Check out this week’s featured Splunk Answers posts:

Is there a way to dynamically assign chart labels using a search?

mszebenyi had a search to pull values from the data to use as labels, but needed a solution to dynamically assign these to charts on a dashboard. somesoni2 provides a run-anywhere sample of Simple XML code for a dashboard, demonstrating how to set tokens in the search element to dynamically rename columns.

Why does Splunk continuously attempt to find a user in LDAP after the user has been removed from Active Directory?

Before a user was removed from Active Directory, RJ_Grayson changed all of the user’s public objects in all Splunk apps’ local.meta files and disabled all privately owned searches and objects. However, Splunk kept attempting to find the user in LDAP and was reporting “Could not find user…” errors. Jeremiah shared a clear and concise process he uses to clear up these LDAP errors in his environment. He suggests replacing the username for ownership on all shared knowledge objects with the new owner’s username in metadata files, backing up the user’s home directory by moving it out of the $SPLUNK_HOME/etc/users directory, and restarting Splunk.

Tour Creation App for Splunk: How to search which users already completed the tours?

fabiocaldas needed to search which users completed tours created using the Tour Creation App for Splunk. MuS explains how a ui-tour.conf file will be created for a user with the option viewed=1 once a tour is finished. He then shows how to search this .conf file using the rest command in Splunk Web to get a table of the app name, tour name, and the users that have completed it.

Thanks for reading!

Missed out on the first sixty-four Smart AnSwerS blog posts? Check ‘em out here!

Posted by Patrick Pablo

Born and raised in Los Angeles, Patrick made his way up north for college and fell in love with the Bay Area, making it his second home. After working 5 years for a non-profit as a college & career counselor in San Francisco public high schools, he stumbled across a new career opportunity himself! Patrick found a new way to apply his community organizing background in a way he didn’t know was possible at Splunk.
