Smart AnSwerS #66

Hey there community and welcome to the 66th installment of Smart AnSwerS.

Splunk HQ now has an open room with giant Lego-like blocks for Splunkers to take a creative escape from the daily grind. Some folks have already constructed some pretty epic stuff. In the first week, someone built a “conference room” with a fully functional table and bench seating that could be used for gaming, eating lunch, and quick meetings…possibly. When I checked out the space again last week, there was a 30+ foot long bridge and some sort of igloo maze fort. Who knows what architectural feats people will come up with next!

Check out this week’s featured Splunk Answers posts:

Splunk Add-on for Blue Coat ProxySG: Why am I getting error “Page not found!” trying to launch the app?

gdavid was trying to figure out why he was getting this error when trying to display the UI for the Splunk Add-on for Blue Coat ProxySG. Senior technical writer rpille pointed out that this is an add-on, not an app: its purpose is to help parse and index the data, so it has no UI or setup configuration screens. She did link to documentation on the prebuilt panels that ship with some add-ons, which can be added to your own existing dashboards.

Why is Splunk not parsing JSON data correctly with my current sourcetype configuration?

rusty009 wanted to index JSON objects in Splunk and configured a sourcetype for this, but the indexed data was not parsed as expected. After taking a look at rusty009’s configuration, Yorokobi identified a couple of issues and recommended several best practices on sourcetype naming, stanza syntax, and which props.conf settings belong on the universal forwarder, the search head, and the indexers.
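To make the “which settings go where” part concrete, here is an added props.conf layout for a one-object-per-line JSON source. It is an example written for this post, not the configuration Yorokobi or rusty009 posted; the sourcetype name `acme:app:json`, the timestamp field `ts` and its format are assumed.

```ini
# Added example, not the configuration from the thread. Sourcetype name
# "acme:app:json" and timestamp field "ts" are assumed; the input is one
# JSON object per line. Deploy the stanza marked for each tier on that tier.

# --- Universal forwarder (the UF does the structured parsing here) ---
[acme:app:json]
# Use a sourcetype stanza, not [source::...], and a vendor:product:format
# style name instead of something generic like "json".
INDEXED_EXTRACTIONS = json
# One object per line, so do not merge lines or let Splunk guess breaks.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Take _time from the event's own timestamp field, not the ingest clock.
TIMESTAMP_FIELDS = ts
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
# Default TRUNCATE is 10000 bytes; longer JSON events would be cut silently.
TRUNCATE = 100000

# --- Indexers ---
[acme:app:json]
# Events from the UF arrive already parsed, so the stanza mainly needs to
# exist so the sourcetype is known. Keep the same parsing settings here for
# any copy of this data that is read directly on the indexer (a local
# monitor input), which would otherwise be parsed with the defaults.
INDEXED_EXTRACTIONS = json
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIMESTAMP_FIELDS = ts
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
TRUNCATE = 100000

# --- Search head ---
[acme:app:json]
# Fields were already extracted at index time; turn off search-time JSON
# extraction or every field shows up with duplicated values.
KV_MODE = none
```

The check after deploying: run `index=... sourcetype=acme:app:json | head 1 | fieldsummary` and confirm each JSON key appears once with a single value. Doubled values mean search-time extraction is still on; no fields at all means the UF stanza never reached the forwarder (restart it, and verify with `splunk btool props list acme:app:json --debug` on the UF).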

Why is date_hour inconsistent with %H?

yuanliu read in the documentation that the date_* fields are extracted from an event’s timestamp, but found that the automatically extracted date_hour field was inconsistent with the %H value produced by the strftime function in an eval. sideview and lguinn teamed up to explain the instances where these inconsistencies can occur and promoted the best practice of not relying on date_* fields for accuracy in time-based reporting. Instead, they recommend computing the time fields you need from _time with strftime.
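As an added example (not a search from the thread), this SPL measures how far date_hour drifts from the strftime value in your own data and, as a side effect, shows the field you should be grouping by instead. The index name `index=web` is assumed.

```spl
index=web earliest=-7d@d latest=@d
| eval hour=strftime(_time, "%H")
| stats count AS events,
        count(eval(isnull(date_hour))) AS no_date_hour,
        count(eval(isnotnull(date_hour) AND tonumber(date_hour)!=tonumber(hour))) AS mismatched
        BY hour
| sort hour
```

Two details to note. `%H` yields zero-padded text (“09”) while date_hour is an unpadded string (“9”), so the comparison goes through `tonumber()` on both sides; comparing them as strings would flag every morning hour as a mismatch. Second, the two cases I would check first when the counters are non-zero: a `mismatched` count usually means the raw timestamp is written in a different timezone than the one your Splunk user is set to, because the date_* fields carry the literal values from the event text and are not timezone-adjusted, whereas strftime(_time, ...) renders _time in the user’s timezone; a `no_date_hour` count means those events had _time assigned (from the ingest clock or file modification time) rather than extracted from the text, so no date_* fields were created at all. For the real report, drop the comparison and keep `BY hour`, or use `timechart span=1h`, both of which work off _time.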

Thanks for reading!

Missed out on the first sixty-five Smart AnSwerS blog posts? Check ‘em out here!

Posted by Patrick Pablo

Born and raised in Los Angeles, Patrick made his way up north for college and fell in love with the Bay Area, making it his second home. After working 5 years for a non-profit as a college & career counselor in San Francisco public high schools, he stumbled across a new career opportunity himself! Patrick found a new way to apply his community organizing background in a way he didn’t know was possible at Splunk.
