Smart AnSwerS #68

Hey there community and welcome to the 68th installment of Smart AnSwerS.

It’s the week of LGBT Pride in San Francisco, so SplunQers and fellow allies came together yesterday afternoon for our second party ever in the new building at HQ. The courtyard was set up with rainbow themed decorations, treats, and libations (of course) to celebrate the many identities that make up the diversity of our company. The turnout was amazing as we filled the courtyard with lively energy and blaring music in true Splunk fashion. Big thanks to the SplunQers, Fun Council, and Facilities for organizing and promoting an open culture.

Check out this week’s featured Splunk Answers posts:

How to speed up LDAP / Active Directory searches, specifically Asset or Identity lookups?

SplunkTrust member rich7177 is always finding nifty solutions to make things more efficient in his environment, and when he finds one that could benefit the greater Splunk community, he generously shares his knowledge. Find out how he improved the speed of an Active Directory search for asset and identity lookups from 400 seconds to 40 seconds.

Why are the counts inconsistent for metadata under Data Summary after using Delete?

jakewalter used the delete command to remove some data from being searchable, but didn’t understand why the metadata under Data Summary in the Search & Reporting app showed a count that sometimes included the deleted events, but other times not. Just over 1.5 years later, somesoni2 highlighted a snippet from documentation that explains this inconsistency, clearing up a common misunderstanding brought up on Answers that more folks should be aware of – an event’s metadata is still searchable until it has gone past its retention period.

Punct… good god ya’ll – what is it good for?

jplumsdaine22 had ANNOTATE_PUNCT disabled in his Splunk deployment for several years to save disk space, but was thinking of turning it on since more resources had become available. He was curious to know the benefits of the punct field, and how to estimate the disk space and performance impact if he re-enabled the setting. jkat54 shared his experience using punct to find anomalies in data, and suggested using a Splunk search to calculate the number of bytes used based on the number of characters the field adds per event.

Thanks for reading!

Missed out on the first sixty-seven Smart AnSwerS blog posts? Check ‘em out here!

Patrick Pablo

Born and raised in Los Angeles, Patrick made his way up north for college and fell in love with the Bay Area, making it his second home. After working 5 years for a non-profit as a college & career counselor in San Francisco public high schools, he stumbled across a new career opportunity himself! Patrick found a new way to apply his community organizing background in a way he didn’t know was possible at Splunk.
