Smart AnSwerS #69

Hey there community and welcome to the 69th installment of Smart AnSwerS.

Time has been flying by with Splunkers working incredibly hard and adapting to new changes in our office space. It’s hard to believe that we’re halfway through 2016 already, but that’s what happens when you’re constantly focused and pushing through the daily grind. Luckily, HQ and other Splunkers in the US are getting a nice 5-day summer break starting tomorrow for the 4th of July weekend. This is our chance in the middle of the year to refresh and recharge before finishing off strong with the next couple of quarters ahead. Cheers!

Check out this week’s featured Splunk Answers posts:

How to add upper and lower boundaries to a sparkline?

Dohrendorf_Consist was using a sparkline to display a bar graph based on percentage values, and needed to know how to set fixed upper and lower boundaries in Simple XML to fix an issue with the visualization. A constant value of 100 was not displayed as expected as there were no changes or parameters set to determine the range. After a day’s research, Dohrendorf returned to answer the question with chartRangeMin and chartRangeMax, two undocumented options that rendered the sparklines properly. Senior Technical Writer frobinson caught wind of this Q&A and added the two parameters to the sparkline options in the Simple XML Reference documentation.

When adding an indexer to a distributed environment, is there a configuration that makes indexers exchange events to auto load balance them?

adamguzek wanted to know if indexers could exchange events to balance the load automatically when a new indexer is added to an existing distributed search environment, instead of making configuration changes to all syslog sources and forwarders. SplunkTrust member dwaddle gives a very comprehensive and concise answer, explaining that non-clustered indexers are not aware of one another, and although indexers in a cluster are given knowledge of each other, it is only for replication, not migration. In both cases, changes would still need to be made on forwarders. However, the indexer discovery feature introduced in Splunk 6.3 allows the cluster master to be a single point of communication with forwarders, so they know which indexers to connect to.

Why are search results cut off at 10,000 in Splunk Web and 10,000 or 20,000 results via REST API?

sjodle was getting a limited number of events when searching a large data set in Splunk Web and through the REST API, but didn’t know what was causing this or how to return all results. SplunkTrustee woodcock pinpoints the sort command as the culprit since he has dealt with search command result limits in his past experience.

Thanks for reading!

Missed out on the first sixty-eight Smart AnSwerS blog posts? Check ‘em out here!

Posted by Patrick Pablo

Born and raised in Los Angeles, Patrick made his way up north for college and fell in love with the Bay Area, making it his second home. After working 5 years for a non-profit as a college & career counselor in San Francisco public high schools, he stumbled across a new career opportunity himself! Patrick found a new way to apply his community organizing background in a way he didn’t know was possible at Splunk.
