Smart AnSwerS #72

Hey there community and welcome to the 72nd installment of Smart AnSwerS.

The “Where Will Your Karma Take You” contest has been underway for two weeks now on Splunk Answers, and there is just a little over 2 weeks left to go! From July 15 to August 15, the top 3 users that earn the most karma points within this period will each earn a free pass to .conf2016. Best of luck to everyone and finish off strong!

Also, next Wednesday, August 3rd @ 6:30PM, the San Francisco Bay Area user group will be meeting at Splunk HQ. If you happen to be in the area, come join us! Visit the SFBA user group page to see what’s in store for the agenda and RSVP.

Check out this week’s featured Splunk Answers posts:

Are data model summaries linked to the original events? Can tstats access them?

gabriel_vasseur couldn’t access original events from accelerated data models, and even running a tstats search in verbose mode only returned limited results. He found that data model summaries were stored in the same place as indexes, and wanted to know why tsidx files weren’t just pointing to the original events in the index. SplunkTrust member dshpritz gives a clear answer defining accelerated data models, what they contain, and what exactly happens when drilling down from accelerated data to actual events. He also includes helpful links to supporting documentation for additional reading.

How do you manage the content for users’ Splunk apps in a Search Head Cluster?

twinspop was previously running search head pooling, but recently moved over to a new install of a search head cluster and didn’t understand how to manage knowledge objects of users’ apps. SplunkTrustee somesoni2 explains that user created objects need to be stored locally on search heads, and default configurations need to be pushed from the SHC deployer. In addition to these best practices, he shares the folder paths for migration in case other users in the community need guidance on moving from search head pooling to a search head clustering environment.

How to filter out weekdays or weekends in one search while using timewrap?

penguin1725 was trying to use the timewrap command to compare current data to the last 7 days, but needed to figure out how to compare a weekday to only weekdays, and a weekend day to only Saturday and Sunday. somesoni2 strikes again with a search using eval to define both weekdays and weekend days to use as a filter in one search.
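One way to build that kind of filter, as an added SPL example that is not somesoni2's answer from the thread and assumes a hypothetical `index=web` source: the day-of-week check runs after `timechart` so that filtered-out days are dropped outright rather than zero-filled, and only then does `timewrap` overlay each remaining day on the same axis.

```spl
index=web sourcetype=access_combined earliest=-8d@d latest=now
| timechart span=1h count
| eval dow=tonumber(strftime(_time, "%u"))
| eval daytype=if(dow>=6, "weekend", "weekday")
| eval nowtype=if(tonumber(strftime(now(), "%u"))>=6, "weekend", "weekday")
| where daytype=nowtype
| fields - dow daytype nowtype
| timewrap 1d
```

`strftime(_time, "%u")` returns the ISO weekday (Monday=1 through Sunday=7), so `dow>=6` marks Saturday and Sunday. `nowtype` classifies the day the search is run, and the `where` keeps only buckets of the same class, so a search run on a Tuesday compares against prior weekdays only, and one run on a Sunday compares against prior weekend days only, with no change to the search text.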

Thanks for reading!

Missed out on the first seventy-one Smart AnSwerS blog posts? Check ‘em out here!

Posted by Patrick Pablo

Born and raised in Los Angeles, Patrick made his way up north for college and fell in love with the Bay Area, making it his second home. After working 5 years for a non-profit as a college & career counselor in San Francisco public high schools, he stumbled across a new career opportunity himself! Patrick found a new way to apply his community organizing background in a way he didn’t know was possible at Splunk.
