By Splunk August 11, 2016
Hey there community and welcome to the 74th installment of Smart AnSwerS.
A Splunk Paper Aircraft Association was started up at HQ a couple weeks ago where each participant creates and launches their own paper aircraft every Friday afternoon. Weekly awards are given for longest distance traveled and duration in flight. There’s also a Splunker’s Choice Award for the most unusual, interesting, creative, or fun design. Last Friday, Director of Documentation ChrisG won top prize for his aircraft, winning in both categories of distance and duration. Congrats to the all-star!
Check out this week’s featured Splunk Answers posts:
Large lookup caused the bundle replication to fail. What are my options?
Support engineer rbal shared this Q&A with the Splunk community because it was a common issue seen in cases she had worked on with customers. Several users have asked about this problem on Splunk Answers throughout the years, so rbal posted this almost a year ago for others to easily search a find her troubleshooting guidelines. She has since added updates on caveats with distributed search and search head clustering environments to cover more ground.
https://answers.splunk.com/answers/302532/large-lookup-caused-the-bundle-replication-to-fail.html
How to match an IP address from a lookup table of CIDR ranges?
glenngermiathen was trying to search for events where a destination IP, but not the source IP, is found in a lookup table of CIDR ranges. lguinn from the Splunk Education team points out that the argument for cidrmatch is a string, not a list of subnets. To get something like this to work, she shows how to do this with the lookup command by configuring certain options in transforms.conf and the required format for the lookup file. lguinn created an example search and explains how it works to get the expected filtered results.
https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
Where should I check for python.log error messages about generating pdf of scheduled reports?
Skender27 was getting “An error occurred while generating the PDF” while receiving some scheduled reports, and wanted to know what to look for in python.log to figure out the underlying cause. ronogle had the same problem and found out how to track and pinpoint the issue. He suggested looking in splunkd_access.log for a 400 status code with a corresponding time value, and see if this status code is also found in python.log and pdfgen.log. If all things check, then the splunkdConnectionTimeout in web.conf would need to be increased to a value greater than the time value found in splunkd_access.log to prevent this error from happening again.
https://answers.splunk.com/answers/339920/where-should-i-check-for-pythonlog-error-messages.html
Thanks for reading!
Missed out on the first seventy-three Smart AnSwerS blog posts? Check ‘em out here!
http://blogs.splunk.com/author/ppablo
----------------------------------------------------
Thanks!
Patrick Pablo