Smart AnSwerS #81

Hey there community and welcome to the 81st installment of Smart AnSwerS.

The San Francisco Bay Area user group will be meeting tomorrow, Wednesday, November 2nd @ 6:30PM PDT at Yahoo! HQ. Gregg Daly from the Children’s Discovery Museum of San Jose will be speaking on how the nonprofit has been using the free Splunk Enterprise license donated by Splunk4Good to monitor IT and security operations. Jason Szeto, principal software engineer at Splunk, will be giving a talk and live demo on a new Splunk feature currently under development. If you happen to be in the area, you’re welcome to join us! Please visit the SFBA user group event page for more details and to RSVP.

Check out this week’s featured Splunk Answers posts:

Why is my cluster master reporting “Cannot fix search count as the bucket hasn’t rolled yet”, preventing me from meeting my Search Factor?

LiquidTension’s cluster master was reporting 18 pending fixup tasks that were preventing both search and replication factors from being met, and this was an issue affecting several other users as well. Luckily, cluster master rbal from Splunk support answers the question, explaining why these messages occur in an indexer clustering environment, where to investigate in Splunk Web, and how to resolve the issue right away.
https://answers.splunk.com/answers/217020/why-is-cluster-master-reporting-cannot-fix-search.html

How to monitor changes made to the inputs.conf file?

With inputs.conf getting updated periodically, agoyal needed a way to keep track of any changes made to the file. lukejadamec provides the steps for monitoring changes on an inputs.conf file, noting that there may be several Splunk instances that should be taken into account for complete coverage of all changes in a deployment.
https://answers.splunk.com/answers/448625/how-to-monitor-changes-made-to-the-inputsconf-file.html

How to write a search to only keep a certain type of value for a multivalue field?

dmacgillivray had a table with a multivalue field, and was looking for an SPL solution to filter out any values that did not match a certain format, but still maintain the same number of rows. New SplunkTrust member sundareshr provides two search solutions using eval and regex to get the same expected result.
https://answers.splunk.com/answers/447730/how-to-write-a-search-to-only-keep-a-certain-type.html

Thanks for reading!

Missed out on the first eighty Smart AnSwerS blog posts? Check ‘em out here!
http://blogs.splunk.com/author/ppablo
