Smart AnSwerS #82

Hey there community and welcome to the 82nd installment of Smart AnSwerS.

Have you ever wondered what makes the Splunk community so special, and why many people from various backgrounds are so engaged in all things Splunk? Well, look no further! alacercogitatus, aka Kyle Smith of the SplunkTrust, posted this awesome heartfelt blog post from his experiences engaging with users in the community on and offline, emphasizing how the culture plays an essential role in the success of users stepping into the world of Splunk. You’re not simply learning how to use the products – you’re entering a community of users that are incredibly supportive, passionate, and willing to share their knowledge to help you meet the goals you hope to achieve adopting Splunk. Enjoy the read, and we hope to see more of you around. We’re an open and friendly bunch :)

Check out this week’s featured Splunk Answers posts:

Are there any Splunk training materials for new users?

SplunkTrust member skoelpin needed to create training sessions for new Splunk users in his organization, and rather than reinventing the wheel entirely, he reached out to the rest of the Splunk community on Answers for any existing resources available. The community answered strong with a collection of videos, blogs, and a variety of other helpful avenues for learning. Big thanks for contributions to the question from woodcock, somesoni2, cbreshears, and Melstrathdee. If you have other ideas you don’t see listed yet, feel free to add to the thread!

How to use LINE_BREAKER from one source with multiple sourcetypes?

sassens1 had logs coming from a single source for FireEye and Palo Alto sourcetypes, and wanted to use LINE_BREAKER and SHOULD_LINEMERGE in props.conf to properly parse both data formats. lquinn commented that LINE_BREAKER is applied before any sourcetype-rewriting transforms run, and SplunkTrustee acharlieh seconded this note in his answer with a link explaining how the indexing pipeline works. He suggested two options to get the expected outcome: sending the two logs to different TCP ports so that each gets its sourcetype assigned at input time, or following syslog best practices by writing the data to files and having a universal forwarder monitor them and assign sourcetypes based on host.
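As an added illustration (not configuration from the Answers thread), here is what the first option looks like in inputs.conf and props.conf; the port numbers, sourcetype names and the multi-line LINE_BREAKER pattern are assumptions for illustration, not the vendors' real formats:

```ini
# Added example, not from the Answers thread. Ports, sourcetype names and the
# multi-line LINE_BREAKER pattern are assumptions.
#
# Why a single port does not work: if both feeds arrive on one tcp input with
# one sourcetype, line breaking runs in the parsing phase under that sourcetype.
# A TRANSFORMS-based sourcetype override happens later, in the typing phase, so
# LINE_BREAKER stanzas for the overridden sourcetypes never take effect.
#
# Fix: give each feed its own input, so the sourcetype is known before parsing.

# --- inputs.conf (on the indexer or heavy forwarder receiving the syslog) ---
[tcp://10514]
sourcetype = fireeye_syslog
connection_host = ip

[tcp://10515]
sourcetype = pan_syslog
connection_host = ip

# --- props.conf (each sourcetype now gets its own line-breaking rules) ---
[fireeye_syslog]
# assumed: one event per line, so break on every newline
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRUNCATE = 10000

[pan_syslog]
# assumed: multi-line events; only break where the next line starts with a
# syslog-style timestamp such as "Mar  7 13:45:01"
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})
TRUNCATE = 10000
```

Setting SHOULD_LINEMERGE = false and doing all the work in LINE_BREAKER keeps event boundaries decided in one place, which is both faster and easier to verify than relying on the line-merging stage.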

How can I see the search peer that a forwarder is connected to when using indexer discovery?

Lucas K wanted to know how to find out which indexer in a cluster a forwarder is currently sending data to when using indexer discovery. After Lucas K provided additional _internal logs for debugging, and garethatiag left a helpful comment pointing out a connection issue with the forwarder, mmodestino shared follow-up troubleshooting steps that set the thread in the right direction. Lucas K realized the forwarder was not communicating with the cluster master because of an incorrectly set password. After getting that fixed, he was able to list forwarders and view “Connected to idx=…” messages in splunkd.log.

Thanks for reading!

Missed out on the first eighty-one Smart AnSwerS blog posts? Check ‘em out here!
