
Smart AnSwerS #83

Hey there community and welcome to the 83rd installment of Smart AnSwerS.

After a dry spell, Splunk HQ is finally experiencing a good amount of rain in the San Francisco Bay Area. As per usual, people have forgotten how to navigate around the city, both on the roads and sidewalks. On the plus side, we can finally see rain water get collected above the courtyard and flow into a huge basin that distributes the water to surrounding plants. Splunkers have been taking breaks to check out the recycled water system in action as a serene escape, making rainy days at the office something to look forward to.

Check out this week’s featured Splunk Answers posts:

Why is the host name I set in a monitor stanza on a universal forwarder not showing as expected for indexed events?

ejwade had an rsyslog server collecting syslog from various devices, and even though he was assigning a host name to each monitor stanza in inputs.conf, not all of the expected host values showed up in the indexed events. He found that the problem went away when he gave the firewall logs their own sourcetypes, but didn’t understand why this worked. lguinn filled in the gaps by explaining the default behavior of the syslog sourcetype (its shipped props.conf applies the syslog-host transform, which overwrites the input’s host value with the host name parsed from each event’s syslog header, so the inputs.conf setting never reaches the index) and how to override the host value if needed.
https://answers.splunk.com/answers/451421/why-is-the-host-name-i-set-in-a-monitor-stanza-on.html
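To make the two behaviors concrete, here is an added configuration example (not from the Answers thread or from Splunk’s defaults, beyond the one `TRANSFORMS` line they ship). The file path, sourcetype name and host name are assumptions.

```ini
# inputs.conf on the universal forwarder. The monitor stanza's host value
# applies to everything read from this path. Path, sourcetype and host name
# are assumed for the example.
[monitor:///var/log/remote/fw01/*.log]
sourcetype = fw:syslog
host = fw01

# props.conf on the parsing tier (indexer or heavy forwarder, not the UF).
# The shipped system/default/props.conf contains, for the syslog sourcetype:
#     [syslog]
#     TRANSFORMS = syslog-host
# syslog-host writes MetaData:Host from the host name in each line's syslog
# header, which is why host = fw01 above is lost when sourcetype = syslog.
# A custom sourcetype inherits no such transform, so the input's host survives.
[fw:syslog]
SHOULD_LINEMERGE = false
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32

# Alternative: keep sourcetype = syslog but clear the default transform in a
# local props.conf on the parsing tier, so every syslog event keeps the
# host assigned by its input.
[syslog]
TRANSFORMS =
```

Two caveats worth keeping in mind. First, with `syslog-host` in effect the host field is whatever the sender put in the syslog header, so it is only as trustworthy as the device (or rsyslog relay) that wrote the line; the inputs.conf value, or `host_segment` when rsyslog writes one directory per source (`host_segment = 4` for the path above), ties host to where the file was read from instead. Second, a custom sourcetype also drops the default `REPORT-syslog` field extractions, so check that the fields your searches and alerts depend on are still being extracted after the change.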

How to enable and disable scheduled searches using Splunk REST API in PowerShell?

vivekriyer needed to disable and enable scheduled searches, but was limited to PowerShell for the task. SplunkTrust member acharlieh may not be a PowerShell user, but he’s great at doing research and found a page from another resource that had an example POST request against Splunk’s REST API written in PowerShell (how convenient!). With some changes to the arguments, this was just what vivekriyer needed to get the job done.
https://answers.splunk.com/answers/453294/how-to-enable-and-disable-scheduled-searches-using.html
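The script below is an added example of the same idea, not the snippet acharlieh found or anything from the thread: it logs in to splunkd, then POSTs `disabled=1` or `disabled=0` to the saved search’s REST entry. The server URL, app, owner and search name are assumptions; the endpoints (`auth/login` and `servicesNS/{owner}/{app}/saved/searches/{name}`) are Splunk’s documented ones.

```powershell
# Added example: enable or disable a Splunk scheduled search via the REST API.
# Usage: .\Set-SavedSearchState.ps1 -SearchName 'Failed logins' -Action disable
# Server, app, owner and the search name are assumptions for the example.
param(
    [string]$Server = 'https://splunk.example.com:8089',
    [string]$App    = 'search',
    [string]$Owner  = 'nobody',
    [Parameter(Mandatory)][string]$SearchName,
    [Parameter(Mandatory)][ValidateSet('enable', 'disable')][string]$Action
)

# Prompt for credentials instead of embedding them in the script. The account
# needs write access to the saved search, and schedule_search to re-enable it.
$cred = Get-Credential -Message 'Splunk account'

# 1. Exchange the credential for a session key. A hashtable body is sent as
#    application/x-www-form-urlencoded, which is what splunkd expects.
$login = Invoke-RestMethod -Method Post -Uri "$Server/services/auth/login" `
    -Body @{
        username    = $cred.UserName
        password    = $cred.GetNetworkCredential().Password
        output_mode = 'json'
    }
$headers = @{ Authorization = "Splunk $($login.sessionKey)" }

# 2. Saved-search names often contain spaces or slashes; encode them so the
#    name cannot be read as extra path segments.
$encoded = [uri]::EscapeDataString($SearchName)
$uri = "$Server/servicesNS/$Owner/$App/saved/searches/$encoded"

# 3. POST disabled=0|1 to the entry. Only the parameters supplied are changed.
$disabled = if ($Action -eq 'disable') { 1 } else { 0 }
$result = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers `
    -Body @{ disabled = $disabled; output_mode = 'json' }

# 4. Report the state the server returns rather than assuming the POST stuck.
$entry = $result.entry | Select-Object -First 1
'{0}: disabled={1}' -f $entry.name, $entry.content.disabled
```

Port 8089 ships with a self-signed certificate, so `Invoke-RestMethod` will refuse the connection until you either install a certificate your hosts trust or add the issuing CA to the machine store; resist the temptation to disable certificate validation in a script that carries admin credentials. Use the owning user instead of `nobody` for searches that are private to that user, and remember that re-enabling a search resumes its schedule immediately, including any alert actions attached to it.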

SplunkJS/HTML Dashboards + map command + $foo$ substitution

SplunkTrust member alacercogitatus shared this question and answer for the latest 6.5.x release as an update to the same Q&A posted by fellow SplunkTrustee martin_mueller almost 3 years ago. He shows how to set a token to a literal string when the dashboard initializes, so that it survives the dashboard’s own token substitution and is only replaced when the search is executed in a panel.
https://answers.splunk.com/answers/464453/splunkjshtml-dashboards-map-command-foo-substituti.html

Thanks for reading!

Missed out on the first eighty-two Smart AnSwerS blog posts? Check ‘em out here!
http://blogs.splunk.com/author/ppablo

Posted by Patrick Pablo

Born and raised in Los Angeles, Patrick made his way up north for college and fell in love with the Bay Area, making it his second home. After working 5 years for a non-profit as a college & career counselor in San Francisco public high schools, he stumbled across a new career opportunity himself! Patrick found a new way to apply his community organizing background in a way he didn’t know was possible at Splunk.
