Smart AnSwerS #2
Hey there Splunk community! Welcome to the 2nd installment of Smart AnSwerS!
We’re in the last month of the year and entering prime holiday season, but big data waits for no one ;D — Check out this week’s featured Splunk Answers posts:
Is there a guide or map to understand Splunk’s internal indexes and their log content?
This topic is a great read and points you in the right direction to a better understanding of what Splunk logs about itself. ChrisG references a helpful page from the Splunk Troubleshooting Manual that contains a list of the various internal logs and a description of each one. However, the poster of the question (feickertmd) needed to dig a bit deeper into what fields were contained within these logs. halr9000 shines light on a not-so-obvious but very relevant solution to this inquiry: he points out the sample data models in Splunk 6+ covering Splunk’s internal audit and server logs. Well played Chris and Hal!
What is more efficient for performance: eventtypes, lookups or calculated fields?
hoiby wanted to know what route to take for their search architecture to improve performance and efficiency. Certified Splunk Architect martin_mueller gives a short and sweet explanation of the different approaches presented in the question. What’s especially great is that the poster tested and confirmed the performance points, which made for a thorough and insightful post!
Is it possible to use wildcards in tag definitions?
HeinzWaescher attempted to use a wildcard in a tag definition for a field/value pair, but found that it didn’t work. This brought up the question: is it even possible to use wildcards in tag definitions? alacercogitatus had to bear the unfortunate news that this setup would not work; however, they provided a great workaround using event types to get the desired functionality and outcome.
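To illustrate the shape of that event-type workaround, here is an added configuration example (it is not code from the thread, from alacercogitatus, or from the Splunk docs; the sourcetype, field, event type and tag names are assumed). A tags.conf stanza takes a literal field=value pair or an event type, so the wildcard is moved into the event type's search string, and the tag is then attached to the event type:

```ini
# eventtypes.conf (e.g. in an app's local/ directory) - assumed example names.
# The wildcard lives in the event type's search, which is an ordinary search
# string and therefore accepts field=value* patterns.
[web_error_5xx]
search = sourcetype=access_combined status=5*

# tags.conf - tag the event type rather than a wildcarded field/value pair.
# [eventtype=<name>] is the standard tags.conf stanza form; a stanza such as
# [status=5*] does not match anything because tag stanzas take literal values.
[eventtype=web_error_5xx]
server_error = enabled
```

Once the configuration is reloaded, a search such as `tag=server_error` returns the events matched by the event type, which is the effect the original wildcard tag was meant to achieve.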
Thanks for reading folks and have a great rest of the week!