Smart AnSwerS #3

Hello Splunketeers and welcome to the 3rd installment of Smart AnSwerS!

We’ve been in quite a drought here in California and we’ve all been waiting and hoping for some rain to come on by…aaaand we got it, flooding our HQ basement floor! Good thing that hasn’t dampened our spirits or stopped us from the daily grind 😉 – Check out this week’s featured Splunk Answers posts:

Why searching for a string with comparison operator “!=” returns the same source file name as “=”?

Have you ever asked yourself this question? jBoynton and I certainly have (no shame). This topic has come up several times and has left many scratching their heads... and then scratching some more. The Search Processing Language struggle is real, even with what seems like the simplest of logic! Luckily, you’ve got some awesome search gurus floating around to not only provide solutions, but detailed explanations giving Splunk users more clarity and peace of mind. somesoni2 and kristian.kolb get into the nitty-gritty with great examples to show why you get expected, or in this case, unexpected results. The more you know *insert flying star here*

How to find the average of daily indexed data by host for a given time range and show all hosts on a timechart, not just the top 10?

Splunk user jodros already had a search using timechart to sum the total amount of data indexed by host with a 1 day span, but needed help with two more requirements. By default, timechart only displayed the top 10 hosts and lumped the rest into “OTHER”. They also needed to find the average of the daily sum per host. martin_mueller drops two useful searches: one to find the daily average per host and another showing how to append the daily average to the timechart, in case you all wanted to save these in your pockets for later. As quoted by jodros in the post, “You the man!” Martin.

How can I break a yearly total into months?

This post is similar to the previous question, but needed to manipulate the data in a different way. User pipegrep already had a search to find the indexing volume by host, but wanted to break down the totals by host per month. With the ever so slight tinkering of the search by MuS and pointing to relevant documentation on _internal index retention for this use case, the world made sense again. pipegrep was so grateful that they graced us with thee very first (well the first that piebob and I have ever seen) animated gif on Splunk Answers! *gasp* A whole new ballgame in our book, and yours as well :) Happy animated giffing! (but don’t get crazy)
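The two indexing-volume questions above boil down to a few lines of SPL each; the searches below are an added illustration written for this post, not the ones martin_mueller or MuS gave in the Answers threads. They assume the per-host throughput entries in _internal metrics.log (group=per_host_thruput, where the originating host is in the series field and volume is in kb); the first shows every host instead of the top 10 plus OTHER, the second computes the average daily sum per host, and the third breaks last year's total into months.

```spl
index=_internal source=*metrics.log group=per_host_thruput
| timechart span=1d limit=0 useother=f sum(kb) BY series

index=_internal source=*metrics.log group=per_host_thruput
| bin _time span=1d
| stats sum(kb) AS daily_kb BY _time series
| stats avg(daily_kb) AS avg_daily_kb BY series
| rename series AS host

index=_internal source=*metrics.log group=per_host_thruput earliest=-1y@y latest=@y
| timechart span=1mon limit=0 useother=f sum(kb) BY series
```

limit=0 and useother=f are what stop timechart from collapsing hosts into OTHER, and the results only reach as far back as your _internal index retention allows.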

Thanks for reading folks and good luck with the winter weather wherever you are!


Missed out on the first two Smart AnSwerS blog posts? Check ’em out here!