Smart AnSwerS #5

Hey there Splunk community, welcome to the 5th installment of Smart AnSwerS and the first of 2015!

Just when I thought the first work week of the year was going to slowly ease me back in, Splunk Answers and, well, you all have been busier than ever and have gotten me to hit the ground running. What does that mean? Why, more material for me to work with for this blog series of course 😉 – Check out this week’s featured posts:

Why is syslog right into Splunk so bad/wrong?

I already had this post lined up to be featured and coincidentally, this topic actually came up at last night’s SF Bay Area Splunk User Group Meeting in the discussion on disaster recovery and high availability. How appropriate! dshpritz brought this question (and answer) to the community to explain why you should be wary of sending data to Splunk on a UDP port and dives into more detail on best practices. Also, alacercogitatus graces the post with prose from the land of Splunktonia. A must read.
http://answers.splunk.com/answers/144357/why-is-syslog-right-into-splunk-so-bad-wrong.html

What are best practices for creating a dashboard of saved searches without hitting the concurrent search quota per user?

This is definitely a topic that concerns many Splunk users. Proper capacity planning in terms of hardware requirements is part of the battle with handling concurrent searches, but how you build your dashboards is the essential next step. bruceclarke was concerned about users hitting concurrent search quotas and wanted to know best practices for avoiding that in several scenarios in their environment. vasanthmss brings up a couple of suggestions, one of which, post-process searches for reusability, was also covered by nfilippi_splunk at last night’s UG meeting. Stars are aligning in the world of Splunk. If you have other recommendations to add to the post, by all means throw in your two cents :)
http://answers.splunk.com/answers/188644/what-are-best-practices-for-creating-a-dashboard-o.html

How to write a search and set up an alert using the metadata command to find hosts that are not reporting in?

Many users on Answers have asked this exact question, or at least a similar one. hartfoml wanted to find hosts that had not reported in after a certain period of time, but in this particular case using the metadata command, which gathers host information very efficiently and is great for search performance. somesoni2 helped pull the picture together with a search I think many users out there should save and tweak to their needs.
http://answers.splunk.com/answers/180536/how-to-write-a-search-and-set-up-an-alert-using-th.html

Thanks for reading folks and Happy New Year!


Missed the first four Smart AnSwerS blog posts? Check ’em out here!
http://blogs.splunk.com/2014/12/30/smart-answers-4
http://blogs.splunk.com/2014/12/18/smart-answers-3
http://blogs.splunk.com/2014/12/03/smart-answers-2
http://blogs.splunk.com/2014/11/24/smart-answers

Actually, on that last one, I’ve JUST created an app that’s got those searches pre-canned, and populates over all time with limited system impact using the tstats command instead.

https://apps.splunk.com/app/1935/

January 8, 2015

Ironic that I also posted this about syslog and Splunk last night.
http://www.georgestarcher.com/splunk-success-with-syslog/

January 12, 2015

@Jade That’s great! tstats for the win!
@Starcher That’s an awesomely comprehensive post on the topic. Thanks for sharing that! It’ll be useful for a lot of folks so feel free to share it as an answer on the Splunk Answers post. I’ll be sure to upgoat it if/when you do and definitely share it on IRC #splunk if you haven’t already done so :)

January 13, 2015