Smart AnSwerS #7

Hello Splunk community and welcome to the 7th installment of Smart AnSwerS!

This past Monday, Martin Luther King Jr Day, was a holiday for the Splunk offices in the US, but I decided to come in anyway to get some work done since Splunk Answers never seems to take a day off 😛 All the lights were off and alas, neither I nor the security guard knew how to turn the lights on. I worked in the dark for a good 2 hours, but just when I was about to give up and save my eyesight, another splunker came by, showed me the light (switches) and saved the day! *confetti drop* Check out this week’s featured Answers posts:

Does Splunk remember the last reading position of a monitor file and how do you find this?

daniel_splunk both posted and answered this question to explain the nitty-gritty of how Splunk monitors a file and how you can investigate it further: how to find out the monitoring status of a file and where that information is stored. He provides a great step-by-step process for you to try out yourself. Give it a whirl!
http://answers.splunk.com/answers/208409/does-splunk-remember-the-last-reading-position-of.html

Are there any search and performance pitfalls with keeping data in hot buckets for 1 month and moving it from hot to cold directly?

KomalSharma had a data retention scenario they were considering, but wanted a temperature check from the Answers community on whether it was ideal and why or why not. somesoni2 warns that there would be a performance impact when searching historical data older than 1 month, and lguinn takes it from there with a very thorough response. She covers in detail the risk of data corruption and the poor search performance that come along with this setup.
http://answers.splunk.com/answers/205125/are-there-any-search-and-performance-pitfalls-with.html

How to create a scheduled search to find if any alerts have been set to disabled?

jamesy281 wanted to track whether any alerts were being set to disabled in their environment by setting up a scheduled search, but didn’t know which endpoint or fields to pull this information from. Luckily, with some useful input from acharlieh on where to look in Splunk’s REST API, jamesy281 was able to follow that direction to find exactly what he needed and write a successful search.
http://answers.splunk.com/answers/206360/how-to-create-a-scheduled-search-to-find-if-any-al.html

Thanks for reading!

Missed the first six Smart AnSwerS blog posts? Check ’em out here!
http://blogs.splunk.com/2015/01/15/smart-answers-6
http://blogs.splunk.com/2015/01/08/smart-answers-5
http://blogs.splunk.com/2014/12/30/smart-answers-4
http://blogs.splunk.com/2014/12/18/smart-answers-3
http://blogs.splunk.com/2014/12/03/smart-answers-2
http://blogs.splunk.com/2014/11/24/smart-answers