Smart AnSwerS #15

Hey Splunk community and welcome to the 15th installment of Smart AnSwerS.

Splunk HQ never misses a chance to get down and festive when the opportunity strikes, and St. Patrick’s Day was no exception. Facilities equipped the office with some awesome green hats, noisemakers, beads, and even kicked off the middle of the afternoon with some Irish music! Although, I’m pretty sure the music genre changed later in the day when I could feel some heavy bass shaking my desk up a bit. That’s when you know the work day is over. 😛 – Check out this week’s featured Splunk Answers posts:

How does Splunk handle transactions that span search time boundaries?

If you’re running a transaction search within a specified time range, what happens to events within a transaction that started before or ended after the specified window? This question posted by cantgetnosleep opens the door to this head scratcher, but was well received by a tag team answer. MuS provided a clear understanding on how the transaction command operates, unfortunately bearing the news that the command will not be aware of events before and after the selected time range. martin_mueller steps in and explains how to build a scheduled search as a possible way to work around this issue to capture accurate results on transaction data.
http://answers.splunk.com/answers/151899/how-does-splunk-handle-transactions-that-span-search-time-boundaries.html

How to search concurrent logins from geographically distinct locations during the same time period?

dpoloche was interested in searching concurrent logins occurring in different locations within a window of time to determine whether certain users’ credentials were compromised. bridgeythegeek shared a previous Answers post that highlighted a blog written by sedward5 who tackled this exact issue with a different approach. It was an eye-opening read and just what dpoloche needed. http://answers.splunk.com/answers/219607/how-to-search-concurrent-logins-from-geographicall.html

Is there any online regex tool to create regular expressions for given sample data?

This question isn’t necessarily Splunk specific, but very relevant considering that a high percentage of posts are regex related. Whether it’s for field-extractions, filtering, routing, assigning sourcetypes, or correlating searches, users sign in to Answers every single day asking for help with writing or correcting regular expressions for various use cases. This post has a great list of resources for the community to learn and tackle the cumbersome beast known as regex. Thanks to splunker12er for asking the question and big thank you to tom_frotscher, somesoni2, RiccardoV, lmyrefelt, dimoobraznii, and mikaelbje for contributing answers and comments. If you have any favorites that you don’t already see here, feel free to contribute!
http://answers.splunk.com/answers/153171/is-there-any-online-regex-tool-to-create-regular-e.html

Thanks for reading!

 

Missed out on the first fourteen Smart AnSwerS blog posts? Check em out here!
http://blogs.splunk.com/author/ppablo

This is, by far, my favourite blog series! Looking forward to #16, Patrick!

March 20, 2015