Smart AnSwerS #18

Hey Splunk community and welcome to the 18th installment of Smart AnSwerS.

Earlier this week, piebob got a shipment with numerous bags of Hershey’s chocolates and candies from one of our amazing customers (thanks alacercogitatus!). It has all been laid out on a table 15 feet behind me, staring into my very soul every day. I look over my shoulder occasionally to see the progress made, semi-hoping it’ll be gone for the greater good of my temptations…but who am I kidding *grabs some chocolate* – Check out this week’s featured Splunk Answers posts:

Is it possible to create a dashboard where you must manually select a panel before a search is run to improve performance?

therockhead was tasked with hacking away at dashboard performance issues, and one of the problems found was some dashboards had over 30 panels that ran searches all at once upon selecting a time range. There are several ways to tackle this, but LukeMurphey actually dealt with a similar situation and took the approach of putting panels in tabs where searches would only run when clicking on the tab to view them. This helped declutter the dashboard and prevented searches from running at the same time. LukeMurphey formally composed his answer as an awesome blog post. Check it out!

Do we have to write a custom transform for our Apache combined access log format for proper field extraction?

aruncse83 shared sample Apache log data whose format did not match the default field extractions Splunk ships in transforms.conf for the Apache Combined log format. dwaddle had to state the reality that the regex-based field extractions shipped with Splunk will not apply to a custom format, but all was not lost, as he had dealt with this situation before. His proposed solution was to leave the standard Combined format intact and append the extra data to the end of each line as key=value pairs. This way, the shipped regex still matches the standard portion of the line, and Splunk's automatic key=value extraction takes care of the rest.
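To make dwaddle's approach concrete, here is an added example (not from the original Answers thread): assume the Apache LogFormat has been extended only at the end, e.g. `LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" vhost=%v rt=%T" combined_kv`, so the line still begins with a standard Combined record. The search below builds one such constructed event with `makeresults` and runs `extract` over it to show that the appended pairs come out as fields; on a real `access_combined` sourcetype the same automatic key=value extraction already happens at search time, so the `extract` step is only there to reproduce it on a synthetic event.

```spl
| makeresults
| eval _raw="192.0.2.10 - frank [10/Oct/2015:13:55:36 -0700] \"GET /apache_pb.gif HTTP/1.0\" 200 2326 \"http://www.example.com/start.html\" \"Mozilla/5.0\" vhost=www.example.com rt=0 upstream=10.0.0.5"
| extract
| table vhost rt upstream
```

One caveat worth checking before adopting this: automatic key=value extraction looks at the whole event, so a request line or Referer that carries a query string (`?id=42`) will also produce fields. Choose appended key names that cannot collide with query-string parameters, and verify on a day of real traffic that the fields you care about are populated only from the appended section.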

How to compare a list of disabled users from Source A to a list of application users from Source B, both with different field names for the user account?

kgreat had data in two sources that each had the same values for user accounts, but the field names were different. The goal was to find out if any disabled user accounts from Source A were also found in Source B. With some back and forth information gathering with martin_mueller, a little magic using eval, a sprinkle of pixie dust of coalesce, and running a distinct count with stats, kgreat got just the search for the job.
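The shape of that search, reconstructed here as an added example rather than kgreat's actual query: the index, sourcetype and field names (`ad_accounts` with `sam_account_name` and a `status` field for Source A, `app_users` with `app_username` for Source B) are assumptions, since the thread's real names are not given above. `coalesce` folds the two differently named account fields into one, and a distinct count of sourcetypes per user reveals which disabled accounts still appear on the application side; lowercasing the account name is an extra normalization step added here so that case differences between the two sources do not hide a match.

```spl
(index=identity sourcetype=ad_accounts status=disabled) OR (index=app sourcetype=app_users)
| eval user=lower(trim(coalesce(sam_account_name, app_username)))
| stats dc(sourcetype) AS source_count values(sourcetype) AS sources BY user
| where source_count=2
| table user sources
```

Because the first clause is restricted to disabled accounts, any `user` with `source_count=2` is a disabled account in Source A that still exists in Source B, which is the list a reviewer wants to act on.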

Thanks for tuning in and have a good one!

Missed out on the first seventeen Smart AnSwerS blog posts? Check ‘em out here!