Smart AnSwerS #19

Hey Splunk Community! Welcome to the 19th installment of Smart AnSwerS.

With Splunk HQ just two blocks from the San Francisco Giants stadium, the bustle of game day foot traffic can be pretty disruptive; today some random jerk banged pretty hard on the street-level windows. There has been a home game every day this week, and it's always an interesting commute to and from the office through waves of black and orange and the accompanying traffic car-mageddon. Luckily, facilities keeps us informed and forewarned about game day madness, including things like $50 to $60 flat parking rates *jaw drops ensue*. 'Tis the season!

Check out this week’s featured Splunk Answers posts:

Is there a way to separate the hot and warm bucket path?

PPape wanted to keep hot buckets on a solid-state drive, but didn't find any mention in the Splunk documentation of separating the hot and warm paths. Check out dwaddle's exceptional answer describing how the file system layout, open file descriptors, and hot/warm buckets interact with running searches, which gives the full picture of why this can't be done.

Why does a simple Splunk search such as index=abc take a long time to complete?

sushmitha_mj didn't understand why a simple index=abc search took so long to complete, and assumed that adding more complexity to the search would only make things worse. The moral of the story is that simple does not always equate to optimal performance. Understanding the Splunk search process, knowing the purpose of your search, and knowing which results you actually need to return all factor into better efficiency. sideview, with a little cameo by somesoni2, explains what happens behind the scenes when running different types of searches, offers tips for optimization, and recommends covering the basics. Having a strong foundation in SPL is key to getting full value out of your data.

Why is my simple alert not being triggered with the condition “Number of results > 500 in 4 hours”?

razlani was having trouble figuring out why a simple condition was not being triggered for a real-time alert. somesoni2 points out that a real-time search isn't appropriate for a trigger that relies on historical data, and that a scheduled search is the way to go. This is a very common theme that hopefully more users start putting into practice, because real-time searches are often unnecessary and end up being resource intensive. Showing appreciation for an awesome answer is always highly encouraged behavior on Answers, and razlani's response shows one of the many ways in which our user community might express thanks ;P
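To make the real-time versus scheduled distinction concrete, here is an added example (not from the original post or from the Answers thread) of what the two configurations look like in savedsearches.conf for a "number of results > 500 in 4 hours" alert. The stanza names, the index name abc, the sourcetype and field names in the search, the cron schedule, and the recipient address are all assumptions made for illustration; the only thing taken from the post is the trigger condition itself.

```ini
# Added example, not from the original post: two savedsearches.conf stanzas
# for the trigger "number of results > 500 in 4 hours". Stanza names, the
# index/sourcetype/field names, the cron schedule and the e-mail address are
# assumptions for illustration.

# --- Before: a real-time alert. The search never "completes"; it holds a
# rolling window open and evaluates as events stream in, which is not the
# right tool for a threshold over a historical 4-hour span, and it keeps
# consuming search resources for as long as the alert is enabled.
[failed_logins_rt]
search = index=abc sourcetype=auth action=failure
dispatch.earliest_time = rt-4h
dispatch.latest_time = rt
alert_type = number of events
alert_comparator = greater than
alert_threshold = 500
action.email = 1
action.email.to = soc@example.com

# --- After: a scheduled search. The scheduler runs it once an hour (at :05,
# to leave a little headroom for late-arriving events), it looks back over the
# previous four whole hours, compares the count once, and releases its search
# resources when it finishes.
[failed_logins_scheduled]
search = index=abc sourcetype=auth action=failure
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -4h@h
dispatch.latest_time = @h
alert_type = number of events
alert_comparator = greater than
alert_threshold = 500
# Record each firing in the Triggered Alerts list and, because the hourly
# runs overlap on the same 4-hour window, suppress repeat notifications for
# 4h so one burst does not produce four e-mails.
alert.track = 1
alert.suppress = 1
alert.suppress.period = 4h
action.email = 1
action.email.to = soc@example.com
```

Drop the scheduled stanza into an app's local/savedsearches.conf (or build the equivalent through the Alerts UI) and disable or remove the real-time one. Two caveats worth checking before relying on this: the `-4h@h` / `@h` snapping means each run covers whole hours rather than "the last four hours as of right now", which is usually what you want for a historical threshold but is a deliberate choice; and older Splunk releases express the same trigger with the `counttype`, `relation` and `quantity` keys instead of `alert_type`, `alert_comparator` and `alert_threshold`, so confirm which form the savedsearches.conf spec file for your version documents.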

Thanks for reading!

Missed out on the first eighteen Smart AnSwerS blog posts? Check ‘em out here!