Smart AnSwerS #20

Hey Splunk Community and welcome to the 20th installment of Smart AnSwerS!

Almost every day in the Splunk documentation team Hipchat room, a conversation about cats comes up, which isn’t surprising since a good number of the technical writers are cat owners. Through much discussion of our observations and exchanging of photos of our pets, the moral of the story usually ends up being that cats just want to be lazy, carry out revenge, and still be loved. Truly living the life. Now if only we could get them to help out with the mice problem at the office 😛

Check out this week’s featured Splunk Answers posts:

How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

vsingla1 was aware of restricting a user role to only search certain indexes, but wanted to know how to set up a role to only search data from certain search peers. Just when the hunt for a solution to this question seemed futile, alacercogitatus saves the day. He runs through creating a role in Splunk Web and setting a search filter that restricts searches to specific indexers; that filter is appended to every search run by users with that role.
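As an added illustration (my own searches, not the answer from the thread, which is not reproduced here), assume a role named `peer_restricted` whose search filter is `splunk_server=idx01 OR splunk_server=idx02`; the role name and indexer names are hypothetical. The first search inspects what is actually stored on the role through the REST endpoint, the second, run as a user holding only that role, should return nothing but the allowed peers.

```spl
| rest /services/authorization/roles splunk_server=local
| search title="peer_restricted"
| table title srchFilter srchFilterSelecting srchIndexesAllowed srchIndexesDefault

index=* earliest=-15m
| stats count BY splunk_server
```

Two checks are worth making before relying on this. A search filter is a visibility filter appended to searches, not a hard access boundary like the index restrictions the role also carries, so keep `srchIndexesAllowed` as tight as the peer filter. And by default (`srchFilterSelecting = true`) the filters of inherited roles are joined with OR, so a user who also holds a role with a broader or empty filter can see more than the peer list suggests; the first search above, run for every role the user holds, shows the combined picture.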

How to count the number of values case-insensitive, but show the most popular case version in the results (ex: 2 “Apple” + 1 “apple” = 3 “Apple”)?

eugenek had field values in his data that were the same, except for variations in the first letter being upper or lower case. He wanted to count the number of field values ignoring case, but needed the most common variation of the value returned with the total count in search results. This was another walk in the park for somesoni2, who provided a search addressing eugenek’s problem along with a run-anywhere example for other users to test out and see exactly how the search works its magic.
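The following run-anywhere search is an added example of the same idea, written here rather than taken from the thread; the `fruit` values are constructed with `makeresults` so it runs on any instance. It counts per lowercased value, sorts each group so its most frequent spelling comes first, and then rolls the variants up into one row that carries the total and that spelling.

```spl
| makeresults count=1
| eval fruit="Apple,apple,Apple,BANANA,banana,banana,cherry"
| makemv delim="," fruit
| mvexpand fruit
| eval fruit_lc=lower(fruit)
| stats count AS variant_count BY fruit_lc fruit
| sort 0 fruit_lc -variant_count
| stats sum(variant_count) AS count first(fruit) AS fruit BY fruit_lc
| sort 0 -count
| table fruit count
```

Expected rows: `Apple 3`, `banana 3`, `cherry 1`. The `first()` relies on the preceding `sort`, so the two commands must stay adjacent; when two spellings tie, whichever the sort places first wins, which is fine for eugenek’s purpose but worth knowing if the chosen spelling feeds a lookup or an alert condition.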

How do I search for events where a specific field value in a multivalue field is NOT the first value per event?

edrivera3 needed to filter events and return only those where a certain value in a multivalue field was not the first value in the event. lguinn answered the question with a clean and simple search using eval and mvindex. edrivera3 had a follow-up question on how to return the value from the multivalue field that appears just before a specific value. Once again, lguinn pushed out another search throwing mvfind into the mix, showing the power of eval and a few of its many functions at work.
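Here is an added run-anywhere example covering both halves of the thread (my own search, not lguinn’s); the multivalue field `ids` and the target value `beta` are constructed for the demonstration. `mvfind` returns the zero-based index of the first value matching the regex, or null when there is no match, and `mvindex` then fetches the value one position earlier.

```spl
| makeresults count=1
| eval ids="alpha;beta;gamma,beta;alpha;gamma,gamma;delta,beta"
| makemv delim="," ids
| mvexpand ids
| makemv delim=";" ids
| eval pos=mvfind(ids, "^beta$")
| where isnotnull(pos) AND pos > 0
| eval prev=mvindex(ids, pos - 1)
| table ids pos prev
```

Only `alpha;beta;gamma` survives, with `pos=1` and `prev=alpha`: the rows where `beta` is first are dropped by `pos > 0`, and the row without `beta` is dropped by `isnotnull(pos)`. The `pos > 0` guard matters: without it, an event where the value is first would evaluate `mvindex(ids, -1)`, and a negative index counts from the end of the field, so the search would silently report the last value as the “previous” one. Anchoring the regex with `^` and `$` keeps `beta` from matching a longer value such as `beta2`.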

Thanks for reading!

Missed out on the first nineteen Smart AnSwerS blog posts? Check ‘em out here!