Smart AnSwerS #21

Hey there Community and welcome to the 21st installment of Smart AnSwerS.

I just got an email this week about a Cinco de Mayo party at the office, which would have been my first at the company. Sadly, with today as my last day as a contractor at Splunk, I’ll be missing out :( I’ll be entering funemployment…to start as a full-timer mid-May! *confetti* Smart AnSwerS will be on hiatus, so until I return, keep on keepin’ on, awesome Splunk Community!

Check out this week’s featured Splunk Answers posts:

How to use eval if there is no result from the base search and without the use of any subsearch?

MuS lives up to his reputation once again, finding common issues on Splunk Answers, posting a question to explain the problem, and answering it himself to share with the community. Gosh, why must he be so helpful and informative?! Because he’s awesome of course ;D Dive into this great read as he dissects a search using eval to handle zero events returned while avoiding subsearch like the plague.

How to implement Splunk SSO with Google Authentication Proxy when the username is not an email address?

eshedra successfully integrated Splunk SSO with Google Authentication Proxy, but came across a roadblock because the username had to be an email address. Lo and behold, dwaddle had dealt with this situation before and shared his configuration to pass only the username from the proxy to Splunk without “”.

How to number each line in a multiline event?

There have been a handful of questions asking how to number each row in a table, but landen99 presented a scenario that required a different approach. Instead of numbering each row of a table, he needed to number each line in a multiline event. Gilberto Castillo shows how to tackle this making use of the search commands accum, reverse, and eval, explaining what each does to manipulate and format the data.

Thanks for reading and see you in 2-3 weeks!

Missed out on the first twenty Smart AnSwerS blog posts? Check ‘em out here!