Smart AnSwerS #25

Hey there community, and welcome to the 25th installment of Smart AnSwerS.

Whistling Nerf ammunition has been flying all around me the past couple of days. Surprisingly, I’ve left the battlefield, a.k.a. the office, unscathed. Occasionally, I’ll find a stray bullet in the plant next to me, behind my desk, under the couch, you name it. I noticed folks engaging in this Nerf warfare recently have been scrounging for stray bullets more often than normal. Apparently, hundreds and hundreds of rounds have gone and continue to go missing every week until the numbers have dwindled to just a handful per gun. 200+ rounds have just been ordered to arrive within the next week. It’s about to get real!

Check out this week’s featured Splunk Answers posts:

How to extract age from a birthday field before the year of our Splord 1970?

aljohnson_splunk posted a very interesting question that needed to be put in the spotlight. He wanted to know how to extract age from a birth date before 1970, the beginning of (Epoch) time, without using rex or custom search commands. alacercogitatus heeds this calling, sharing his trials and tribulations in search of the answer simply using eval. He adds that this can be added to props.conf as a calculated field to automate the process. This is a must read and a very entertaining one at that. :)

Migrating separate environments to Search Head Clustering, what are things I should watch out for?

sat94541 had two separate environments: one using a standalone search head and another using search head pooling. She wanted to know the detailed process to migrate both to search head clustering. Cluster master (as I like to call her; pun intended) rbal_splunk works extensively with customers on cluster related cases and shares key highlights from her experience. sk314 comments that users should be aware of how to maintain consistency with configurations across all cluster members. Last but not least, documentation team linchpin Steve G. reminds the community that Splunk documentation is well-equipped with the information covered in the previous answer and references links to key topics.

After migrating CSV lookups to kvstore, why does the lookup command no longer output results in a search?

spyme72 migrated CSV lookups to kvstore, but came across an issue where the lookup command was no longer returning expected results. jacobwilkins was aware of a particular bug with the transforms.conf attribute case_sensitive_match being set to false and noticed spyme72 had fallen victim to this. After this setting was removed, all was well. jacobwilkins also points out the pros and cons between CSV and kvstore lookups for users to understand how each will or will not be ideal in different types of deployments and scaling.

Thanks for reading and have a great rest of the week!

Missed out on the first twenty-four Smart AnSwerS blog posts? Check ‘em out here!