Smart AnSwerS #30

Hey there community and welcome to the 30th installment of Smart AnSwerS.

Splunk HQ’s kitchens underwent a total makeover last week, and this beast of an automated hot drink machine appeared on the 1st floor. Splunkers have been frequenting the new big shiny toy, taking all the mugs, bringing them back to their respective floors, and leaving us first floor dwellers with nothing *cries*. Fortunately, this new installation has brought comic relief. Some new signage was placed on the machine saying “‘OK Coffee,’ I am voice activated, please try me.” The machine is not voice activated, serving some occasional amusement 😉

Check out this week’s featured Splunk Answers posts:

Real Time Search Performance Considerations: Are there any scenarios where real-time searches would be acceptable?

shailesh030 wanted to know if there were any cases where real-time searches would be recommended in a production environment. Many users never consider this question, assume real-time searches are the only way to go, and then run into performance issues. The response to this and similar questions is almost always the same, but rarely as thorough and detailed as lguinn’s answer. Come see how she describes the performance implications of the different search options and the factors to consider for each, so you can gauge what will be optimal for your own environment.

How to edit the email address for all scheduled searches and reports in a single app without editing each one by one?

marees123 had an app with more than 170 scheduled searches and reports, but needed to figure out how, in the most convenient way possible, to add email addresses to all of them so that search results would be delivered to certain recipients. LukeMurphey shows a way to do this by creating a macro that wraps the sendemail command and can be appended to every search. Although this does require modifying every search once, which marees123 wanted to avoid, putting the macro in place now makes future changes to the recipient list a one-stop shop. Luke explains that since macro references are expanded before the search executes, editing the macro once changes every search that uses it.
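The pattern described above, written out as an added example rather than the configuration from Luke’s answer or from marees123’s app: a macros.conf stanza that takes the report name as an argument and calls sendemail, plus one savedsearches.conf stanza that references it. The macro name, the recipient addresses, the index and field names, and the schedule are all assumptions for illustration.

```ini
# macros.conf (in the app's local/ directory)
# One macro holds the recipient list. Every scheduled search ends with a
# reference to it, so changing the "to" list here changes all of them.
# "(1)" declares one argument; it is referenced in the definition as $report_name$.
[notify_report_owners(1)]
args = report_name
definition = sendemail to="soc-reports@example.com,itops@example.com" subject="Splunk report: $report_name$" sendresults=true inline=true format=csv

# savedsearches.conf (same app)
# Assumed example search; the macro is the last command in the pipeline because
# sendemail acts on the final result set. Arguments containing spaces are quoted.
[Failed logins by source - daily]
search = index=auth action=failure earliest=-24h@h latest=@h | stats count by src | sort -count | `notify_report_owners("Failed logins by source - daily")`
cron_schedule = 0 6 * * *
enabled = 1
enableSched = 1
```

Because the macro is expanded into the search string before execution, the 170 searches only need the one-time edit of appending the backtick reference; after that, adding or removing a recipient is a single change to macros.conf, and running `| `notify_report_owners("test")`` interactively against a small result set is a quick way to confirm the definition parses before the schedules fire.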

How to convert indexed IP data from hex to decimal format in Splunk?

splunknewby already had indexed IP data in hex format, but needed to convert it to decimal format. MuS uses his Splunk fu search skill level 5000 to construct a search using rex to extract the value and eval to work conversion magic. This answer passed with flying colors, but splunknewby had a follow up question and wanted to know how to make sure future searches already have the IP addresses in the new decimal format. Other than the obvious approach of changing the source output to be in decimal format, MuS also suggests using field extraction combined with a lookup table to translate extracted fields into the desired numbers.
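The rex-plus-eval conversion described above, as an added example that is not the search from MuS’s answer. It assumes the indexed value is a plain 8-hex-digit IPv4 address with an optional 0x prefix (for example C0A80101 or 0xC0A80101); if your data is formatted differently, adjust the regular expression. The sample values are constructed inline so the search runs without any indexed data.

```spl
| makeresults
| eval hex_ip="C0A80101 0A0000FE 0xFFFFFFFF"
| makemv delim=" " hex_ip
| mvexpand hex_ip
``` rex pulls each octet out as a two-character hex string; tonumber(x, 16)
    converts each one to decimal and the "." operator joins them back into
    dotted-quad notation. Events that do not match the pattern keep an empty ip_decimal. ```
| rex field=hex_ip "^(?:0x)?(?<o1>[0-9A-Fa-f]{2})(?<o2>[0-9A-Fa-f]{2})(?<o3>[0-9A-Fa-f]{2})(?<o4>[0-9A-Fa-f]{2})$"
| eval ip_decimal = tonumber(o1,16) . "." . tonumber(o2,16) . "." . tonumber(o3,16) . "." . tonumber(o4,16)
| table hex_ip ip_decimal
```

With the constructed input this returns 192.168.1.1, 10.0.0.254 and 255.255.255.255. To have future searches see the decimal form without repeating the pipeline, the same regular expression can live in props.conf as an EXTRACT- stanza and the eval as an EVAL- calculated field on the sourcetype, or you can use the field extraction plus lookup approach MuS suggests.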

Thanks for reading!

Missed out on the first twenty-nine Smart AnSwerS blog posts? Check ‘em out here!

Congratulations on the 30th installment of Smart AnSwerS. That’s good.

July 24, 2015