Smart AnSwerS #38

It’s almost time for .conf2015, Splunk’s worldwide user conference in Las Vegas in t-minus 4 days! Unless, of course, you’re going to Splunk University to level up your Splunk skills, then the action starts for you in less than 48 hours :) This will be my very first year attending, so it’ll be great to finally put faces to usernames I see on Splunk Answers all the time. If you happen to be around the Answers booth, gamer lounge, or other community spaces where I’ll be hanging out with support folks, don’t be a stranger!

How can I assign the day of the week to my events?

Support team folks matt and Flynt share a nifty trick with the Splunk community: how to assign the day of the week to events so you can show users what happens on a particular day of the week, say Monday. Flynt writes up a nice search using stats and the power of eval to manipulate and create fields to make this possible, and explains how to adapt it to your needs.

Why am I unable to accelerate this report?

IRHM73 had created an accelerated report before, but was stuck figuring out why he was unable to accelerate the current search he was working on. Luckily, a second pair of eyes came along to pinpoint the issue: lguinn found that the search used the sort command, which is neither transforming, distributable, nor streaming. She edited the search to use the stats command to get the same sorting functionality, and shared a link to the docs as a reference for which search commands qualify for report acceleration.

How can I split an event into two or more events according to two multivalue fields?

caili presented sample raw data to show a relationship between two multivalue fields, and needed help splitting two sample events based on each value of the fields, one event per value. acharlieh graced the question with his Splunk search fu in a well-crafted answer. Learn how to use multivalue eval functions to split, zip, and expand values to create separate events from your multivalue fields.
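As an added illustration of the split, zip, and expand pattern described above (this is not acharlieh's answer or caili's data; the host, user and src_ip fields and their values are constructed with makeresults so the search runs without an index):

```spl
| makeresults
| eval host="web01", user="alice,bob,carol", src_ip="10.0.0.1,10.0.0.2,10.0.0.3"
| eval user=split(user, ","), src_ip=split(src_ip, ",")
| eval pair=mvzip(user, src_ip, "|")
| mvexpand pair
| eval user=mvindex(split(pair, "|"), 0), src_ip=mvindex(split(pair, "|"), 1)
| fields - pair
```

The two split() calls turn the comma-separated strings into multivalue fields, mvzip() pairs them positionally into a single multivalue field, mvexpand emits one event per pair, and the final eval unpacks each pair back into single-valued user and src_ip fields, giving three events for host web01. Note that mvexpand is bounded by max_mem_usage_mb in limits.conf, so very large multivalue fields can be truncated with a warning.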

