Smart AnSwerS #44

Hey there community and welcome to the 44th installment of Smart AnSwerS.

Have you been looking for an opportunity to expand your Splunk search fu? Look no further! As mentioned in a previous Smart AnSwerS post, come join 60+ RSVP’d users (and counting!) this Monday, November 23rd, 2015 @ 11:00AM PST in attending the SplunkTrust Virtual .conf Session #2. The presenter, Kyle Smith, will be covering his popular .conf2014 session “Lesser-known Search Commands”. Be sure to visit the Meetup page to RSVP, find the URL to the WebEx session, and come learn a thing or two with the rest of us next week :)

Check out this week’s featured Splunk Answers posts:

Is there a posted percentage for the number of people that passed or failed each Splunk certification?

cbeard604 had taken classes and tests for Splunk certifications before and was familiar with the rigor of the curriculum, but for certain interested parties, he wanted to know if there was a public percentage for the number of people who have passed each certification. khodges, Global Certification Program Manager for Splunk, laid out a very thorough response to assure that Splunk’s certification program is not just a simple “attend and receive a certificate” type of structure, but that each track requires passing the courses with interactive lab work in addition to passing the tests. She goes into more detail on the requirements for several advanced programs, as well as how to verify certification for a work proposal.

What is the best way to spoof run-anywhere fake data for a question?

SplunkTrust member woodcock helps a lot of users on Answers with their search woes, but this can prove difficult when you don’t actually have fake sample data to work with to figure out the solution. He posed this question to the community to gather methods besides his own. esix recommended using a combination of the _internal index, the Eventgen app, and the add-ons for Windows or *nix to get data to play around with. Two other SplunkTrust members, martin_mueller and acharlieh, joined the fray, showing how to produce dummy data using a variety of search commands with different approaches. Choose your flavor!

Why are the search and query tags in my dashboard XML failing?

IRHM73 shared a part of his dashboard XML to get help figuring out why it was being rejected, particularly a search enclosed within search and query tags which were highlighted in red. This and similar issues have come up before, and the solution by richgalloway has usually been the way to go. He suggested enclosing the actual search string within a CDATA section, <![CDATA[ ]]>, explaining that this tells XML parsers to ignore everything within the brackets. This was exactly what IRHM73 needed, and hopefully this will help other users new to learning the little nuances of XML in Splunk dashboards.
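To see the CDATA fix in action, here is an added example (not code from the Answers thread) that runs a query through Python's standard XML parser three ways: raw, CDATA-wrapped, and entity-escaped. The search string and the panel markup around the search and query tags are constructed for illustration, on the assumption that the rejected search contained characters such as < or &.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed search string: the "<" and "&" are what an XML parser trips on.
SPL = 'index=_internal | stats count by sourcetype | where count < 10 AND sourcetype!="a&b"'


def panel(query_body):
    """Wrap a query body in a minimal, constructed dashboard panel."""
    return (
        "<dashboard><row><panel><table>"
        "<search><query>" + query_body + "</query></search>"
        "</table></panel></row></dashboard>"
    )


def parse_query(xml_text):
    """Return the query text the parser sees, or None if the XML is rejected."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.find("./row/panel/table/search/query").text


def cdata(text):
    """Wrap text in CDATA; split any literal ']]>' so it cannot close the section early."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


if __name__ == "__main__":
    for label, body in [
        ("raw", SPL),                # "<" starts a tag, "&" starts an entity: rejected
        ("cdata", cdata(SPL)),       # parser passes the text through untouched
        ("escaped", escape(SPL)),    # alternative: &lt; and &amp; entities
    ]:
        result = parse_query(panel(body))
        status = "rejected" if result is None else "parsed -> " + result
        print(f"{label:8} {status}")
```

Both accepted forms hand the parser's consumer the identical search string; CDATA simply keeps the search readable in the XML source.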

Thanks for reading!

Missed out on the first forty-three Smart AnSwerS blog posts? Check ‘em out here!