Smart AnSwerS #52
Hey there community and welcome to the 52nd installment of Smart AnSwerS.
A BoardAtWork group was started at Splunk HQ for folks interested in, well, playing board games at work during lunch or after hours. We had our first game night earlier this week and had a nerdy great time…even though I was the first one dead 😛 Just glad to unwind and share my love for games with fellow Splunkers after a long day!
Check out this week’s featured Splunk Answers posts:
Why is the Host IP value from udp:514 syslog input incorrect for one device?
evgenyv was collecting syslog events through a udp:514 input and needed help figuring out why only one device was reporting a host value of “2015”. nnmiller gives a very detailed and educational answer, explaining how events configured as the syslog sourcetype are parsed by Splunk, and pinpointing the issue was most likely on the device side with how its data was formatted. She gave two options to fix the issue immediately, but also recommends using a central syslog server rather than UDP/TCP and shares the widely referenced blog post by starcher on best practices collecting syslog data in Splunk.
How to hide panels with no results from a dashboard?
How to run a different rex extraction only if another rex extraction did not find anything to extract?
raby1996 had a working rex extraction, but found that the field for that pattern was not always present in the data. raby needed a way to run a different rex statement when the first one doesn’t match anything. somesoni2 suggested providing sample logs for both patterns as there possibly could have been a way to capture both in one rex expression. It’s also best practice to include sample data when asking for help with regex related questions as everyone’s data will be formatted differently. Regardless, somesoni2 still worked with what he had and provided a workaround using eval with the coalesce function.
Thanks for reading!
Missed out on the first fifty-one Smart AnSwerS blog posts? Check ‘em out here!