Smart AnSwerS #54

Hey there, community, and welcome to the 54th installment of Smart AnSwerS.

Next Tuesday, February 23rd, 2016, we’ll be holding SplunkTrust Virtual .conf session #4 from 12:00PM to 1:00PM PST. SplunkTrust member Mark Runals will be presenting his .conf2015 session “Taming your Data”, featuring his data onboarding maturity scoring model and a method for having Splunk dynamically detect mis-categorized sourcetypes. Visit the event meetup page to RSVP and join the 35+ users (and counting) via Webex next week!

Check out this week’s featured Splunk Answers posts:

Is it recommended to install a universal forwarder on thousands of workstations or on a few dedicated syslog/Windows Event Collector servers?

flee needed to forward Windows events from about 6,000 Windows workstations and was looking for advice on which deployment strategy would make the most sense for ongoing maintenance, in particular the burden of managing that many universal forwarders through a deployment server. javiergn gives a solid list of pros and cons to weigh before going the route of installing and managing a universal forwarder on every machine rather than collecting centrally.
https://answers.splunk.com/answers/331926/is-it-recommended-to-install-a-universal-forwarder.html 

How to index certain logs only during a certain time range (6am – 6pm)?

agoktas had four log files on one host, but wanted only one of those files to be indexed between 6am and 6pm each day. Stopping the universal forwarder service during off hours was not an option because the other three log files needed to be ingested 24 hours a day. SplunkTrust members MuS and rich7717 worked together to come up with just the right configuration in props.conf and transforms.conf on the indexer (where parsing happens, not on the universal forwarder) to filter out all events from this particular file between 6pm and 6am.
https://answers.splunk.com/answers/332983/how-to-index-certain-logs-only-during-a-certain-ti.html
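As an added illustration, not the configuration MuS and rich7717 posted in the linked answer, the script below shows the standard shape of that kind of index-time filter: a props.conf stanza on the indexer (or heavy forwarder) that attaches a transform to the one source, and a transforms.conf stanza that routes matching events to nullQueue, so they are dropped before indexing and never count against license. The file path, the YYYY-MM-DD HH:MM:SS timestamp at the start of each event, the app directory and the sample events are assumptions made for this example. The hour the regex sees is whatever the application wrote into the event, so “6pm” means 6pm in the timezone the application logs in.

```shell
#!/usr/bin/env bash
# Added example, not the configuration from the linked Splunk Answers post: drop events
# from one file between 18:00 and 05:59 at parse time by routing them to nullQueue.
# Assumptions (not from the original post): the file is /var/log/app/business-hours.log,
# its events begin with a "YYYY-MM-DD HH:MM:SS" timestamp, and the stanzas go into an
# app's local/ directory on the indexer or heavy forwarder, never on the universal forwarder.
set -eu

# Hours 18-23 and 00-05 in the event's own timestamp. [0-9] rather than \d so the
# same pattern behaves identically in Splunk's PCRE and in grep -E below.
OFFHOURS_REGEX='^[0-9]{4}-[0-9]{2}-[0-9]{2} (1[89]|2[0-3]|0[0-5]):[0-9]{2}:[0-9]{2}'

# Exit 0 when an event line falls in the off-hours window the filter would drop.
is_offhours() {
  printf '%s\n' "$1" | grep -Eq "$OFFHOURS_REGEX"
}

# Write props.conf and transforms.conf for the filter into the directory given,
# e.g. $SPLUNK_HOME/etc/apps/offhours_filter/local on the indexer.
write_filter_conf() {
  conf_dir="$1"
  conf_src="${2:-/var/log/app/business-hours.log}"
  mkdir -p "$conf_dir"
  cat > "$conf_dir/props.conf" <<EOF
# Keyed on source:: so the host's other three files keep indexing around the clock,
# even if they share a sourcetype with this one.
[source::$conf_src]
TRANSFORMS-offhours = drop_offhours
EOF
  cat > "$conf_dir/transforms.conf" <<EOF
# Matches against _raw (the default SOURCE_KEY); matching events go to nullQueue.
[drop_offhours]
REGEX = $OFFHOURS_REGEX
DEST_KEY = queue
FORMAT = nullQueue
EOF
}

# Stand-alone run: write the stanzas to a scratch dir and classify a few constructed
# events around the 06:00 and 18:00 boundaries before deploying anything.
tmp=$(mktemp -d)
write_filter_conf "$tmp"
cat "$tmp/props.conf" "$tmp/transforms.conf"
for ev in '2016-02-23 17:59:59 INFO kept'    '2016-02-23 18:00:00 INFO dropped' \
          '2016-02-23 05:59:59 INFO dropped' '2016-02-23 06:00:00 INFO kept'; do
  if is_offhours "$ev"; then echo "DROP  $ev"; else echo "INDEX $ev"; fi
done
rm -rf "$tmp"
```

Two things to verify before relying on a filter like this: that the regex actually matches the first characters of `_raw` for that file (run the `is_offhours` check against real lines from it, since a leading hostname or a different date format silently turns the filter into a no-op), and that the stanzas are deployed on the parsing tier. A universal forwarder never evaluates TRANSFORMS, so placing them there does nothing.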

How do I change the owner of a saved search or view in a search head cluster environment?

rphillips from the Splunk Support team shared this question and answer with the community, since changing ownership of knowledge objects is a concern raised by many admins running a search head cluster. He shows two examples that use REST endpoints from the CLI to change the owner of a saved search and of a dashboard view; because the change goes through splunkd on a cluster member rather than a hand edit of the .meta files, it is replicated to all members of the cluster.
https://answers.splunk.com/answers/295303/how-do-i-change-the-owner-of-a-saved-search-or-vie.html
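As an added example, and not the commands from rphillips’ answer, the script below does the same job through the object’s own `acl` REST endpoint, which is the standard place a knowledge object’s owner and sharing are set. Assumed for this example: a cluster member at https://localhost:8089, the `search` app, objects currently shared at app level (so they live under the `nobody` namespace), a new owner named `alice`, and a saved search and view with the names shown.

```shell
#!/usr/bin/env bash
# Added example, not the commands from the linked Splunk Answers post: reassign the
# owner of a saved search and of a dashboard view through the object's /acl REST
# endpoint on one search head cluster member, so the change is replicated to the
# other members (a hand edit of local.meta on one member is not).
# Assumed values (not from the original post): member https://localhost:8089,
# app "search", objects currently owned by "nobody", new owner "alice".
set -eu

SPLUNKD="${SPLUNKD:-https://localhost:8089}"

# Percent-encode one URL path segment; saved search names often contain spaces.
# POSIX sh only: peel off one character at a time.
urlencode() {
  ue_rest="$1"; ue_out=""
  while [ -n "$ue_rest" ]; do
    ue_c=${ue_rest%"${ue_rest#?}"}     # first character
    ue_rest=${ue_rest#?}               # remainder
    case "$ue_c" in
      [[:alnum:]._~-]) ue_out="$ue_out$ue_c" ;;
      *) ue_out="$ue_out$(printf '%%%02X' "'$ue_c")" ;;
    esac
  done
  printf '%s' "$ue_out"
}

# URL of the ACL endpoint for an object. KIND is saved/searches or data/ui/views;
# the namespace owner is the object's current owner (nobody for app-shared objects).
acl_url() {
  au_kind="$1"; au_name="$2"; au_app="$3"; au_owner="${4:-nobody}"
  printf '%s/servicesNS/%s/%s/%s/%s/acl' \
    "$SPLUNKD" "$au_owner" "$au_app" "$au_kind" "$(urlencode "$au_name")"
}

# POST the new owner. The acl endpoint requires sharing= alongside owner=; keep
# "app" (or "global") so the object stays visible to the team after the change.
# -u with the user name only makes curl prompt, so the password never lands in shell
# history or `ps` output. --cacert pins the server certificate; use -k only in a lab.
set_owner() {
  so_kind="$1"; so_name="$2"; so_app="$3"; so_new_owner="$4"; so_sharing="${5:-app}"
  curl -sS --cacert "${SPLUNK_CA:-/opt/splunk/etc/auth/cacert.pem}" -u admin \
    -X POST "$(acl_url "$so_kind" "$so_name" "$so_app")" \
    --data-urlencode "owner=$so_new_owner" \
    --data-urlencode "sharing=$so_sharing"
}

# Usage against a live member (commented out so the script runs offline):
#   set_owner saved/searches "Failed Logins by Host" search alice
#   set_owner data/ui/views   failed_logins          search alice
# Offline, show the two URLs the calls above would hit:
acl_url saved/searches "Failed Logins by Host" search; echo
acl_url data/ui/views   failed_logins          search; echo
```

After the POST, confirm on a different cluster member that `GET .../saved/searches/<name>/acl` reports the new owner; if it does not, the object was edited outside the REST layer somewhere and the members have diverged.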

Thanks for reading!

Missed out on the first fifty-three Smart AnSwerS blog posts? Check ‘em out here!
http://blogs.splunk.com/author/ppablo