Smart AnSwerS #55

Hey there community and welcome to the 55th installment of Smart AnSwerS.

Next Wednesday, March 2nd @ 6:30PM, Splunk HQ will be hosting our monthly SF Bay Area User Group meeting. Since it falls during RSA Conference week, the topics covered will be related to *drum roll*…SECURITY! If you happen to be local or are visiting from out of town for the conference, come join fellow users over pizza and beer and listen to a talk from Monzy Merza, Chief Security Evangelist at Splunk. Be sure to visit the user group event page to RSVP and stay updated on the tentative agenda. Hope to see you next Wednesday!

Check out this week’s featured Splunk Answers posts:

How to combine my two searches to get the duration of completed jobs with start/end events and display a list of incomplete jobs?

dpoloche had two searches that individually returned the expected results, but needed to combine both into one, preferably without the transaction command for performance reasons. wpreston admits transaction is an expensive command, but shows how much it can do here: adding the keepevicted=t argument keeps the incomplete (evicted) transactions instead of silently dropping them, and the closed_txn field then separates complete from incomplete jobs in dpoloche’s existing search. He also suggests using the fields command early in the search to improve performance by limiting field extractions to the fields actually needed. Runals provided a working search as well, using stats and eval with no transaction at all, so users can see how both approaches get the job done.
https://answers.splunk.com/answers/339864/stats-duration-without-using-transactions-for-even.html
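Both approaches from that thread, written out as added example searches that are not from the original post or the answers it summarizes. The index and sourcetype, the job_id field, and a status field with START and END values are assumptions for illustration; the maxspan value is an assumption too. The first search is the transaction form, the second the stats/eval form.

```spl
index=jobs sourcetype=joblog (status=START OR status=END)
| fields _time, job_id, status
| transaction job_id startswith="status=START" endswith="status=END" keepevicted=t maxspan=24h
| eval state=if(closed_txn=1, "complete", "incomplete")
| table job_id, state, duration, eventcount

index=jobs sourcetype=joblog (status=START OR status=END)
| fields _time, job_id, status
| stats min(eval(if(status="START", _time, null()))) AS start_time
        max(eval(if(status="END", _time, null()))) AS end_time
        BY job_id
| eval state=if(isnotnull(start_time) AND isnotnull(end_time), "complete", "incomplete")
| eval duration=if(state="complete", end_time - start_time, null())
| table job_id, state, duration
```

In the transaction form, closed_txn=1 marks transactions closed by the endswith match; transactions flushed because of maxspan or the end of the search window are kept only because of keepevicted=t and carry closed_txn=0, so without that argument the incomplete jobs disappear from the results entirely. The stats form is cheaper because it never buffers events, but it assumes each job_id occurs once in the time range: if job IDs are reused, min and max will pair the earliest START with the latest END across runs, whereas transaction starts a fresh transaction at each START. Append `| where state="incomplete"` to either search to get only the list of unfinished jobs.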

How to search how much bandwidth a forwarder is using?

sbattista09 wanted to show how much bandwidth a forwarder was using, by host, in a timechart, but wasn’t sure where to start with the _internal data. jbsplunk shows how this can be done, pulling an example search from S.o.S – Splunk on Splunk that uses metrics.log to calculate the outgoing thruput. sowings added that the same figures are also available through the Distributed Management Console.
https://answers.splunk.com/answers/340084/how-to-search-how-much-bandwidth-a-forwarder-is-us.html
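Two added example searches along the lines of the S.o.S search mentioned above; they are not the search from the thread itself. The field names (group, name, kb, hostname, sourceHost) are the ones metrics.log uses for its thruput and tcpin_connections metric groups; the 5-minute span is an assumption, and the searches assume the forwarders ship their own _internal index to the indexers. The first search reads the forwarder’s own thruput metrics; the second reads the indexers’ receive-side metrics, which is the fallback when forwarders do not ship _internal.

```spl
index=_internal source=*metrics.log group=thruput name=thruput
| timechart span=5m sum(kb) AS kb_out BY host

index=_internal source=*metrics.log group=tcpin_connections
| eval fwd=coalesce(hostname, sourceHost)
| timechart span=5m sum(kb) AS kb_received BY fwd
```

metrics.log samples every 30 seconds by default, and each sample’s kb field is the data moved in that interval, so sum(kb) per span is the total KB sent (or received) in that span; divide by the span length in seconds for an average KB/s. The two views should agree to within compression and the sampling offset, and a host whose kb_out drops to zero while it is still up is worth an alert, since that is what a stopped or disabled forwarder looks like.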

Why is my rex statement unable to extract the field?

This question by jsiker covers a topic that comes up often, but the answers are usually useful only to the original poster, since everyone’s data is formatted differently. However, the accepted answer by MuS has a comment thread with useful tips on testing out regular expressions from him and his fellow SplunkTrust members, somesoni2 and Runals. Learn how you can test your syntax directly from the Splunk CLI, in a search in Splunk Web, or on external sites with tools for leveling up your regex fu.
https://answers.splunk.com/answers/305727/why-is-my-rex-statement-unable-to-extract-the-fiel.html
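The Splunk Web testing technique in practice, as an added example that is not from the thread: makeresults (available from Splunk 6.3) produces a single empty event, eval puts a constructed sample line into _raw, and rex runs against it, so you can iterate on the regex without touching a real index. The sshd line below is constructed for illustration (203.0.113.45 is a documentation address), and the field names user, src_ip and src_port are assumptions.

```spl
| makeresults
| eval _raw="Feb 23 14:05:12 host01 sshd[2193]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2"
| rex field=_raw "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)"
| table user, src_ip, src_port
```

If the table comes back empty, the regex did not match; paste a second sample into the eval (one that you expect not to match, such as an "Accepted publickey" line) to make sure the extraction is as strict as you want it to be, since an over-broad regex silently produces wrong field values rather than no values. The same search string can be run from the CLI with `splunk search '…'`, which is handy when iterating from a shell.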

Thanks for reading!

Missed out on the first fifty-four Smart AnSwerS blog posts? Check ‘em out here!
http://blogs.splunk.com/author/ppablo