Smart AnSwerS #57

Hey there community and welcome to the 57th installment of Smart AnSwerS.

Feels good to be back in action after a 3 week break, minus coming down with the flu, but that hasn’t completely stopped me from shifting my brain back into Splunk mode. Even though I’ve had to spend recovery time working from home, I was still able to join in on the SplunkTrust Virtual .conf March Session on “Grouping with stats: practical concerns and best practices” presented by Nick Mealy, aka sideview. You can visit the Meetup page to find the link to the recording in case you missed out and stay tuned for the next session.

Check out this week’s featured Splunk Answers posts:

How to write a search to only show the latest contents of a lookup file on a dashboard?

kuga_mbsd had an external program creating a lookup table every night, but needed an easy way to search and display the latest contents of the file on a dashboard rather than manually checking it every time. Lucas K gives a nifty solution defining a macro to simplify and automate the process in combination with an inputlookup scheduled search to pull the latest data.
https://answers.splunk.com/answers/330443/how-to-write-a-search-to-only-show-the-latest-cont.html

Is it possible to have your sourcetype be determined at index-time based on host?

cmeyers wanted the sourcetype for his data to be the type of device and wanted this to be based on host as data is indexed. lguinn provides an answer that cautions against using sourcetype for another purpose other than grouping data based on the actual data format and fields. She instead suggests creating a CSV file of host names with other necessary information such as devicetype, and upload it as an automatic lookup to use the devicetype field in searches. This method is easier and more flexible as the CSV file can be updated and reloaded as needed.
https://answers.splunk.com/answers/334331/is-it-possible-to-have-your-sourcetype-be-determin-1.html

How to work out the age of a user based on date of birth?

A similar question was featured before, but this run anywhere search example by SplunkTrust member somesoni2 is a great learning opportunity for other users. Amohlmann had a search to calculate a person’s age based on a dateofbirth field, but was having trouble figuring out how to make it work for birth dates before 1970. Level up your SPL fu with somesoni2’s answer using rex and eval.
https://answers.splunk.com/answers/338613/how-to-work-out-the-age-of-a-user-based-on-date-of.html

Thanks for reading!

Missed out on the first fifty-six Smart AnSwerS blog posts? Check ‘em out here!
http://blogs.splunk.com/author/ppablo