
Splunk Community Office Hours - March 4th 2022 11:00AM ET

muebel
SplunkTrust

The Splunk Trust and members of the community will be hosting open office hours for anybody who wants to chat about anything Splunk related.

Please visit the office_hours channel in Slack or drop comments here if there is any topic you'd like to see discussed!

0 Karma

muebel
SplunkTrust

Concerning the subtleties of _index_time in search, making sure you find the events you need: a great .conf talk on this

https://conf.splunk.com/watch/conf-online.html?search=PLA1327B&search.event=conf21

Slides directly: https://conf.splunk.com/files/2021/slides/PLA1327B.pdf

>With minimal up-front effort it is possible to guarantee that your alerts and other scheduled searches run, are always successful, and do not miss data. Common challenges are skipped searches, latent data, Splunk down time, failures, and dependencies on other searches. Approaches such as an expanded sliding window consume additional resources and will inevitably fail. We will demonstrate a Splunk macro that tracks search execution times in a KVstore and dynamically controls the search timeframe, thus decoupling it from execution time. This additionally provides a capability to quickly and easily re-run a search over any timeframe in a controllable manner. We will further demonstrate the use of Apache Airflow for more complex use cases.

0 Karma

muebel
SplunkTrust

https://batchworks.de/recover-deleted-data/ for recovering deleted data

0 Karma

Taruchit
Contributor

Hello All,

Thank you for organizing the office hours event tomorrow. I will need your expertise and support for the following topics and questions:

  1. Can you please explain the use of the delta command? And how it is used, with syntax and an example.

  2. Can we build SPL and a Splunk alert in a way that every time there is a new entry in the table, a notification email and a ticket get generated to the support team? And for older events, no action triggers. I understand that for suppressing Splunk alert triggers we use Throttle, but I see suppressing the trigger action is available based on time. For example:
    Suppressing for __ seconds/minutes/hours/days

  3. In Splunk alerts, can you please explain about writing custom scripts in Splunk? Can you please share the resources to understand the syntax for writing custom scripts?

  4. Can we add dynamic up and down KPI arrows in a Splunk dashboard table based on increase or decrease in current values compared to values in the previous day? I asked the same earlier in a separate forum, but need more information about it. I do not have support to add apps from Splunkbase; can we still build the solution?
    If adding up and down arrows is an issue, please help with the approach to decide if today's values are different from the last day's, and then we can decide the color of cells based on it for differentiation.

0 Karma

muebel
SplunkTrust

Timechart + single-value visualization from Rich

[Screenshot: muebel_0-1646411099101.png]

0 Karma

muebel
SplunkTrust

The best thing to do for usage of the delta command is to find blog posts such as https://www.splunk.com/en_us/blog/tips-and-tricks/search-commands-delta.html

I'd also suggest searching GitHub for "| delta" to find SPL examples from people who added searches to their repos.

https://dev.splunk.com/ is a good starting place for custom search commands and alert actions. For finding existing third-party integrations via alert actions, checking Splunkbase is always a good idea.

TrackMe (https://splunkbase.splunk.com/app/4621/) is something I've found useful for watchdog-type alerting on the absence of certain types of data.

`!missinghosts` in Slack drops links to all sorts of apps and thoughts on this

0 Karma
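Added example (not from the thread, and not Splunk's own documentation) working through questions 1, 2 and 4 above in SPL: a one-time bootstrap search that creates a seen_tickets.csv lookup, a daily timechart with delta and a derived trend field for the day-over-day up/down comparison, and an alert search that returns only ticket_ids not yet recorded in the lookup and appends them, so the alert fires once per new entry instead of being suppressed purely by time window. The index names, sourcetypes, the ticket_id field and the seen_tickets.csv lookup are assumptions for illustration.

```spl
| makeresults
| eval ticket_id="bootstrap", first_seen=0
| table ticket_id first_seen
| outputlookup seen_tickets.csv

index=web sourcetype=access_combined earliest=-7d@d latest=@d
| timechart span=1d count AS requests
| delta requests AS requests_change p=1
| eval trend=case(isnull(requests_change), "n/a", requests_change>0, "up", requests_change<0, "down", true(), "flat")
| eval pct_change=round(100*requests_change/(requests-requests_change), 1)
| table _time requests requests_change pct_change trend

index=helpdesk sourcetype=tickets earliest=-24h@h
| stats earliest(_time) AS first_seen BY ticket_id
| lookup seen_tickets.csv ticket_id OUTPUT first_seen AS previously_seen
| where isnull(previously_seen)
| table ticket_id first_seen
| outputlookup append=true seen_tickets.csv
```

Schedule the last search as the alert with the trigger condition "number of results is greater than 0"; because outputlookup records the ticket_ids it returns, a re-run over an overlapping time range does not notify again for the same entries. The trend field gives the per-day direction that a dashboard table can colour cells on without a Splunkbase app.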