#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are the most common questions you are answering?

to4kawa
Ultra Champion
‎11-28-2019 04:38 AM

I answered several times, but there are several similar questions.

What are your most frequently asked questions?

If you have your best answer, please provide a link.

I will study.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-06-2019 11:29 AM

There are always questions about join and the answer is always:

Stop using "join" and and learn to use "stats".

There are always questions about field extractions and generally the answer is:

Learn how to RegEx (don't let Splunk do it for you) and test it with RegEx101.com.

There are always questions about peculiarities in clustering and the answer is either:

Read the docs and experiment (check out Splunk-n-box: https://github.com/mhassan2/splunk-n-box)

Or

Open a ticket.

There are many questions around where does this setting go or why isn't this working and I will commonly say:

If you are sure that your settings are correct, it must be something else.  If you are doing a sourcetype override/overwrite, you must use the *ORIGINAL* value, *NOT* the new value.  You must deploy your settings to the first full instance(s) of Splunk that handle the events (usually either the HF tier if you use one, or else your Indexer tier) UNLESS you are using HEC's JSON endpoint (it gets pre-cooked) or INDEXED_EXTRACTIONS (configs go on the UF in that case), then restart all Splunk instances there.  When (re)evaluating, you must send in new events (old events will stay broken), then test using "_index_earliest=-5m" to be absolutely certain that you are only examining the newly indexed events.

There are many questions around missing data/hosts and I always say:

This has been solved many times including:
Meta Woot!: https://splunkbase.splunk.com/app/2949/
TrackMe: https://splunkbase.splunk.com/app/4621/,
Broken Hosts App for Splunk: https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts): https://splunkbase.splunk.com/app/3796/
Splunk Security Essentials(https://docs.splunksecurityessentials.com/features/sse_data_availability/): https://splunkbase.splunk.com/app/3435/
Monitoring Console: https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server: https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...

There are all sorts of questions about dashboards, css, and javascript and I always wait for @niketnilay to answer. 😜

google = site:answers.splunk.com "answer by niketnilay"

View solution in original post

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎12-19-2019 03:30 AM

Everyone. Thank you.
I learned a lot.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-06-2019 11:29 AM

There are always questions about join and the answer is always:

Stop using "join" and and learn to use "stats".

There are always questions about field extractions and generally the answer is:

Learn how to RegEx (don't let Splunk do it for you) and test it with RegEx101.com.

There are always questions about peculiarities in clustering and the answer is either:

Read the docs and experiment (check out Splunk-n-box: https://github.com/mhassan2/splunk-n-box)

Or

Open a ticket.

There are many questions around where does this setting go or why isn't this working and I will commonly say:

If you are sure that your settings are correct, it must be something else.  If you are doing a sourcetype override/overwrite, you must use the *ORIGINAL* value, *NOT* the new value.  You must deploy your settings to the first full instance(s) of Splunk that handle the events (usually either the HF tier if you use one, or else your Indexer tier) UNLESS you are using HEC's JSON endpoint (it gets pre-cooked) or INDEXED_EXTRACTIONS (configs go on the UF in that case), then restart all Splunk instances there.  When (re)evaluating, you must send in new events (old events will stay broken), then test using "_index_earliest=-5m" to be absolutely certain that you are only examining the newly indexed events.

There are many questions around missing data/hosts and I always say:

This has been solved many times including:
Meta Woot!: https://splunkbase.splunk.com/app/2949/
TrackMe: https://splunkbase.splunk.com/app/4621/,
Broken Hosts App for Splunk: https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts): https://splunkbase.splunk.com/app/3796/
Splunk Security Essentials(https://docs.splunksecurityessentials.com/features/sse_data_availability/): https://splunkbase.splunk.com/app/3435/
Monitoring Console: https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server: https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...

There are all sorts of questions about dashboards, css, and javascript and I always wait for @niketnilay to answer. 😜

google = site:answers.splunk.com "answer by niketnilay"
Reply
Solved! Jump to solution

niketn
Legend
‎12-07-2019 05:50 AM

LOL @woodcock May be google Splunk Answers niketnilay <your_dashboard_issue> to find what I have solved before 😄

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-07-2019 06:25 AM

site:answers.splunk.com "answer by niketnilay"

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎12-07-2019 02:06 PM

about 2,130 (0.24 sec) wow!

0 Karma
Reply
Solved! Jump to solution

randy_moore
Path Finder
‎12-06-2019 01:05 PM

I wish i could upvote your answer multiple times @woodcock 🙂

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎12-06-2019 11:41 AM

Thank you for your response.
I agree for regex.
I don't know the rest so I will study.

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎12-06-2019 04:43 AM

Is there anything else?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎12-13-2019 04:45 AM

How about other people?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-28-2019 06:44 AM

@to4kawa search for Smart Answers on Google. You will find several examples.

https://www.google.com/search?q=splunk+smart+answers

Follow Splunk Answers karma leaders (all time top 10 or quarterly top 10 etc). If you navigate to their profile, you can open their Answers tab and then sort by Most Voted answers.

Spend some time on Splunk Answers just to read interesting questions and follow them so that you get notified when it is answered. I have learnt mostly on answers by spending some time daily to read, understand and solve 5-10 questions per day for past several months.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎11-29-2019 03:33 AM

Hi, @niketnilay Thank you for your reply.
There was such a page.

It ’s a good opportunity,
I've been helped by your blog and answers since I started studying splunk.
Thank you very much.

Reply
Solved! Jump to solution

Sukisen1981
Champion
‎12-03-2019 12:15 AM

adding on to what @niketnilay said it is always a best practice to provide splunk docs links and links to previous answers which are similar/almost similar, even if you provide your own answer.
Many times users will post questions which already have a very similar solution in past answers

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎12-03-2019 03:39 AM

Hi, @Sukisen1981

Thank you for your response.

I got it. I don't have enough study.

Many times users will post questions which already have a very similar solution in past answers

It can't be helped. 

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top