#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.

What are the most common questions you are answering?

to4kawa
Ultra Champion

I answered several times, but there are several similar questions.

What are your most frequently asked questions?

If you have your best answer, please provide a link.

I will study.

1 Solution

woodcock
Esteemed Legend

There are always questions about join and the answer is always:

Stop using "join" and learn to use "stats".

There are always questions about field extractions and generally the answer is:

Learn how to RegEx (don't let Splunk do it for you) and test it with RegEx101.com.

There are always questions about peculiarities in clustering and the answer is either:

Read the docs and experiment (check out Splunk-n-box: https://github.com/mhassan2/splunk-n-box)

Or

Open a ticket.

There are many questions around where does this setting go or why isn't this working and I will commonly say:

If you are sure that your settings are correct, it must be something else.  If you are doing a sourcetype override/overwrite, you must use the *ORIGINAL* value, *NOT* the new value.  You must deploy your settings to the first full instance(s) of Splunk that handle the events (usually either the HF tier if you use one, or else your Indexer tier) UNLESS you are using HEC's JSON endpoint (it gets pre-cooked) or INDEXED_EXTRACTIONS (configs go on the UF in that case), then restart all Splunk instances there.  When (re)evaluating, you must send in new events (old events will stay broken), then test using "_index_earliest=-5m" to be absolutely certain that you are only examining the newly indexed events.

There are many questions around missing data/hosts and I always say:

This has been solved many times including:
Meta Woot!: https://splunkbase.splunk.com/app/2949/
TrackMe: https://splunkbase.splunk.com/app/4621/
Broken Hosts App for Splunk: https://splunkbase.splunk.com/app/3247/
Alerts for Splunk Admins ("ForwarderLevel" alerts): https://splunkbase.splunk.com/app/3796/
Splunk Security Essentials (https://docs.splunksecurityessentials.com/features/sse_data_availability/): https://splunkbase.splunk.com/app/3435/
Monitoring Console: https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
Deployment Server: https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarde...

There are all sorts of questions about dashboards, css, and javascript and I always wait for @niketnilay to answer. 😜

google = site:answers.splunk.com "answer by niketnilay"

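The join-versus-stats advice and the "_index_earliest=-5m" check from the accepted answer, worked through in SPL as an added example (these searches are not from woodcock's post). The index name auth, the sourcetype login and the fields action, user and src_ip are constructed for the example and not taken from the thread. The block contains three separate searches: first, the join form that gets posted in most of those questions, where a subsearch counts failed logins per user and join glues the counts onto the successful logins; second, the same question answered with a single stats pass that counts each outcome per user, which reads the data once and is not subject to the subsearch result and time limits that make join silently drop rows; third, the verification search to run after a props.conf/transforms.conf change, restricted to events indexed in the last five minutes so that events indexed under the old configuration cannot mask whether the new settings took effect.

```spl
index=auth sourcetype=login action=success
| stats values(src_ip) AS src_ips BY user
| join type=inner user
    [ search index=auth sourcetype=login action=failure
      | stats count AS failures BY user ]
| where failures > 5

index=auth sourcetype=login (action=success OR action=failure)
| stats count(eval(action="failure")) AS failures
        count(eval(action="success")) AS successes
        values(src_ip) AS src_ips
        BY user
| where failures > 5 AND successes > 0

index=auth _index_earliest=-5m
| stats count BY sourcetype host
```

The second search is the one to keep: it also surfaces accounts with many failures but no success, which the inner join discards, so it doubles as a cheap brute-force detection. Run the third search only after new events have arrived; events that were indexed before the restart keep whatever sourcetype and extractions they were given at index time.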

to4kawa
Ultra Champion

Everyone. Thank you.
I learned a lot.

0 Karma

niketn
Legend

LOL @woodcock. Maybe google "Splunk Answers niketnilay <your_dashboard_issue>" to find what I have solved before 😄

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

woodcock
Esteemed Legend

site:answers.splunk.com "answer by niketnilay"

to4kawa
Ultra Champion

about 2,130 (0.24 sec) wow!

0 Karma

randy_moore
Path Finder

I wish I could upvote your answer multiple times @woodcock 🙂

to4kawa
Ultra Champion

Thank you for your response.
I agree about regex.
I don't know the rest so I will study.

to4kawa
Ultra Champion

Is there anything else?

0 Karma

to4kawa
Ultra Champion

How about other people?

0 Karma

niketn
Legend

@to4kawa search for Smart Answers on Google. You will find several examples.

https://www.google.com/search?q=splunk+smart+answers

Follow Splunk Answers karma leaders (all time top 10 or quarterly top 10 etc). If you navigate to their profile, you can open their Answers tab and then sort by Most Voted answers.

Spend some time on Splunk Answers just to read interesting questions and follow them so that you get notified when they are answered. I have learnt mostly on Answers by spending some time daily to read, understand and solve 5-10 questions per day for the past several months.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

to4kawa
Ultra Champion

Hi, @niketnilay Thank you for your reply.
There was such a page.

It's a good opportunity to say that I've been helped by your blog and answers since I started studying Splunk.
Thank you very much.

Sukisen1981
Champion

Adding on to what @niketnilay said, it is always best practice to provide Splunk docs links and links to previous answers which are similar or almost similar, even if you provide your own answer.
Many times users will post questions which already have a very similar solution in past answers.

to4kawa
Ultra Champion

Hi, @Sukisen1981

Thank you for your response.

I got it. I haven't studied enough.

"Many times users will post questions which already have a very similar solution in past answers."

It can't be helped.

0 Karma