Smart AnSwerS #93

Hello, community, and welcome to the 93rd installment of the Smart AnSwerS blog series, where we feature Splunk tips and tricks created by users in the Splunk Answers community.

Many of us at the Splunk office in San Francisco are just returning from celebrating the American holiday of Thanksgiving. If you celebrate Thanksgiving, we hope that you were able to step away from your precious Splunk deployments long enough to dine with your family and friends. Or, at the very least, that you brought a plate of traditional fixings—like turkey, stuffing, and mashed potatoes—to eat at your computer.

Nothing goes better with a regex field extraction than Thanksgiving leftovers!

Also, our hearts and thoughts go out to the residents and firefighters affected by the devastating fires in Northern and Southern California. To help out with disaster relief efforts, Splunk has been coordinating a fundraiser to provide support to the American Red Cross, Team Rubicon, and the humanitarian aid organization Direct Relief.

If you’d like to contribute to the organizations providing support during this unprecedented disaster, you can learn more about those donation efforts here.

Lastly, we at Splunk Answers are excited to announce last month’s winner of the "Where Will Your Karma Take You" contest. If you aren’t familiar with the contest, every month the Splunk Community team gets together to pick a user who has been especially awesome.

For the month of October 2018, that winner is...user 493669!

We on the Splunk Community team are endlessly curious as to the origin of this user’s mysterious numerical name. Though we may never get the answer to that question, we’re sure of one thing: user 493669 will be receiving a free pass to .conf19, which will be held next year in Las Vegas!

But if you haven’t won yet, don’t worry! The karma contest restarts at the beginning of every month, so you’ll have plenty more chances to win.

Which brings us to the main reason we're here today: to highlight some particularly out-of-this-world answers from the Splunk community. Now, selecting them wasn’t easy, given there was so much amazing material to sift through. However, we landed on a couple tricks from the Splunk community that we thought were especially awesome.

So, without further adieu, here are three solutions from Splunk Answers that we think are worth knowing about!

How do you extract information from a field?

Since its creation in the 1950s, regex (short for regular expression) has served many important functions in computer science. The programmers equivalent to being able to find a needle in a haystack, regex allowed those who could wield its algebraic code to search through mounds of text quickly and efficiently.

And, as a testament to its usefulness in searching through strings of data, regular expression is still used today, especially when it comes to Splunk. Regex and Splunk go together like peanut butter and jelly!

One thing regex is very useful for in Splunk is extracting fields. Field extraction allows you to extract valuable information from your raw data for all sorts of purposes.

However, what happens if you need to extract fields from an existing field’s value? What is this, the Splunk version of the film Inception?

That’s what happened to the user samlinsongguo. They built a search that returned a field, which contained all sorts of useful information. Unfortunately, its format was yucky and difficult to search. samlinsongguo wanted to extract timestamps, usernames, and comment content from that field and make new fields with them, turning a previously tangled data blob into something that would be easily searchable.

However, the user was having trouble building the regex to extract the fields they wanted. If you’ve ever tried to use regex with Splunk, you can probably relate to samlinsongguo—it can be tricky!

Good thing the user Raschko stumbled upon the post because their answer was top notch! raschko built the SPL and regex that samlinsongguo needed to extract multiple fields from the originally returned field. That way, each field could be searched for individually.

And, to top it off, Raschko explained each individual piece of regex code, so that regex newbs—like moi—could see what was going on under the hood.

Nice work, Raschko!

If you want to read the entire post, you can check that out on Splunk Answers.

How do you make a table that reduces in height when your dashboard search returns no results?

From drilldown menus, to a bazillion different colored charts, Splunk dashboards brings your complex data to life. That way, you can visualize and share your Splunk insights with co-workers or business associates who may not know the difference between a field and that thing a football team plays on.

However, while you can do a lot with the built-in dashboard editor in Splunk Web, what happens if you want to customize your dashboard to better meet your needs?

That’s where a knowledge of markup languages like Simple XML, CSS, and HTML can come in handy. By editing the code that lies beneath your Splunk dashboard, you can make all sorts of customizations to it, from changing the size dimensions of your panels to adding a drilldown menu to a chart.

However, customizing your dashboard through the editing of Simple XML can be daunting—at least at first.

Luckily, there are people like SplunkTrust member and Answers moderator niketnilay in the community. niketnilay took the time to document how to change the height of a table in a Simple XML dashboard because...well, that’s just the kind of guy that he is.

Here’s what niketnilay did.

He had a dashboard that was working properly. When a user searched it, the results were displayed in a table the way niketnilay wanted—no problem there. But, that wasn’t enough for niketnilay. He wanted the table’s height to reduce in size if the dashboard’s search returned empty.

But, to do this, niketnilay had to get pretty sneaky.

He built a hidden HTML panel to apply CSS for the dashboard, which allowed him to decrease the table height. Then, in the dashboard’s Simple XML code, he showed where the search job token was located and how to change it to get the shortened table he wanted.

Finally, niketnilay displayed the full Simple XML code with the HTML and CSS nested within it, so that users in the community could easily replicate his actions.

But as LeVar Burton used to say in the television show Reading Rainbow, don’t take my word for it! Read the full story in niketnilay’s Splunk Answers post.

How do I consolidate the count of similar values in a table?

Splunk user jonathanoberhaus had a search that was supposed to take XML responses from an API and chart them by time and error message. By building an organized chart of errors returned, jonathanoberhaus could gain insight into what errors were occuring at any given time

With the Splunk search jonathanoberhaus built, he was able to capture the information he needed. However, the problem was the way his data was being displayed in the table.

The issue was with an error labeled “transaction deadlock.” Despite each error being of the same ilk, each transaction deadlock possessed a unique processing ID. So, instead of having them all counted as the same error, the table returned each error in its own column, undoing any usefulness the chart would have provided.

Enter KailA, the Splunk user who was able to provide the SPL that jonathanoberhaus needed.

As it turned out, jonathanoberhaus’ SPL was mostly correct, but it had left one thing out: the eval command. By using the eval command with an IF statement—and some other nifty syntax—KailA was able to get Splunk to consolidate all of the transaction deadlock errors into one column, ensuring that the errors wouldn’t be returned independently.

Now, with this problem solved, jonathanoberhaus was able to move on to the next important query: what should he eat for lunch?

Read the entire Splunk Answers post here.

If you want to get more involved with the Splunk community, you’re in luck! There are many ways to be a part of the conversation. You can ask a question—or give a solution—at the Splunk Answers forum, join our Splunk Community chat, or attend a user group meeting in an area near you.

Thanks for reading, and we’ll see you next month!

----------------------------------------------------
Thanks!
Matt St. John