Splunk Search - 12/13/23

Community Office Hours

Published on ‎10-03-2023 05:59 PM by Splunk Employee | Updated on ‎01-04-2024 02:34 PM

Register here. This thread is for the Community Office Hours session on Splunk Search on Wed, Dec 13, 2023 at 1pm PT / 4pm ET.


This special 1-hour session is your opportunity to ask questions about your specific Splunk Search challenge, use case, best practices, or any new search features and capabilities, including:

  • Tips & tricks for faster searches, scheduled searches, etc.
  • Best practices for optimizing search performance 
  • Using SPL commands 
  • Federated search (e.g., for Amazon S3)
  • Creating alerts, visualizations, and dashboards from searches
  • How to translate your questions into SPL
  • Anything else you’d like to learn!


Please submit your questions at registration or as comments below. You can also head to the #office-hours user Slack channel to ask questions (request access here).


Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants.


Look forward to connecting!



adepp
Splunk Employee

Hi everyone! Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel):


Q1: Best practice to track 100k global assets and identities across multiple SaaS sources?

  • This is the ultimate question… do you have a central point? A CRM? Usually people say “yea… we’re working on that”. Think of this as an operational question. Can I programmatically pull all these? If so, what’s my single source of truth? What’s the easiest thing to keep updated and visible to those who need it?

Q2: Can I make a Splunk index I own available to other orgs or even be public facing?

  • Making Splunk available to specific orgs:
    • Roles and SAML groups are the starting point for considering what you need to make available and what should never be seen by anyone but the owners.
    • Building a good permissions and authentication system practice will enable you to share specifically and shield specifically.

Q3: What is the best approach for dealing with/extracting nested JSON objects?


Other questions (check the #office-hours Slack channel for responses):

  • Need help with an SPL Query to replace joins with something else
  • What are the advantages of using federated search as opposed to just pointing the search head to each indexer/cluster master directly?
  • Health monitoring of FWs (Palo Alto, F5, Checkpoint). Do we need a script which will run directly on gateways? What will be in the script?
  • How can I improve my search performance for faster searches? Reduce skipped searches?
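Added example (not from the session or from Splunk's own docs) of the role-plus-SAML-group pattern the Q2 answer describes: a dedicated role whose search scope is limited to one index, mapped to one SAML group, so a partner org sees exactly that index and nothing else. The role name `role_partner_org_readonly`, the index name `shared_partner`, the SAML group name `partner-org-readers`, and the `authSettings` stanza name `SAML` are all assumed values for illustration; the configuration keys themselves (`importRoles`, `srchIndexesAllowed`, `srchIndexesDefault`, `roleMap_<authSettings>`) are standard Splunk settings.

```ini
# authorize.conf (assumed app/local context)
# A least-privilege role for an external org: inherits the basic "user"
# capabilities but can only search the index it is meant to see.
[role_partner_org_readonly]
importRoles = user
# Only this index is searchable; every other index is invisible to the role.
srchIndexesAllowed = shared_partner
# Searches without an explicit index= land here, so nothing else is hit by accident.
srchIndexesDefault = shared_partner

# authentication.conf
# Maps the partner's SAML group to the restricted role. The stanza suffix
# ("SAML") must match the authSettings value in the [authentication] stanza
# (assumed here). Nobody in that group should also be in a group that maps
# to a broader role, or the broader srchIndexesAllowed wins for them.
[roleMap_SAML]
role_partner_org_readonly = partner-org-readers
```

To confirm what a role can actually reach after a restart, run `| rest /services/authorization/roles | search title=role_partner_org_readonly | table title imported_roles srchIndexesAllowed srchIndexesDefault` from an admin session; `srchIndexesAllowed` should list only the shared index. Because `importRoles` unions the imported role's index access with this one, keep the inherited role (here `user`) free of `srchIndexesAllowed = *`-style grants, otherwise the restriction is silently widened.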