Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to generate query from an event?

AL3Z
Path Finder
‎02-06-2023 09:26 AM

Hi,

I want to make a search out of events

Labels (1)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-07-2023 12:04 AM

The extract command will extract the fields from _raw. You could then use a where command to filter the events you want.

| makeresults
| eval _raw = "Created=\"2022-11-09 18:00:48 +00:00\" date to be change to date format 2022-11-09
Feb 5 22:00:28 centino03 729 <134>1 2023-02-06T03:00:05.982+00:00 centino03 centino 7824 - [centino-Discover@017474 id=\"252235\" MacAddress=\"42-01-0A-08-10-76\" MacOrganization=\"null\" \" HostName=\"MACRO-GPG0\" Labels=\"Lost Interface\" Computer-Name=\"fdsfaeds\"Locations=\"\" centinoComputerId=\"0\" Os=\"Windows\" OsGeneration=\"null\" Managed=\"0\" Unmanageable=\"0\" Arp=\"1\" Nmap=\"1\" Ping=\"1\" Connected=\"1\" AwsApi=\"0\" CentralizedNmap=\"0\" SatelliteNmap=\"0\" Created=\"2022-11-09 18:00:48 +00:00\" UpdatedAt=\"2023-02-06 02:41:53 +00:00\" FirstManaged=\"2022-12-18 04:01:02 +00:00\" LastManagedAt=\"2023-01-12 12:01:11 +00:00\" LastDiscoveredAt=\"2023-02-06 02:41:53 +00:00\" Profile=\"GCP_TnD_Subnets\" SatelliteDecId=\"null\" SatelliteName=\"null\"]"
| extract
0 Karma
Reply
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...