Splunk Search

Community Activity

How to exclude duplicate field values from different fields Hi All, I am writing a search string for Windows, which should return events where a privileged user (Source_User) h... by MikeElliott Communicator in Splunk Search 03-13-2018 0 11	0	11
Discrepancy between raw search and accelerated data model search I have a customer who has tasked me with coming up with a strategy for monitoring that the output of data model searc... by responsys_cm Builder in Splunk Search 03-13-2018 0 3	0	3
How do I independantly scale x-axis in charts in Trellis? Hello Splunk Community, I'm trying to display multiple charts of data with Trellis. Example: Chart 1 will have a x-ax... by rormond New Member in Splunk Search 03-13-2018 0 4	0	4
Add a custom field at index time based on sourcetype or index name Hi everyone. I've been going back and forth through the docs and other answers posted here, but nothing definitive i... by DEAD_BEEF Builder in Splunk Search 03-13-2018 0 7	0	7
Transform a field into a multi-value field Hi, I have an auto extracted field with comma separated values. DesiredAccess = Read Data; List Directory; Read Att... by ikulcsar Communicator in Splunk Search 03-13-2018 0 4	0	4
How do I edit my search to remove specific substrings from URI values in my results? ri_domain=HTTPS://xxxxxxx.com ".jsp" \| top limit=10 uri Under the statistics tab, I get different URIs with coun... by manjunathin New Member in Splunk Search 03-13-2018 0 4	0	4
I am using subsearch and trying to pass ID from sub to the main and trying to calculate minimum of time by ID using tstats. My normal query is working fine. Normal index query : searchA[search search B\|stats count by _time,BusinessIdentifier\|return BusinessIdentifier]\|stat... by payal23 Path Finder in Splunk Search 03-13-2018 0 2	0	2
rex expression does not works as expected I have a following splunk log 2018-03-13T06:28:23.543266+00:00 Commissions.development.loan*** 103a9[[APP/PROC/WEB/0... by karthi25 Path Finder in Splunk Search 03-13-2018 0 3	0	3
How to use String fields in chart?? I want to use the string Fields in the chart. Please help me on this. EX: Date Duration Volume 01-... by Rajkumarkbm Engager in Splunk Search 03-13-2018 0 2	0	2
Is there any specific syntax or regex form that help to identify a end line of any log file? I have different log files but the last line of each files are different and don't know what will come tomorrow. So, ... by saibal6 Path Finder in Splunk Search 03-12-2018 0 3	0	3
How to convert 12 hours to 24 hours? I want to convert my date field from 12 hours to 24 hours. I have the date field as "2/27/2018 10:21:03 PM" and woul... by angelinealex Communicator in Splunk Search 03-12-2018 0 2	0	2
How to compare different fields having the same value in different events? How to compare different fields having the same value and though in different events? For example : index1, source1,... by pratibha2018 Explorer in Splunk Search 03-12-2018 0 2	0	2
How do I create an multivalue field after stats that don't include it? Is there a way to aggregate data and then show additional fields as mv fields without running another search? I want ... by dj69 Explorer in Splunk Search 03-12-2018 0 10	0	10
Comparing previous event field value to another event field value So I have events that are tickets that have a State eg. "New" , "In Progress" , "Completed" etc and a short_descript... by Moreilly97 Path Finder in Splunk Search 03-12-2018 0 8	0	8
AddcolsTotals & Where Statement Hi, I wonder whether someone may be able to help me please. I'm using the query below which calcluates the differenc... by IRHM73 Motivator in Splunk Search 03-12-2018 0 14	0	14
Using Stats command to outputlookup Vs using table command Hi, To increase the performance of the search can we use stats command rather than table command to output the resul... by macadminrohit Contributor in Splunk Search 03-12-2018 0 5	0	5
Configuring field extractions for multivalue nested JSON events Hi experts, I am working with nested JSON events which look as follows: { [-] compliance: <compliance_stat... by sharad06 Explorer in Splunk Search 03-12-2018 0 4	0	4
How to join events with lookuptable based on numerical values? I want to join these two types of data: The following events have the recorded value for each step in a test. Test... by edrivera3 Builder in Splunk Search 03-12-2018 0 0	0	0
How to extract a field from a Juniper log? I'm trying to extract a field from a Juniper log. An event would end with something like this: reason=Close - RESP\x0... by bbsplunklog New Member in Splunk Search 03-12-2018 0 6	0	6
Case Rex on drop-down I have a query that receives input from a drop-down. Example info coming from the drop-down: Static: All = * Dynamic... by JoshuaJohn Contributor in Splunk Search 03-12-2018 0 2	0	2
tstats and inputlookup case sensitive problem We had problem this week with logs indexed with lower or upper case hostnames. We run this query in a scheduled macro... by splunkreal Motivator in Splunk Search 03-12-2018 0 4	0	4
How to get tstats results non-case sensitive? Hello, how to get tstats results non-case sensitive? \| tstats latest(_time) as latest,earliest(_time) as earliest W... by splunkreal Motivator in Splunk Search 03-12-2018 1 2	1	2
How to use EVAL Concatenation within TSTATS? Want to improve the TSTAT for the "Substantial Increase In Port Activity" correlation search. \| tstats allow_old_su... by donaldwayne1975 Path Finder in Splunk Search 03-12-2018 0 1	0	1
Rex Error help: How to extract a certain part of a string? Hi, I want to extract a certain part of a string, for instance: Input \\domain.org\teams\team1\bla\bla\bla \\domai... by bomran Explorer in Splunk Search 03-12-2018 0 4	0	4
Use field as _time for Timechart and timepicker I'm trying to chart some phishing logs over time which contain 3 time values: _time - The time when an analyst proces... by Kieffer87 Communicator in Splunk Search 03-12-2018 1 2	1	2