Splunk Search

Ask a Question

Discussions

Thread Info

Duration of a single event

Splunkers! I need to compute the duration of a event, as the difference between the two field (END_TIME and OPEN_T...

by Path Finder in

Why does my search not finish?

index="king" source ="/King/East" I am confused why my search doesn't finish. I have a '2 month window' applied to...

by Engager in

how to search for a field containing timedate relative to todays date?

I have a field named "Expiry date" that contains future dates. I want to make a search that list will all entries tha...

by Explorer in

What is the search range given for beginning and end query?

Given the following log lines: Alpha Beta Gamma Hello World Soup I would like to query ` | first="Beta" | las...

by New Member in

How to fix the mismatched bracket in regex?

Hi, I have the below regex and Splunk keeps telling me I have a mismatched "[" and for the life of me I can't figu...

by Motivator in

How to pair values of the "FIELD" with values of the "VALUE" field?

I'm trying to figure out the best way to extract values currently displayed under the field name "FIELD", for example...

by Communicator in

How to keep the original start time, but continuously update the end time using the dedup command?

So the query that is currently in use is: index=name source=source_name | fields start_time end_time src subject c...

by New Member in

transform field in sha256 before indexation

is there a way to transform a field in sha256 before indexation? in the sourcetype ? I can do that after using ...

by Path Finder in

How to create a search to make a table of count of failed logins by user with fields in other columns?

A table with the count of failed login by a user for a day over the period of 7 days with the columns date, sourceip,...

by New Member in

How to get a single value subtraction from two Timecharts?

Hi, I have two searches Total Memory and Available memory and I want to subtract this two queries result, so that ...

by New Member in

How to use tstats and get raw last event?

Hello, I would like to get raw last event for each source listed by tstats, how to do? I've tried tstats ... | joi...

by Motivator in

How to exclude values from evaluation ?

I have a list of values for trans_time field ranging from 0 to 45000 (not continious values). I am performing some c...

by Contributor in

Why are the values showing wrong stats?

earliest=-32d@d | search Mode="GoNoGo" | stats dc(source) by Number | eval A=if(source= "faulty.csv", "Fail", "Pass"...

by Explorer in

Why IQR shows me only 10,000 results ?

I'm trying to find outlier using IQR method suggested by Splunk. I wonder why the statistics only shows 10,000 result...

by Contributor in

Applying a search filter (srchFilter) conditionally

Hello, I'm working on a Splunk system where we want to restrict users to certain data behind the scenes based on t...

by Explorer in

How to get an average value in timechart with time format?

I want an average answering duration of each HR persons in hh:mm format rep_duration is the time taken to answer and ...

by Explorer in

How to extract values from all fields?

Hi Team, I want to extract the values like left side(LABEL on of the fileds) all fields and values should take from a...

by Engager in

How to find the totals of status codes per uri per day?

I am using the following search: ( sourcetype=iis ) sc_status=500 |stats count by uri_path sc_status date but...

by Explorer in

Auto extracted field with kv_mode is overriding my default source and sourcetype

Hi Not sure this question has been asked before, I didn't seem to find that particular one, so here goes: I'm u...

by Path Finder in

Search Schedule Window option not there

Hi all, I have a 6.3.0 enterprise clustered installation with several alerts running with 5min intervals. Most of ...

by Path Finder in

Anybody have an idea for base64 decoding of fields in Splunk 6.5

Hi. I have upgraded to Splunk 6.5, and have a new source, with some base64 encoded values. I have tried looking at...

by Contributor in

Compare data from Yesterday and today without Weekend

host=somehost sourcetype=somesource earliest=@d+9h latest=now| timechart span=15m dc(UserId) | appendcols [search hos...

by New Member in

is the stats count is count of event or count of word?

For example I have a query like below index=ABC | stats count by host Does stats is the word count of all the...

by Builder in

In a time limited table, I'd like to indicate which field values are unique across the whole data set?

Hi there, I have this dashboard that displays a table of field values from a data set. At the top are some filters...

by New Member in

Match value from lookup table to values of specific fields

Hi, How to match lookup table of ip addresses with the existing field value of host_ip I want to display IP ad...

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Duration of a single event

Why does my search not finish?

how to search for a field containing timedate relative to todays date?

What is the search range given for beginning and end query?

How to fix the mismatched bracket in regex?

How to pair values of the "FIELD" with values of the "VALUE" field?

How to keep the original start time, but continuously update the end time using the dedup command?

transform field in sha256 before indexation

How to create a search to make a table of count of failed logins by user with fields in other columns?

How to get a single value subtraction from two Timecharts?

How to use tstats and get raw last event?

How to exclude values from evaluation ?

Why are the values showing wrong stats?

Why IQR shows me only 10,000 results ?

Applying a search filter (srchFilter) conditionally

How to get an average value in timechart with time format?

How to extract values from all fields?

How to find the totals of status codes per uri per day?

Auto extracted field with kv_mode is overriding my default source and sourcetype

Search Schedule Window option not there

Anybody have an idea for base64 decoding of fields in Splunk 6.5

Compare data from Yesterday and today without Weekend

is the stats count is count of event or count of word?

In a time limited table, I'd like to indicate which field values are unique across the whole data set?

Match value from lookup table to values of specific fields

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Using Machine Learning Toolkit to detect auth abus...

How to check MQ reconnects after a connection is d...

I cloned HTTP traffic collection from Splunk Strea...

Proactively stream data to different index after C...

Write Splunk log with Laminas