Splunk Search

Discussions

Thread Info

Subsearch for multiple sourcetypes and fieldnames

I need to do a search in two different sourcetypes and use the result to do additional searches in these queries. But...

by New Member in

Extract in Props.conf

I am trying to extract a field from cisco:asa events in my props.conf. Here is the event: Jan 23 11:04:57 taaaaaaa...

by Path Finder in

Show items which appear in clusters

I have a log file of the following sort: vendor productId clusterId A 1 1 B 2 1 A ...

by Path Finder in

Getting averages from 2 columns

Hi, I have a query that looks like this index=wholesale_app counter buildTarget=* product=* Properties.index=0 ...

by Motivator in

Cannot find log messages for -1d@d but -7d@d works

I have a Splunk alert that has been sending false emails. The alert is sent when a string is absent from the applicat...

by New Member in

Where does a lookup table need to be in a distributed search environment?

All, I'm having an issue where one of my indexers is complaining about a lookup table that I have setup on my sear...

by Contributor in

How to combine two sources using common field.

Hi everyone, I just start using splunk and hit a road block. Using two sources (Loaninfo and Loanapp), my end g...

by New Member in

How can we detect the heaviest search users during peak usage time?

Our indexers were under heavy load today and some crushed. Most likely it’s due to extensive search activity. Is ther...

by Ultra Champion in

SPL search pattern efficiency: join vs eventstats

We have a Splunk app that was developed in-house to track indicators that are submitted to a blocklist. Here's a simp...

by Champion in

RDP Session Daisy Chain

Hello, I am trying to form a script that will parse information to detect RDP sessions that are Daisy Chained ove...

by New Member in

Trying to get the domain from multiple email recipients using rex

sourcetype=mysource | rex field=shared_with "(?P[A-Za-z0-9]+.[a-zA-Z]+)$" emails going to several different recipi...

by Explorer in

How to add new field in existing index

I have a index that have 2 fields only index="TRIAL_INDEX" fields: sample1, sample2 And i will make a new field by...

by Builder in

addtotals to calculate percentage

I am trying to calculate what percentage of Operating Systems have windows 10 installed out of the total number which...

by Communicator in

How to decrease the count for everr search that is true

I'm trying to remove duplicates log from the search result every time the page is refreshed. eg index=main "Entered ...

by New Member in

Set values to 0 when there are no search results

Hi, on Splunk Enterprise 6.6.5 I have the following problem: I am using 3 saved searches in one dashboard via appe...

by New Member in

CSV files generated from Outputlookupand Outputcsv cant be re-used as input.

I used a search query to get a value. source="nfr-output_300_1.csv" host="IHTNW754752GG-L" index="main" sourcetyp...

by New Member in

How to combine 2 csv files and perform multiple eval operations on it and produce a graph?

I have 2 CSV files. Each CSV file has 2 fields "Start_Time" and "End_Time" 1. I need to find the "total time" taken i...

by New Member in

stats count for multiple columns in query

Hello All, I have query which is returning below result sets in table :Field1, Field2, Field3 are headers and BLAN...

by New Member in

How can I use lookup?

How can I do this in splunk?

by New Member in

How to edit my subsearch to keep a variable to add to the end results?

I am running 2 searches from 2 different source types. Search 1 Search for sidewinder traffic that went through at...

by Path Finder in

Is there an easy way to update a record in KV Store from the results of a Splunk search instead of bulk reloading a lookup table?

It seems using KV store from migrating from lookups seems to be very easy. Just outputlookup to a KV store stanza. Bu...

by Communicator in

lookup Compare value for 2 different Columns

This is my search - | metadata type=hosts | table host | lookup Device.csv Hostname as host OUTPUT Status | wher...

by Explorer in

Multiple expressions in single search

I'm trying to combine multiple rex expressions in a single search, but I'm having issues with my syntax. More specifi...

by New Member in

Sub-search doesn't work in some apps/dashboards but works in others and as a separate search

Been wrestling with this issue for a while now... I have a search like the below (sensitive information redacted). Th...

by Communicator in

Pair-wise Comparison Across Values of Different Fields

Splunk newbie here. What I'm trying to do is a pair-wise comparison across all of the values of two different fields,...

by Engager in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Subsearch for multiple sourcetypes and fieldnames

Extract in Props.conf

Show items which appear in clusters

Getting averages from 2 columns

Cannot find log messages for -1d@d but -7d@d works

Where does a lookup table need to be in a distributed search environment?

How to combine two sources using common field.

How can we detect the heaviest search users during peak usage time?

SPL search pattern efficiency: join vs eventstats

RDP Session Daisy Chain

Trying to get the domain from multiple email recipients using rex

How to add new field in existing index

addtotals to calculate percentage

How to decrease the count for everr search that is true

Set values to 0 when there are no search results

CSV files generated from Outputlookupand Outputcsv cant be re-used as input.

How to combine 2 csv files and perform multiple eval operations on it and produce a graph?

stats count for multiple columns in query

How can I use lookup?

How to edit my subsearch to keep a variable to add to the end results?

Is there an easy way to update a record in KV Store from the results of a Splunk search instead of bulk reloading a lookup table?

lookup Compare value for 2 different Columns

Multiple expressions in single search

Sub-search doesn't work in some apps/dashboards but works in others and as a separate search

Pair-wise Comparison Across Values of Different Fields

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Proactively stream data to different index after C...

Write Splunk log with Laminas

Issues in multiselect input dropdown

Using splunk-sdk in user-defined functions in Spar...

Verification of SAML assertion using IDP's cert fa...