Splunk Search

Ask a Question

Discussions

Thread Info

How to "join" two different searches with no common fields?

Splunkers! I need to join the follow inputlookup + event searche in order to have, for each AppID, the full set of...

by Path Finder in

How to remove limitations of join command

Hi, I'm using the join command to join to searches based on a common field called ITEM. Based on this join, I want...

by Path Finder in

How to break multiple values into a new row ?

Thanks in advance, We are having a hard time trying to split free and used space by partition, hope you can help.

by Path Finder in

HEC - Can I have 2 soucetype associated with single HEC token

I have created a HEC which is associated with index "AAA" and soucertype"ZZZ". Is it possible to have another soucety...

by Explorer in

How to show max TPS with trendline

I'm trying to show MAX TPS on a single value panel, with a trendline. Showing just TPS is easy: <search> earliest...

by Path Finder in

Foreach weird bug in variable

So I have this chunk of code eval matched=0 | foreach UF* [eval matched = if(like('<<FIELD>>',valMask),matched+1,m...

by Communicator in

Club two different searches into one

I have one search which gives results like below: PlanNumber PlanType 123456 C 879879 R 567891 C 2nd search gives ...

by New Member in

Timechart on dates in a file that may or may not change

I want a rolling 12 month bar chart. I have a lookup file (flagcve.csv) as follows. CVE,ReleaseDate CVE-2017-0144,...

by Explorer in

How to find difference between errors by server based on time?

I am attempting to do the following, I want to look at one system, a test system, for the last few months and compare...

by Contributor in

Locate where field extractions are used

Is there a way to determine everywhere that a field extraction is used? We're turning down an app and it just dawned ...

by Path Finder in

Result of subsearch field repeated instead of displaying unique values

Hi, I have a could of fields that contain multiple values, and I am trying to seperate them into sepereate records...

by Path Finder in

Source and sourcetype filtering no longer working after upgrade

After upgrade from Splunk 6.2. to 6.6.3 having large existing indexes, any search by either source or sourcetype does...

by Explorer in

Adding data from multiple fields into a new field

Hi All, Out of the many data fields, I have three fields "Created Time", "Number" and "Priority" (Image below). Wh...

by Communicator in

Lookup with variable Output

Splunkers! I'm facing the following use case. I've a search that return fields like: - date (month/year) - AppI...

by Path Finder in

How can I use dnslookup only when input logs.

We use DHCP. If dnslookup works for past ip address, they will change current host name.

by New Member in

what format are raw logs stored in the Indexer ?

In addition to the main question, Client wants to install Splunk in non-default partition (i.e not the default Splun...

by Motivator in

How do I find count of duplicates along with total events count?

I have payload field in my events with duplicate values like val1 val1 val2 val2 val3 How to do I search for t...

by Explorer in

Why am I getting the following error after updating from 6.6.0 to 6.6.3: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

I'm getting this error: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf Looking at t...

by Communicator in

iplocation/geostats to show events from statistics tab.

Hi, I'm trying to view event related to a specific country or city based on the source ip,so i ran the following quer...

by Engager in

How can I compare values from a lookup file with the indexed data?

Hi, A lookup file, with a single column, was configured for comparing the data that it's already indexed. The look...

by Communicator in

Comparing results from two different dates

Hello all, Search string: index=blahblah host=blahblah | fields host, EventCode | stats count by host, EventCode |...

by Path Finder in

Removed index from indexes.conf but still getting errors about index

I tried removing an index from /opt/splunk/etc/master-apps/_cluster/local/indexes.conf as per https://answers.splunk....

by Path Finder in

EVALstatement not working

My eval statement below is to check if 'Action is Required' only if the below conditions are met, I have also used ca...

by Communicator in

Need to exract amountTendered

EWS Response Content:{_ "responseHeader" : {_ "success" : "true",_ "serviceName" : "payment",_ "resourceName" : "paym...

by New Member in

EVAL statement not correct

My eval statement below is to check if 'Action is Required' only if the below conditions are met, I have also used ca...

by Communicator in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to "join" two different searches with no common fields?

How to remove limitations of join command

How to break multiple values into a new row ?

HEC - Can I have 2 soucetype associated with single HEC token

How to show max TPS with trendline

Foreach weird bug in variable

Club two different searches into one

Timechart on dates in a file that may or may not change

How to find difference between errors by server based on time?

Locate where field extractions are used

Result of subsearch field repeated instead of displaying unique values

Source and sourcetype filtering no longer working after upgrade

Adding data from multiple fields into a new field

Lookup with variable Output

How can I use dnslookup only when input logs.

what format are raw logs stored in the Indexer ?

How do I find count of duplicates along with total events count?

Why am I getting the following error after updating from 6.6.0 to 6.6.3: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf

iplocation/geostats to show events from statistics tab.

How can I compare values from a lookup file with the indexed data?

Comparing results from two different dates

Removed index from indexes.conf but still getting errors about index

EVALstatement not working

Need to exract amountTendered

EVAL statement not correct

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Proactively stream data to different index after C...

Write Splunk log with Laminas

Issues in multiselect input dropdown

Using splunk-sdk in user-defined functions in Spar...

Verification of SAML assertion using IDP's cert fa...