Splunk Search

Community Activity

HEC - Can I have 2 soucetype associated with single HEC token I have created a HEC which is associated with index "AAA" and soucertype"ZZZ". Is it possible to have another soucety... by raomu Explorer in Splunk Search 01-18-2018 0 1	0	1
How to show max TPS with trendline I'm trying to show MAX TPS on a single value panel, with a trendline. Showing just TPS is easy: <search> earliest=1... by randy_moore Path Finder in Splunk Search 01-18-2018 0 12	0	12
Foreach weird bug in variable So I have this chunk of code eval matched=0 \| foreach UF* [eval matched = if(like('<<FIELD>>',valMask),matched+1,mat... by greggz Communicator in Splunk Search 01-18-2018 0 6	0	6
Club two different searches into one I have one search which gives results like below: PlanNumber PlanType 123456 C 879879 ... by bashtekar New Member in Splunk Search 01-18-2018 0 9	0	9
Timechart on dates in a file that may or may not change I want a rolling 12 month bar chart. I have a lookup file (flagcve.csv) as follows. CVE,ReleaseDate CVE-2017-0144, 0... by claatu Explorer in Splunk Search 01-18-2018 0 3	0	3
How to find difference between errors by server based on time? I am attempting to do the following, I want to look at one system, a test system, for the last few months and compare... by aohls Contributor in Splunk Search 01-18-2018 0 4	0	4
Locate where field extractions are used Is there a way to determine everywhere that a field extraction is used? We're turning down an app and it just dawned... by sheltomt Path Finder in Splunk Search 01-18-2018 1 5	1	5
Result of subsearch field repeated instead of displaying unique values Hi, I have a could of fields that contain multiple values, and I am trying to seperate them into sepereate records. ... by mahbs Path Finder in Splunk Search 01-18-2018 0 10	0	10
Source and sourcetype filtering no longer working after upgrade After upgrade from Splunk 6.2. to 6.6.3 having large existing indexes, any search by either source or sourcetype does... by ufotech Explorer in Splunk Search 01-18-2018 0 3	0	3
Adding data from multiple fields into a new field Hi All, Out of the many data fields, I have three fields "Created Time", "Number" and "Priority" (Image below). What... by shiv1593 Communicator in Splunk Search 01-18-2018 0 8	0	8
Lookup with variable Output Splunkers! I'm facing the following use case. I've a search that return fields like: - date (month/year) - AppID - ... by CarmineCalo Path Finder in Splunk Search 01-18-2018 0 3	0	3
How can I use dnslookup only when input logs. We use DHCP. If dnslookup works for past ip address, they will change current host name. by micchiiii New Member in Splunk Search 01-18-2018 0 0	0	0
what format are raw logs stored in the Indexer ? In addition to the main question, Client wants to install Splunk in non-default partition (i.e not the default Splun... by damode Motivator in Splunk Search 01-17-2018 0 1	0	1
How do I find count of duplicates along with total events count? I have payload field in my events with duplicate values like val1 val1 val2 val2 val3 How to do I search for the c... by relango Explorer in Splunk Search 01-17-2018 0 9	0	9
Why am I getting the following error after updating from 6.6.0 to 6.6.3: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf I'm getting this error: Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf Looking at th... by gregbo Communicator in Splunk Search 01-17-2018 0 6	0	6
iplocation/geostats to show events from statistics tab. Hi, I'm trying to view event related to a specific country or city based on the source ip,so i ran the following quer... by prithvi08 Engager in Splunk Search 01-17-2018 0 4	0	4
How can I compare values from a lookup file with the indexed data? Hi, A lookup file, with a single column, was configured for comparing the data that it's already indexed. The lookup... by Yaichael Communicator in Splunk Search 01-17-2018 0 6	0	6
Comparing results from two different dates Hello all, Search string: index=blahblah host=blahblah \| fields host, EventCode \| stats count by host, EventCode \| s... by matthew_foos Path Finder in Splunk Search 01-17-2018 0 3	0	3
Removed index from indexes.conf but still getting errors about index I tried removing an index from /opt/splunk/etc/master-apps/_cluster/local/indexes.conf as per https://answers.splunk.... by wsanderstii Path Finder in Splunk Search 01-17-2018 0 2	0	2
EVALstatement not working My eval statement below is to check if 'Action is Required' only if the below conditions are met, I have also used ca... by davidcraven02 Communicator in Splunk Search 01-17-2018 0 1	0	1
Need to exract amountTendered EWS Response Content:{_ "responseHeader" : {_ "success" : "true",_ "serviceName" : "payment",_ "resourceNam... by yograjpatel New Member in Splunk Search 01-17-2018 0 9	0	9
EVAL statement not correct My eval statement below is to check if 'Action is Required' only if the below conditions are met, I have also used ca... by davidcraven02 Communicator in Splunk Search 01-17-2018 0 3	0	3
fieldset input depends not valid Hi, I'm trying to add conditional form inputs, but I just get an error even though the docs say it's supported??? DO... by cdstealer Contributor in Splunk Search 01-17-2018 0 18	0	18
Subsearch vs. stats = different results. Why? Here are two searches, which I think are logically equivalent, yet they return different results in Splunk. Option 1... by lguinn2 Legend in Splunk Search 01-16-2018 0 5	0	5
How to add sub totals to a table Suppose I have the following table: comonent \| count \| --------------\|---------\| a1 \| 3 \| ... by vshakur Path Finder in Splunk Search 01-16-2018 0 2	0	2