Splunk Search

Discussions

Thread Info

Dashboard: Replacing default text for empty reports

I'm developing a dashboard to display the results of several saved searches and everything's looking nice. I just ...

by Explorer in

Get last 3 events based on time in 1 index when an error happens in a different index

I have the below search where i get an errot and then i want to pull through the last 3 events prior to that error bu...

by Communicator in

How to see all values in a field

It says 41 values exist, but it's only showing 10. How do I see the rest, and select from them with checkboxes? This ...

by Builder in

Delta over Multiple SIDs

In my raw data I have a lot of values for a field called "sid". For each of those values I want to calculate the delt...

by Explorer in

How can I search for events that match two subsearches?

I'm trying to pull back events that have a specific field value, but should only return events that match that field ...

by Explorer in

How to group uri strings inside a case statement based on a substring portion of a uri

I have three types of uris stored in a field called uri. The uris are as follows: First type: /a/b/c/1/d /a/b/c/2/...

by Motivator in

Get last login time based upon a list of accounts in a CSV lookup file

I have a list of accounts that I wish to monitor in a csv file, say accounts.csv. The file looks like: userid,name...

by Explorer in

Display rows not older than 1 day based in a date column

Thanks in advance. We are trying to display the rows where the column is not older than 1 day and this has to be d...

by Path Finder in

Splunk Search & Reporting app returns "500 internal server error", only for one user.

I'm running Splunk Enterprise v 6.6.1 on Windows 2008 R2 (not by choice). Without making any configuration changes (t...

by Path Finder in

Avoiding a double-lookup for an efficient search

A user is only allowed to log in from one of their AllowedPlatform: userAllowedPlatform.csv | User | Allow...

by Explorer in

Strange behavior of an eval

"call" OR "exception1" OR "exception2" OR "exception3" | eval calls = if(like(message, "%call%"), 1, 0) | eva...

by New Member in

Command 'search' can't compare two floating numbers

I am writing a saved search to trigger and alert when a difference between values is higher than a threshold. A simpl...

by Explorer in

How can I extract additional fields from this source?

eg: source = shuttle(Oct1-3).zip:./shuttle/5720/LOG/shuttle_log.20171002 ,shuttle_3.zip:./shuttle_3/5720/LOG/shuttle_...

by New Member in

How do I get the event associated to a fired_alert?

I run this search: index=_audit action=fired_alert I get back this which looks like properties of the alert. Audit...

by Path Finder in

Lookups excluding answers if multiple same lines are found

I have a lookup that end users can update. However they might make a mistake and put in the same data twice. The issu...

by Motivator in

Dataset regexed field to uppercase

Hello. I have a dataset with a regular expression where i extract the hostname of the computer to a hostname varia...

by Communicator in

Exclusive Right Join option in splunk

I am trying to list the events from the subsearch which are not found in the main search. For example the subsearc...

by Path Finder in

Help extracting a value from this log?

Hi, can someone help me to exact "536 MiliSeconds" from below is log 6>2017-11-02T05:55:12Z d065d14b-3bcd-481c-512...

by Communicator in

Problem using set diff together with mvexpand

I'm trying to compare multi-value fields from multiple events and display the diff between the two sets. For examp...

by Explorer in

How do I delimit multivalue fields?

Dear All, We have a scenario, where For each Application_ID, Application_Name is having multi-value and delimited....

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Dashboard: Replacing default text for empty reports

Get last 3 events based on time in 1 index when an error happens in a different index

How to see all values in a field

Delta over Multiple SIDs

How can I search for events that match two subsearches?

How to group uri strings inside a case statement based on a substring portion of a uri

Get last login time based upon a list of accounts in a CSV lookup file

Display rows not older than 1 day based in a date column

Splunk Search & Reporting app returns "500 internal server error", only for one user.

Avoiding a double-lookup for an efficient search

Strange behavior of an eval

Command 'search' can't compare two floating numbers

How can I extract additional fields from this source?

How do I get the event associated to a fired_alert?

Lookups excluding answers if multiple same lines are found

Dataset regexed field to uppercase

Exclusive Right Join option in splunk

Help extracting a value from this log?

Problem using set diff together with mvexpand

How do I delimit multivalue fields?

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

What's New in Splunk Cloud Platform 9.0.2208?!

How to write a Splunk search for License Utilizati...

Is it possible to extract nested data make 2 key?

Why the error "sh: /opt/container_artifact/splunk-...

Why the error "sudo: unable to send audit message:...

Is it possible to turn 8 product charts into one t...