Splunk Search

Thread Info

How do I use the latest value given to replace a field that is NULL but both event have one common value?

As stated I want the latest value in "Hash Value" and "Type" column to be filled instead of being "NA" and "Unknown" ...

by Path Finder in

Why does rex/regex return different results than field-extraction?

Data: Nov 16 12:50:51 172.23.0.29 Nov 16 12:50:51 dc01 Microsoft_Windows_security_auditing.[1688]: Domain\user1: Secu...

by Path Finder in

Splunk enterprise 6.6.1 - existing custom apps are not opening

We have few custom apps in our splunk enterprise instance which were opening to all user before. Suddenly custom apps...

by Explorer in

How to extract a field using regex at indexing time?

Hi, I'm ingesting the data in JSON format. we have a field event.user, which is auto extracted. is there a way to ...

by Builder in

eval command

Ok I'm feeling kinda stupid this query works index=wholesale_app buildTarget=comcast analyticType=SessionStart ...

by Motivator in

How to assemble a field via indirect references to other fields

I have logs where the these fields exist: raw_message="Dropped table {table_name}" table_name="jobs" and I wan...

by New Member in

Are there any search and performance pitfalls with keeping data in hot buckets for 1 month and moving it from hot to cold directly?

I have gone through the documentation and want to check if a scenario like this will work out: -Hold 1 months data in...

by Explorer in

I've a log in which instead of X=Y, it is present as "X":"Y". How do I extract X as a field and Y as its value?

by New Member in

How can I identify duplicates in a multivalue field based on the value of another field?

I need to be able to identify duplicates in a multivalue field. The difficulty is that I want to identify duplicates ...

by Builder in

Tokens and Evals

I am trying to set up a form input and I feel like I'm missing some basic understanding of how tokens work. Our data ...

by Communicator in

How do I display fields in two separate indexes

I have two separate indexes for example index A and index B. I need to display one field from index A and one field f...

by New Member in

How to split a row by 2 field values

I have a sample data which I am trying to split over 2 fields. For Example: In above image we have a te...

by Explorer in

Transaction with multiple startswith conditions

Hi, I'm looking to get a duration for a transaction that has multiple startswith conditions they are BUFFERING ...

by Motivator in

Makemv command question

What is the best way to use the Makemv command when my logs have no delimiter? For example: field=abcd Where a,...

by Path Finder in

How can I monitor the usage of hundreds of specific email addresses?

I want to upload hundreds of email addresses in some format, so as to track the activity of each of those email addre...

by Path Finder in

Detect identical events but different hosts

Hello, I am searching all identical events that came from 2 different hosts. Dedup is not working because the ...

by New Member in

stats by date_hour and by another field add zero count for hours with no events

Hello, I'm working on a search to report the count of data by hour over any specified time period. At the moment i...

by New Member in

How to work out Total Staff numbers Entering Buildiing Each Day and Weekly Total

Afternoon Splunk Community Can you help me solve a problem? I have been asked to supply a report showing number...

by New Member in

i have 40 use cases to evaluate status or incidents in a log file? What programming approch should i follow, how can i use CASE statement here?

I have 40 usecases. I have 800+ incidents in incident log file Every inicident should be evaluated by these 40 useca...

by New Member in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Splunk Search

Discussions

How do I use the latest value given to replace a field that is NULL but both event have one common value?

Why does rex/regex return different results than field-extraction?

Splunk enterprise 6.6.1 - existing custom apps are not opening

How to extract a field using regex at indexing time?

eval command

How to assemble a field via indirect references to other fields

Are there any search and performance pitfalls with keeping data in hot buckets for 1 month and moving it from hot to cold directly?

I've a log in which instead of X=Y, it is present as "X":"Y". How do I extract X as a field and Y as its value?

How can I identify duplicates in a multivalue field based on the value of another field?

Tokens and Evals

How do I display fields in two separate indexes

How to split a row by 2 field values

Transaction with multiple startswith conditions

Makemv command question

How can I monitor the usage of hundreds of specific email addresses?

Detect identical events but different hosts

stats by date_hour and by another field add zero count for hours with no events

How to work out Total Staff numbers Entering Buildiing Each Day and Weekly Total

i have 40 use cases to evaluate status or incidents in a log file? What programming approch should i follow, how can i use CASE statement here?

Problem pulling multiple values from field-extraction within a subsearch

multivalue field search time extraction

SPL to take a field and make it a different "word"

Regular expression and aggregate the result

Query return value if NULL event

Table showing when a a user started an action but didn't finish it with the first and last event times

Index This | How many sides does a circle have?

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

ES8 + Mission Control Usage rest API

Search for triggered save searches and their actio...

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Using Machine Learning Toolkit to detect auth abus...