Splunk Search

Thread Info

How can I use joins (or an alternative) for a search that joins 3 different event types each on different time scales?

Hi, I've written a query (see original query below) which joins 3 different event types to display A_events start...

by Explorer in

How to use 'OR' boolean in an eval expression?

We're combining many types of searches into one tabled alert. We create our own variables with an eval statement and ...

by Path Finder in

How can I customize my chart with a new y-axis label?

Is there a way to customize the column charts label, or the y-axis? What I want to do is create a column with the ...

by Path Finder in

How can I sort a field alphabetically and then by total?

I have the following search in which I'm trying to sort first alphabetically and then by total, but the Processes fie...

by Influencer in

Create a variable that combines two string values

I have a simple question: I have two variables foo and bar, each containing a set of strings, and I would like to...

by Path Finder in

Compare search results with a lookup table and identify unobserved matches

I have a query that shows observed category of domains (search engines, social media, streaming, etc.). I'd like to c...

by Builder in

How do I parse a key value field in Splunk and search based on values of that field?

I have a log as follows 14AUG2017_12:54:44.903 3418:13 INFO filename.cpp:200 ID:abc123 contextInfo: [ peer_service: ...

by New Member in

Why does the table command in Splunk cause performance degradation?

When I use this command ( table ) it runs at a slow speed .... please help me. Thank you for your answer.

by New Member in

How to put working hours from each user by day in a time chart

My search so far: index=notimportant EventID=4624 [ inputlookup users.csv | fields TargetUserName ] | chart eval(...

by New Member in

Displaying either value or fixed string based on if statement

Hello everyone, So what I'm trying to do with this is print out a value into a Single Value Panel (42). Depending ...

by Explorer in

Can I use modulus in Splunk to extract the decimal portion (only) of a result?

how to extract only decimal values in splunk ? ..example (7 divided by 2 ) = 3.5 , I need to get only 0.5 here ...wil...

by Explorer in

How to use lookup file to set earliest and latest time

I have a lookup file with dates. how do i use it to set earliest and latest inorder to search for events, For exam...

by Communicator in

Regex to insert ":" after every second character

Hello I have a string of all uppercase letters (no digits) I need a regex to insert a ":" after every second chara...

by Observer in

How can I make visualizations with time format hh:mm:ss?

Hi, I have the below statement with the correct statistics output. However my visualization is empty. But when I u...

by Communicator in

From a list of column values can we print one final, single message?

Hi All, I want to compare result column Names which is displaying 3 kind of messages. Normal, Elevated, Critical. Ex...

by Explorer in

Can I have the difference of two values as the output using appendcols? How?

index=main (sourcetype=bb OR sourcetype=cc) type=DELETE | transaction info.agentId startswith=COMPLETED endswith=DELE...

by Path Finder in

Can I deploy a new app that only changes one of my two universal forwarders if they have the same inputs.conf?

Hi, For example, we have 2 universal forwarders UF1 = web01abc23 UF2 = web01cde21 Both are having same inpu...

by Path Finder in

How do I migrate my configuration (dahsboard, alerts, fields, etc) to a new Splunk instance?

I migrated the database "splunk/var/lib/splunk" but when I copy my configuration files, the fields and alerts disappe...

by New Member in

How can I write a search that returns _time in 1-second intervals even when _time stamp doesn't match a value?

Hello Guys, I have a column _time Ex Values (Suppose the search has 4 events here): 2017-08-11 12:06:51 2017-0...

by Explorer in

Can you help me write an eval case function search?

I am looking for help with a case statement that looks for a field full load with a value of "running CDC only in fre...

by New Member in

How to extract the fields using regex and props.conf at indexing time?

Hello, How to use Regex in props.conf to extract the fields in the below sample event with source type "syslog". ...

by Builder in

What time modifiers do I use for earliest and latest for day before yesterday, 2 days before yesterday, 3 days before yesterday, and so on?

For yesterday's results we give the earliest and latest as below earliest=-1d@d latest=@d Simillarly, what cou...

by Builder in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Splunk Search

Discussions

How can I use joins (or an alternative) for a search that joins 3 different event types each on different time scales?

How to use 'OR' boolean in an eval expression?

How can I customize my chart with a new y-axis label?

How can I sort a field alphabetically and then by total?

Create a variable that combines two string values

Compare search results with a lookup table and identify unobserved matches

How do I parse a key value field in Splunk and search based on values of that field?

Why does the table command in Splunk cause performance degradation?

How to put working hours from each user by day in a time chart

Displaying either value or fixed string based on if statement

Can I use modulus in Splunk to extract the decimal portion (only) of a result?

How to use lookup file to set earliest and latest time

Regex to insert ":" after every second character

How can I make visualizations with time format hh:mm:ss?

From a list of column values can we print one final, single message?

Can I have the difference of two values as the output using appendcols? How?

Can I deploy a new app that only changes one of my two universal forwarders if they have the same inputs.conf?

How do I migrate my configuration (dahsboard, alerts, fields, etc) to a new Splunk instance?

How can I write a search that returns _time in 1-second intervals even when _time stamp doesn't match a value?

Can you help me write an eval case function search?

How to extract the fields using regex and props.conf at indexing time?

What time modifiers do I use for earliest and latest for day before yesterday, 2 days before yesterday, 3 days before yesterday, and so on?

How to get the Maximum and Minimum time difference between the events

How to split stats results into single line item for each event

Is there a way to create a hyperlink in a stats table to an external site?

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Search for triggered save searches and their actio...

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Using Machine Learning Toolkit to detect auth abus...

Proactively stream data to different index after C...

Splunk Search

Are you a member of the Splunk Community?

Discussions