Splunk Search

Discussions

Thread Info

split based on lookup

Hello, I have a set of windows events (4656 and 4663) which contain fullpathnames. I also have a list of 'critical...

by Observer in

Need help forming my search query for linux_secure sourcetype

I am receiving the /var/log/secure logs from my linux forwarder I am trying to create a search string that can detect...

by Explorer in

Lookup most recent login before event

Hi all, I have created a table that will show all FireEye events logged that contain a certain MAC address. This is t...

by Engager in

What are the list of Splunk commands?

I would like to have a list with (all) commands, their description, possible options and what ever is interesting abo...

by New Member in

Creating an If statement in Search with max() function inside

Here's what I have below. I'm trying to do unit conversion and the unit trails in the string (ex. 127 KiB). Any ideas...

by Engager in

Converting time in Time token to limit results till a particular date

I need to create a panel in dashboard which gives me list of activities till 23rd July 2017. Now, I don't want the st...

by Explorer in

How to comparing 2 date fields and create a third with the difference

Event_Reported_Time Comment_Date Diff 7/21/2016 7/22/2016 1 7/24/2016 7/29/2016 5 8/16/2016 8/25/2016 9

by Path Finder in

I need help with my search query

I have the follow search query: sourcetype=linux_secure source="/var/log/*" "su: (" | eval Date=strftime(_time, "...

by Explorer in

logs are missing from specific period in splunk

For example , i have a sourcetype=abc and data in splunk started missing for this sourcetype from past week . Can i p...

by Path Finder in

How to remove a field from a visualization, but not remove it from search results?

I have search results like this: Host---------------Description------------ EventSize 127.0.0.1----------Prod DB--...

by Explorer in

Change field to arbitrary value following a regex match using props.conf and transforms.com

I have two firewall devices that log their activities in different formats. I'm trying to create CIM compliant logs. ...

by Explorer in

How can we run searches based on token value?

I have two different searches and i want to run those searches based on the token. if any value is set for that to...

by Explorer in

How to use regex to extract field?

HI How to extract the field with space using regex? name: T11345DDF ERROR T11345SSDF Volume C values: 123455-25...

by Builder in

Repetive queries of LARGE indexes

We have an environment that indexes approximately 600GB / day. I have been tasked with creating queries that correlat...

by Contributor in

What is historical data?

While researching exchanging licenses between servers I came across "Historical Data." What is historical Data?

by New Member in

Can a lookup be used for renaming a field name?

Trying to figure out if can rename field names using lookup and CSV file. Something like this: index=main d_name="...

by Contributor in

Lookup in the Index Time

Hi, I have a file coming from the source ( UF ) in which I am getting two fields ( IP and PORT ) , Now I have a lo...

by Contributor in

Two multivalue fields needed

Hi - I need to extract two multivalue fields from each event. Let's say the strings are "AAA-" and "BBB-". Each strin...

by New Member in

How to replace values without using a join

I am using a join, but is there a better way to replace values? I have the following table. (NICKNAME + Human_Name...

by Influencer in

Searching events within a time range from csv file

My search operation consists of two parts Part 1: This job runs every 6 hours and keeps appending to the results o...

by Explorer in

Why am I getting an eval command error "The arguments to the match function are invalid"?

I would like to create a new panel in my Dashboard and I am using the following search string: index=$index$ event...

by Engager in

Splunk has to segregate the Logs when we imported.

Hi I need to segregate the logs which we imported splunk. Ex:- I want to extract the logs by using the word err...

by New Member in

How to automatically remove extraneous characters from field value?

Splunk is automatically (and correctly) extracting a user field/value in a particular set of logs, I'm looking for a ...

by Path Finder in

Plot the average of a field across all locations and have it as an overlay on a chart with the count of a field across a specific location

I am trying to do a timechart on the number of rows on a particular location as shown below. Pivot Query | search...

by Explorer in

How to generate a search to find the number of created accounts?

Hi, I'm trying to run a search that alerts me when 40 accounts is created within 1 minute. I'm talking about linux...

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

split based on lookup

Need help forming my search query for linux_secure sourcetype

Lookup most recent login before event

What are the list of Splunk commands?

Creating an If statement in Search with max() function inside

Converting time in Time token to limit results till a particular date

How to comparing 2 date fields and create a third with the difference

I need help with my search query

logs are missing from specific period in splunk

How to remove a field from a visualization, but not remove it from search results?

Change field to arbitrary value following a regex match using props.conf and transforms.com

How can we run searches based on token value?

How to use regex to extract field?

Repetive queries of LARGE indexes

What is historical data?

Can a lookup be used for renaming a field name?

Lookup in the Index Time

Two multivalue fields needed

How to replace values without using a join

Searching events within a time range from csv file

Why am I getting an eval command error "The arguments to the match function are invalid"?

Splunk has to segregate the Logs when we imported.

How to automatically remove extraneous characters from field value?

Plot the average of a field across all locations and have it as an overlay on a chart with the count of a field across a specific location

How to generate a search to find the number of created accounts?

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

.conf25 Community Recap

In Splunk studio, is it possible to populate a tex...

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

Splunk Search

Are you a member of the Splunk Community?

Discussions