Splunk Search

Community Activity

How can I use the "where" function to find where the output will be only the last 24hrs of the results? Ex: \| where first_seen<"24h" or where first_seen="-1d" this is what I used but obviously it's wrong. by GHOST27 Engager in Splunk Search 07-25-2017 0 2	0	2
"Account_Name" field listing in events 4624, 4768 and 4769 (Windows 2008) I am working on a query to extract all successful authentications (events 4624, 4768 and 4769) per user per day. The ... by bapruski Explorer in Splunk Search 07-25-2017 0 3	0	3
Need to identify the top 50 groups index=abc source=license_usage.log type=usage \| rex field=h "(ab2)(?P\w+[^\d+])" \|search Group=kb01m OR Group=kb02r ... by kteng2024 Path Finder in Splunk Search 07-25-2017 0 4	0	4
Field extraction from html email I've been banging my head against the wall trying to get this to work, and not succeeding, obviously. I have a 217 li... by manderson7 Contributor in Splunk Search 07-25-2017 0 2	0	2
Inputlookup subsearch shows invalid lookup I have a user who is receiving the error: No matching fields exist [subsearch]: The lookup table <-lookup>.csv is i... by mdsnmss SplunkTrust in Splunk Search 07-25-2017 0 3	0	3
How to prevent a user from running a high memory-use search and understand why this search consumed 120GB of memory on indexer(s)? We've recently run into some users that have run searches which resulted in Splunk Indexers crashing. I'm looking for... by Kieffer87 Communicator in Splunk Search 07-25-2017 0 4	0	4
How would I use multiple values from a subsearch as input to the main search? Hi All, I am looking for a query which will accept multiple value subsearch output as a input of main serach, See be... by mdwasimkhan Engager in Splunk Search 07-25-2017 0 5	0	5
splunk cooked mode v3 Data received from universal forwarder is displaying as below. Please advise how to get it as normal text. --splunk-... by dahada2010 New Member in Splunk Search 07-25-2017 0 5	0	5
How to generate a search to find when a user is created and deleted in a period of time? Hi, I want to run a search that alert me when a user is created and deleted in a period of time between 72 hours and... by wvalente Explorer in Splunk Search 07-25-2017 0 2	0	2
Extract a field using rex Hi, I want to create a new field named "RequestId" from the data after "channelRequestId:" field using regex. This i... by davidda Explorer in Splunk Search 07-25-2017 1 2	1	2
check server is up or not I have a lookup with the details of server and I want to check whether that servers are up or not. if not i have to ... by manjuase Explorer in Splunk Search 07-25-2017 1 5	1	5
How to search the logfile which name is dynamic like application_yyyymmdd.log Hi Splunk support, I have a set of log file which name as below: (today is 20170723) application_20170721.log appli... by oolongcat New Member in Splunk Search 07-25-2017 0 3	0	3
About setting alert (search) I would like to compare the two logs and output the attachment file name to the alert if it is the same message ID. ... by honobe Explorer in Splunk Search 07-25-2017 0 6	0	6
index time extraction I have to discard keyvalue pair from a event to null queue during index time extraction .Also there are certain key v... by aab5272 Engager in Splunk Search 07-24-2017 0 4	0	4
How to edit my search to compare the same 1 hour time frame, week over week? Hi and Thanks .. I've been researching and trying methods to do this (even tried timewrap) and am (finally) asking f... by jpaulovich Explorer in Splunk Search 07-24-2017 0 6	0	6
How to pass the time of an event to drill down I'm trying to set up a drill down report that will list the events of a transaction, but having issue getting the dat... by Kozanic Path Finder in Splunk Search 07-24-2017 0 5	0	5
Is there a search command for Splunk that will find the oldest event in the index for a host faster than letting a full query run? Is there a search command for Splunk that will find the oldest event in the index for a host faster than letting a fu... by esweeney Splunk Employee in Splunk Search 07-24-2017 2 4	2	4
Tracking User Activity Across applications without matching sourcetypes or Fields I am attempting to track user activity from vdi login to the use of a shared account to log into an application. For ... by scc00 Contributor in Splunk Search 07-24-2017 0 7	0	7
How to make Splunk stop searching after it finds a certain amount of results? I have tried head 100, but it seems like it does a regular search and then gives me 100 results because it takes the ... by rockyrush Explorer in Splunk Search 07-24-2017 0 4	0	4
How to calculate perc95 Response Time Hi, WHAT I NEED : Formula to calculate perc95 of responseTime WHAT I HAVE: I have a summary index which gives the b... by deepak02 Path Finder in Splunk Search 07-24-2017 0 3	0	3
How to combine graphs with different left and right axes? I have two graphs. The first shows the number of survey responses by week: Here is the search: index=webex_sentime... by mhtedford Communicator in Splunk Search 07-24-2017 0 6	0	6
What does the "Value" variable in my memory collection logs mean? When I enter In my the following into my Search... index=* host=* sourcetype="Perfmon"Memory" collection=Memory o... by drizzo Path Finder in Splunk Search 07-24-2017 0 1	0	1
How to should I perform a lookup between a url field and a url column inside a kv store file? Hi guys, I'm figuring out which steps should I follow in order to perform a lookup between a url field and a url col... by rookie507SL New Member in Splunk Search 07-24-2017 0 7	0	7
Add port 1521 to Splunk to connect to Oracle DB Hi. Is it possible to add port 1521 so that Splunk can connect to database? Thank you. by mrccasi Explorer in Splunk Search 07-24-2017 0 3	0	3
How to edit my search to find the total bandwidth by office subnet? Hi, We have MPLS connection and all our offices are getting the internet from our main office. What I want to see i... by ronaldlb80 Engager in Splunk Search 07-24-2017 0 7	0	7