Splunk Search

Discussions

Thread Info

Search Chain

Hopefully this is an easy one. We have an alert setup that notifies us if a specific error occurs more than 30 times ...

by Explorer in

How to format subsearch to give results with OR operator between and dropping field names.

I have a scenario where my subsearch should yield results in following format. Index=index1 [search index=index2 earl...

by Contributor in

How to populate dropdown input with ids from search?

Can anyone please help me to populate a Dropdown input with the ids from this this search: index=main sourcetype=main...

by Contributor in

Combine search results from one source in chart

I am trying to build a visualization of change data to show over time the number of concurrent changes on going. So t...

by New Member in

some records are missing when I list by table; but when I query that specific event, I can find it.

I have a trade message sourcetype in JSON, which I properly set up in props.conf and can query fine. To do a recon...

by Path Finder in

How to compute subtraction?

Start Time End time Reason Difference 05/09/2016 18:05 05/12/2016 14:55 Target Up 05/12/2016 14:55 05/12/2016 15:22 T...

by New Member in

Why is the collect command not working when used with map command?

If I do this search index=log NOT "*INFO*" earliest=-40d@d latest=-39d@d | cluster t=0.3 field=raw showcount=t ...

by Communicator in

How to organize values in Statistics search?

Hi, I have a blob of text in both the title and description file, I've tried looking for how to seperate them when I ...

by Engager in

Should I use root events, root transactions, or root searches to set up my data model?

I apologize in advance for the super broad question and I realize that the answer may depend heavily on the structure...

by Communicator in

Why does the lack of subsearch results cause my search to fail with "Error in 'eval' command: Failed to parse the provided arguments."?

Lack of subsearch results causing query to error I have a search that looks at historical data (using timewrap) an...

by Engager in

Making same query run for different times

Hi, I have a dashboard with a query that currently runs for the time range 'Today' everyday. I want the time range...

by Path Finder in

How to compare to a lookup table and pull fields?

I have an index=foo and a lookup table defined as foo2. How can I compare my index to the table to show only results ...

by Path Finder in

Multiple Value Field Extraction Help

I am trying to come up with a Regex that will extract several field values from an event which can potentially have s...

by Path Finder in

Extracting fields from transactions that have status events

I have a couple of transactions I have created for example: Transaction A: startswith=Begin_Process endswith=Reque...

by Explorer in

Timechart field value by field woes

Hello, I have log messages that look like this: Handled MessageTypeA in 10ms Handled MessageTypeB in 23ms Handled ...

by New Member in

Top 10 hosts whose number of events has increased the most

Hello, I would like to know which of my host have an increase in their event number compared to usual. I first...

by Explorer in

How to extract more than one value out of a field extraction using delimiters

I'm using props.conf and transforms.conf to extract fields with delimiters, some of which are multi-valued. Example: ...

by Communicator in

Long label text in charts

Hi all, I've tried to find a solution with other questions, and the main thing about I found is SideViews, but all...

by Contributor in

Nested Search Query on across multiple files

Hi, I am trying to do a nested search. in Log A, I want to get all the users who has accessed "X". So my search qu...

by Explorer in

Fixed-width field extraction but removing trailing spaces

I am currently defining some sourcetypes for some db2 SMF logs (oh joy). Luckily, the fields are well defined and are...

by Builder in

Lookup CSV location

Hi, I would like to ask if the CSV file that is being referenced to in the search command can be from any director...

by Explorer in

with the same search conditions, I cannot make eval if function to return true...

For some use case, I need to make a new true/false field. Below condition returns 11 events in my data sample: | f...

by Path Finder in

Drilldown with $click$ values not working

I have a dashboard where I display a list of wines. I want to be able to incrementally add the wine name to a search ...

by SplunkTrust in

Different results for error "specified span would result in too many (>50000) rows" based on time range

I am trying to run the below to get the avg/max number of hits per second each day. I have tried this multiple times ...

by New Member in

Problem while joining

Hi everyone Need your kind help. I have 50+ fields under index='abc' i want to join the same with a lookup w...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Search Chain

How to format subsearch to give results with OR operator between and dropping field names.

How to populate dropdown input with ids from search?

Combine search results from one source in chart

some records are missing when I list by table; but when I query that specific event, I can find it.

How to compute subtraction?

Why is the collect command not working when used with map command?

How to organize values in Statistics search?

Should I use root events, root transactions, or root searches to set up my data model?

Why does the lack of subsearch results cause my search to fail with "Error in 'eval' command: Failed to parse the provided arguments."?

Making same query run for different times

How to compare to a lookup table and pull fields?

Multiple Value Field Extraction Help

Extracting fields from transactions that have status events

Timechart field value by field woes

Top 10 hosts whose number of events has increased the most

How to extract more than one value out of a field extraction using delimiters

Long label text in charts

Nested Search Query on across multiple files

Fixed-width field extraction but removing trailing spaces

Lookup CSV location

with the same search conditions, I cannot make eval if function to return true...

Drilldown with $click$ values not working

Different results for error "specified span would result in too many (>50000) rows" based on time range

Problem while joining

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

ES8 + Mission Control Usage rest API

Search for triggered save searches and their actio...

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Using Machine Learning Toolkit to detect auth abus...