Splunk Search

Discussions

Thread Info

How to edit my search to select the newest event based on LastModTime field?

So I'm taking in data from a source that has some duplicate records for the same ID. The only differentiator between ...

by Path Finder in

Use eval statement with and, if, then

Example: I'm trying to count how many books we have in our database based on subject: children's, romance, travel, et...

by Communicator in

How to remove a prefix on a field during search?

Hello, I'm trying to normalize a field during search. I have the field "user" and some of the fields are "NAU\abc123"...

by Explorer in

Alert when a host exceeds a certain number of messages per minute

I'm running a somewhat large splunk installation that monitors syslog for >40k hosts. Every once in a while, a host g...

by Explorer in

How do I create a time chart that predicts based on the values inside the search field?

I am trying to create a search that looks through some logs and creates a time chart based on the search field which ...

by Explorer in

How to get the 6 month ago column from field in lookup?

Hi, I have a column named Month in lookup file For example, Month 2017/02 2017/01 2017/01 2017/01 2016/12 2016...

by Explorer in

rex over 2 lines with 2 combined search phrases

I'm facing a problem with rex and working through many many threads which didn't help me to solve this issue. I ha...

by New Member in

How to color columns based on a variable?

I am charting a Product ID v/s count in a column chart I want to color the columns in red and green. Red if the PID i...

by New Member in

How to create a multivaluefield from fieldnames with a specific pattern?

Hi, let's say we have events with fields like: Event A: payload.productName1: payload.productName2: Event ...

by Motivator in

How to edit my search to show the count of a field per country?

I have a search below that shows the number of events by Country. I want to show the count of each dest_port per coun...

by Path Finder in

How do I iterate and match values within a column of my search result?

So, to start with, I have a table like this. Person role Time abc DBA 15-5-2017 abc SE 15-5-2017 xyz blahblah 14-2...

by Path Finder in

Help me with search query command

help me with JOIN query for my usecase i have index=abc sourcetype=abc index=abc sourcetype=pqr In sourcetype=abc...

by Communicator in

Metadata fields of custom search command

Hi guys, could you give me a documentation of the metadata fields of the custom search command? Im searching for s...

by New Member in

Writing a search that will catch sourcetypes that have logged in x amount of time

We are wokring on coming up with a methd to detect data that stops coming in based on sourcetype. I believe I will wa...

by Builder in

Re-apply extraction during search time for access_combined_wcookie data source

Is there anyway to apply access_combined_wcookie extraction to some historical data during search time? Some of the d...

by New Member in

How to determine how long a search will run for?

I've been waiting for over an hour and my search is still running with over 50 million events so far. I'm tempted to ...

by Path Finder in

where and eval clause does not work with "AND" condition?

Firstly, with below search, there are events returned: |from datamodel foo.fooo |search Counterparty=abc Transacti...

by Path Finder in

stats on transaction

Hello, I wonder about how can I do stats operation like counting of something inside of a transaction? I have a...

by Path Finder in

How to search for a user and then be able to see the computer he/she is logging into?

How would i search for a user and then be able to see the computer he/she is logging into?

by New Member in

what does the coalesce and eval in my query do?

Could anyone explain what does the below search string means ? | eval fieldA=coalesce(abc, "def")

by Builder in

Sparkline and Trend Indicator splunk

Hi, I did Sparkline and Trend Indicator splunk as compared to lastweek. In the result it showing as 92 means in...

by Path Finder in

How can i concatenate fields in my data then compare?

I am trying to find problems created by imaged systems running Alertus software. Scenario: Client checks into Aler...

by Explorer in

My extracted field contains special characters in extracted value. How can I replace it with actual string value?

Hi, My extracted field contains some special characters instead of actual string. For ex: Email_Address is ...

by Explorer in

How to combine multiple fields?

I have multiple fields with the name name_zz_(more after this) How would I be able to merge all of the like tests ...

by New Member in

eval searchmatch command OR if command

Hi, I need some help. I have two fields that mark the status alert, PROBLEM and OK, I'm trying to compare them with t...

by New Member in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to edit my search to select the newest event based on LastModTime field?

Use eval statement with and, if, then

How to remove a prefix on a field during search?

Alert when a host exceeds a certain number of messages per minute

How do I create a time chart that predicts based on the values inside the search field?

How to get the 6 month ago column from field in lookup?

rex over 2 lines with 2 combined search phrases

How to color columns based on a variable?

How to create a multivaluefield from fieldnames with a specific pattern?

How to edit my search to show the count of a field per country?

How do I iterate and match values within a column of my search result?

Help me with search query command

Metadata fields of custom search command

Writing a search that will catch sourcetypes that have logged in x amount of time

Re-apply extraction during search time for access_combined_wcookie data source

How to determine how long a search will run for?

where and eval clause does not work with "AND" condition?

stats on transaction

How to search for a user and then be able to see the computer he/she is logging into?

what does the coalesce and eval in my query do?

Sparkline and Trend Indicator splunk

How can i concatenate fields in my data then compare?

My extracted field contains special characters in extracted value. How can I replace it with actual string value?

How to combine multiple fields?

eval searchmatch command OR if command

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!