Splunk Search

Discussions

Thread Info

How to get correct host information from a Universal Forwarder to intermediary heavy forwarder to Splunk Cloud

We have a setup where we have a syslog-ng server that forwards all events using a UF to a HF and then to the cloud. T...

by Engager in

understanding the transforms.conf

hi, Can someone please explain me the below transforms.conf . I read the documentation ,but it's not clear to me . ...

by Path Finder in

How to write a query to have count of time where time is greater than 20s hits of one field "Time " against total time hits "Time" ,to create alert .

here is a search i'm using for one alert. sourcetype=xx source="*yy" method=* timeDiff| eval Time=ltrim(rtr...

by Path Finder in

How to trim values from results

Hi, We are looking to have my file name more readable and that being said FIlename looks like below and need to trim ...

by Path Finder in

How to generate a search to find unique IPs hitting a specific URL in Specific Time Range?

Hello - I'm trying to write a search string that finds unique IPs hitting a specific URL in 30 minute bursts. For exa...

by Communicator in

How to extract source and destination IP fields?

I am trying to configure various search fields for a firewall log from the field extractor but Splunk is pulling up s...

by Engager in

Display only differences in values, between 2 events

Hello, I'm looking events that track changes to a configuration. The first event is the "before" state the newest eve...

by Explorer in

How to edit my search to limit results to a specific user?

Hi i'm working w/ the below search and getting good results for all currently logged in user accounts but would anyon...

by Explorer in

How to include only certain fields in an email sent from an alert

I have an alert that looks for a pattern in an event that is an xml: ie. ":2017-03-01 06:02:16,194 INFO 7010 Syste...

by Path Finder in

How to generate a search that determines inactivity of firewall rules?

I'm having issues creating a search that determines inactivity of firewall rules. I'd like to determine if a firewall...

by Explorer in

Unknown error for peer xxx. Search Results might be incomplete

Splunk 6.4.2のSearch head 2台、Indexer 12台の分散環境を使っていますが、時間がかかるサーチを実行するとUI上に以下のエラーが表示されることがありますが、エラーが表示される原因および解決方法を教えてくだ...

by Contributor in

Why does appendcols cause a search to produce different results?

Hello all, I have an index of events, each of which has an enter and exit timestamp where _time is associated to t...

by Motivator in

How can I merge 2 tabled rows and add field values from columns as new fields?

I am looking to combine columns/values from row 2 to row 1 as additional columns. I am not sure which commands should...

by New Member in

Why am I receiving "Search process did not exit cleanly, exit_code=255, description="exited with code 255"" error with my current search?

Hi Folks, While executing the below command on Search and Reporting app, we are getting below error. could you ple...

by Explorer in

Searching Splunk logs and looking for occurrences of values fed from a CSV file

Hi, All, Here's what I have: I have a csv file (1 column, 1000 values) which I've uploaded to the lookup dir: "/op...

by New Member in

mainframe log parsing help - crazy log format

Greetings I have been staring at the below for sometime and I have no idea where to start to get this log to parse...

by Communicator in

Group by two or many fields fields

Hi This is my data : I want to group result by two fields like that : I follow the instructions on t...

by New Member in

What is the max value for maxsearches? Is there a way to NOT have a max (set to 0 or -1)?

by Path Finder in

Would my search detect a malicious user, attempting to connect to multiple destinations, but only one failed login to each destination?

Problem with this search? Would the following search detect a malicious user, trying to connect to multiple destin...

by Path Finder in

can i pass a subsearch argument as a greater than relationship?

I've looked into format and it doesn't look like I can replace the "=". I want to change ( ( DateStart="12/14/...

by Communicator in

How to remove max outliers from timechart?

I'm time-charting public transit vehicle "layover" time. ("Layover" is how long a driver takes a break upon reaching ...

by Splunk Employee in

Why is my search skipping?

Hi, index=_internal source=*metrics.log group=searchscheduler | timechart partial=false span=10m sum(dispatched) ...

by Path Finder in

getting the list of all saved searches

hi, can i please know the query to list all the saved searches and query used for those saved searches , user id .

by Path Finder in

subtract response time value in 'ms' from the _time field and assign it to new field.

Hi, Our application logs an event at the end of completion of an api call with response time in milliseconds(ms) ...

by Builder in

How to compare a lookup field value with my current search?

HI All, I have a lookup table with host names value around 10 field name host. I have this search index=Application s...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to get correct host information from a Universal Forwarder to intermediary heavy forwarder to Splunk Cloud

understanding the transforms.conf

How to write a query to have count of time where time is greater than 20s hits of one field "Time " against total time hits "Time" ,to create alert .

How to trim values from results

How to generate a search to find unique IPs hitting a specific URL in Specific Time Range?

How to extract source and destination IP fields?

Display only differences in values, between 2 events

How to edit my search to limit results to a specific user?

How to include only certain fields in an email sent from an alert

How to generate a search that determines inactivity of firewall rules?

Unknown error for peer xxx. Search Results might be incomplete

Why does appendcols cause a search to produce different results?

How can I merge 2 tabled rows and add field values from columns as new fields?

Why am I receiving "Search process did not exit cleanly, exit_code=255, description="exited with code 255"" error with my current search?

Searching Splunk logs and looking for occurrences of values fed from a CSV file

mainframe log parsing help - crazy log format

Group by two or many fields fields

What is the max value for maxsearches? Is there a way to NOT have a max (set to 0 or -1)?

Would my search detect a malicious user, attempting to connect to multiple destinations, but only one failed login to each destination?

can i pass a subsearch argument as a greater than relationship?

How to remove max outliers from timechart?

Why is my search skipping?

getting the list of all saved searches

subtract response time value in 'ms' from the _time field and assign it to new field.

How to compare a lookup field value with my current search?

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

In Splunk studio, is it possible to populate a tex...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions