Splunk Search

Discussions

Thread Info

How to ignore some events at index time?

Hello, I have to index only events that contains the string "$$log$$". I try with a transforms like [ignore] REGEX...

by Path Finder in

how to remove white space in the beginning of string value in field?

In my field value are unstructured, few of the strings having space at beginning. Do anyone help, how to eliminate th...

by New Member in

How to separate the ordering of a chart Legend with the actual chart?

Has anyone know how to "decouple" or separate the ordering of a chart Legend with the actual chart? I've looked at "...

by Splunk Employee in

Any search examples for displaying a flame graph visualization?

Hi, i am trying to implement visualization using flame graph, i was able to download flames code from git. can som...

by Communicator in

How to edit my search to determine if a field has a null or blank value?

I'm trying to determine whether a field has a value but my search isn't giving me expected results, I've tried this: ...

by Explorer in

How to write multiple fields into one column as values?

Hi, I have a data that looks like this: ---------- *ID1 field1=value1&field2=value2&field3=value3* ----...

by New Member in

How to write a search for mapping fields based on dependency

Hi, I have a sample dataset as follows: PROCCESS_NAME STATUS p1 PASS p2 PASS p3 PASS p4 PASS p5 PASS p6 PASS Th...

by Builder in

Recursive search

I have a script that generates the time offset of a server from it's source, however, what I want to be able to do is...

by Engager in

How to fill empty field with the time now

My search throws empty time-related fields and I want to fill that compo with the current time

by New Member in

How do I compare my lookup table to multiple fields?

I have a lookup table with IP address indicators that I would like to be alerted on whether the IP address is the sou...

by Builder in

How to modify my regular expression to extract strings between two pipes?

hello, I need to extract the strings between both pipes " | | ", for instance, here are a few sample strings: (someti...

by Communicator in

How to write a regular expression to identify multiple capturing groups?

Hi, below is the stanza in transforms.conf. [rfc5424_header] REGEX = <(\d+)>\d{1}\s{1}\S+\s{1}\S+\s{1}(\S+)\s{...

by Contributor in

Where do you manually delete certain reports or dashboards on the server?

So I have mass copied the search app from Server A to Server B (Along with the users directory) to basically copy ove...

by Builder in

Why is my search using join returning zero results?

hi i am trying to do something like index=uk search [subsearch] | fields a b | join a [index=uk search | table a b...

by Path Finder in

Why does an extracted timestamp field show as _raw?

I've setup a field extractions with K=V; format and every field is working correctly except for the first field, "tim...

by Explorer in

How to extract username from my data?

Hi Splunkers, I have been struggling to extract user name from below values of user. user -------- user1@sa.com...

by Path Finder in

Manipulating Table Rows of Sensor Data to Shift _time

tl;dr : Need to manipulate rows / cols of a table in a specific way to avoid using subsearch, can't figure out how. S...

by Communicator in

Regex to split field, optional second field

I have a field that has a pattern where there is a first portion of the string that I'd like to capture into one fiel...

by Splunk Employee in

How to edit my search into a timechart?

In a past post someone helped me create the following search source=duo extracted_eventtype=authentication result...

by Path Finder in

Mass rename of fields

I want to rename any number of fields/columns based on simple patterns. From: randomfields, a1.name1.stuff, a2.nam...

by Motivator in

How to enable Search Assistant for all users on a Search Head Cluster?

I would like to enable to search assistant on my Search Head Cluster. The documentation recommends an edit to the fil...

by Builder in

get latest time stamp from two timestamps

HI I have two time stamps like "2017-01-30T19:22:39Z" "2017-01-29T19:17:33Z" From the above two timestamps I wan to g...

by New Member in

Cron expression for first two mondays of every month

I need a cron expression that would run a report on first two mondays of every month.What would be the expression?Tha...

by Engager in

fields - values search command breaks dashboard when edit mode was activated

Hi, I'm running Splunk 6.4.0 with two customers. When using the fields - values search command, the dashboard i...

by Path Finder in

EVAL is overwriting field of other add-on

Hi, I have an EVAL statements in two add-ons. The field names are same and the add-on that comes later in alphabet...

by New Member in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to ignore some events at index time?

how to remove white space in the beginning of string value in field?

How to separate the ordering of a chart Legend with the actual chart?

Any search examples for displaying a flame graph visualization?

How to edit my search to determine if a field has a null or blank value?

How to write multiple fields into one column as values?

How to write a search for mapping fields based on dependency

Recursive search

How to fill empty field with the time now

How do I compare my lookup table to multiple fields?

How to modify my regular expression to extract strings between two pipes?

How to write a regular expression to identify multiple capturing groups?

Where do you manually delete certain reports or dashboards on the server?

Why is my search using join returning zero results?

Why does an extracted timestamp field show as _raw?

How to extract username from my data?

Manipulating Table Rows of Sensor Data to Shift _time

Regex to split field, optional second field

How to edit my search into a timechart?

Mass rename of fields

How to enable Search Assistant for all users on a Search Head Cluster?

get latest time stamp from two timestamps

Cron expression for first two mondays of every month

fields - values search command breaks dashboard when edit mode was activated

EVAL is overwriting field of other add-on

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Alert Triggered Action: Dashboard Studio Snapshot

In Splunk studio, is it possible to populate a tex...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

Splunk Search

Are you a member of the Splunk Community?

Discussions