Splunk Search

Discussions

Thread Info

is there a way to get metadata about a search result with loadjob

Hi, I am trying to get the metadata info of the search artefact that is returned by loadjob (when loading the lat...

by Engager in

Save Button Grayed Out When Editing Regex (Field Extraction)

I am trying to extract a new field from an event using regex in Splunk 6.5. I've progressed through the "Extract a Ne...

by Path Finder in

How to import files that change names when they roll over to a new daily file

Hi, I have a system which logs data into a file, once about 24 hours of logging occurs the file is renamed and a n...

by Explorer in

How to edit our props.conf to assign a time field in our sample JSON event as the event timestamp?

Can you please tell us how to assign event log time (ALERT_TIMESTAMP fields value ) as the event timestamp (_time)? S...

by Builder in

How to change my sample timestamp to a different time format?

Hi, I have time entries like 2017-01-04T19:12:33.0117979+00:00 in the logs. How can I change this to 2017-01-04 19...

by Explorer in

How to edit this search to exclude some servers from the metadata?

by New Member in

Why is regex not returning any results when used in a tstats search?

I have a correlation search that triggers on users accessing too many URLs categorized as unknown. | tstats allow_...

by New Member in

Lookup Definition Not Replicating Across Search Head Cluster

I have pushed a static lookup file via the Deployer to all of my Search Heads. I then configure the lookup definit...

by Builder in

What should I do, if anything, when approaching the max number of searches?

Sometimes I see this message in Splunk Web: You are approaching the maximum number of searches that can be run con...

by Splunk Employee in

Indexed Events Per Minute

Hi, is it possible to write a search, that shows the total count of events by indextime (span=1m)? Best Hein...

by Motivator in

How to dedup a combination of two fields and get the count of unique values per host?

We have devices that generate thousands of a particular entry. I created a daily search to summarize. I combined the ...

by New Member in

Why is my search stuck in "Finalizing job..." status and does not return any results with Internet Explorer (IE11)?

Hello. I just finished upgrading from 6.3.3 to 6.5.1 last night. This morning, I am able to reproduce a problem where...

by Builder in

How to search multiple field values from a table?

I have a lot of details in my table, so I want to search values from some of the fields IN THOSE FIELDS There is one ...

by Explorer in

how to set default count=0 when the search result is null

When the search result is null with the special filter, how to show it with count =0 instead of no record? index=a...

by New Member in

Can I make a trendline that overlays my area chart?

eventtype=cv "Source Client"=* "Destination Client"=slc-p-res* OR dab* Duration=* | convert dur2sec(Duration) AS Dura...

by Communicator in

Why does having multiple values for mvlist produce unexpected results for my transaction search?

I am still not able to get 2 fields in the mvlist list. Here is my transaction line now: | transaction visitID mvl...

by Explorer in

How can we optimize our current search?

We want to optimize below query as it's taking 4 Min to execute. index= idx_prod sourcetype=SRC1 "Sent message:"...

by Path Finder in

Why is the date 2017-01-01 marked as calenderweek 2017-52 when using eval strftime?

Hi, I'm calculating the calenderweek with this: | eval calenderweek=strftime(_time,"%Y-%V") For some reason...

by Motivator in

How to aggregate sequences of consecutive events into transactions?

Hi Team, I need to aggregate sequences of all consecutive events with a field Door=''Open" delimited with sequence...

by Contributor in

why undefined text is displayed in search bar when i open a search from dashboard( like pie chart search)

Hi, My problem is "undefined" word is displayed when i opened in search bar. In turn it gives some random values ...

by Path Finder in

How do you swap key/value pairs for two-column data?

I'm trying to swap the roles of two columns. Normally, there is one "key" in the first column for every group of "val...

by Explorer in

How do I extract the entire value for a field in my sample data?

I'd like to get contents between fields. Here is a sample log. CheckPointCount=N/A,CheckPointRestart=no,CheckPoint...

by New Member in

Conditional field based on transaction

Hi I am currently using transaction to generate a report on length of user session, which is working well. The nex...

by Explorer in

If one field has many values, a single value, or is null, how do I extract those as separate fields?

req_event_id field has values like: PL-ADMIN-11004.30A5748A69B1:AEECB6513 PL-ADMIN-11004.30A5748A69B1:AEEC909E6 PL...

by Explorer in

How to extract key value pairs out of a multivalue field?

Hi, is it possible to extract key value pairs out of a multivalue field like this: multivaluefield: sales:100 ,...

by Motivator in

Get Updates on the Splunk Community!

Splunk Search

Discussions

is there a way to get metadata about a search result with loadjob

Save Button Grayed Out When Editing Regex (Field Extraction)

How to import files that change names when they roll over to a new daily file

How to edit our props.conf to assign a time field in our sample JSON event as the event timestamp?

How to change my sample timestamp to a different time format?

How to edit this search to exclude some servers from the metadata?

Why is regex not returning any results when used in a tstats search?

Lookup Definition Not Replicating Across Search Head Cluster

What should I do, if anything, when approaching the max number of searches?

Indexed Events Per Minute

How to dedup a combination of two fields and get the count of unique values per host?

Why is my search stuck in "Finalizing job..." status and does not return any results with Internet Explorer (IE11)?

How to search multiple field values from a table?

how to set default count=0 when the search result is null

Can I make a trendline that overlays my area chart?

Why does having multiple values for mvlist produce unexpected results for my transaction search?

How can we optimize our current search?

Why is the date 2017-01-01 marked as calenderweek 2017-52 when using eval strftime?

How to aggregate sequences of consecutive events into transactions?

why undefined text is displayed in search bar when i open a search from dashboard( like pie chart search)

How do you swap key/value pairs for two-column data?

How do I extract the entire value for a field in my sample data?

Conditional field based on transaction

If one field has many values, a single value, or is null, how do I extract those as separate fields?

How to extract key value pairs out of a multivalue field?

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Joining records in a table

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

Splunk Search

Are you a member of the Splunk Community?

Discussions