Splunk Search

Ask a Question

Discussions

Thread Info

How can I optimize the performance of my current base search and subsearches?

I have a base search to collect all data and some subsearches that access these base searches to draw graphs. Base...

by New Member in

How to compare values from two fields from different sources but only keep an uncommon value?

Hi community, I have a combined search which includes two sourcetypes. Both include a field with a username. Let's...

by New Member in

How to edit my search to get a weighted average based on total event count?

New to splunk, so if any more info needs to be provided, please let me know. I'm trying to get a weighted average,...

by New Member in

Show Only Logon Events

I simply will audit our Administrators on which Systems they are logged on right now. but i cannot separate only E...

by Path Finder in

How to generate a search that will let me know if Splunk is installed on a host and if the host is sending data or not?

how can i know that a particular host is sending data or not? and how can i know that the Splunk agent is installed i...

by Communicator in

How to find the time taken to create a particular index in Splunk?

Hi All, I have to find the "time it took to create my index in Splunk". Can anyone please help me how to find tha...

by Explorer in

How to display cumulative results' count of events in timechart by hour?

I want to show the sum of events in a search from the earliest time to the time increasing hour by hour. Because I wa...

by Explorer in

Why do I sometimes get "Failed to load component" in the Events tab while performing a search?

During a search, the query runs and i get the extracted fields in the fields sidebar however in the panel for events ...

by New Member in

"Configuration initialization took 1441ms for C:\Splunk\etc" How do I get rid of this warning message?

"Configuration initialization took 1441ms for C:\Splunk\etc" Can someone please let me know how to get rid of this...

by Explorer in

Multiple match in lookup File

I have a search query which gives me the following information in the table: Device | MsgType | TimeStamp A |MSG1...

by New Member in

How do I do Field (column) selection for post process search in a dashboard panel?

In a dashboard I'm trying to drive several charts off a single query and use post process search to select the fields...

by New Member in

How to extract a string without using rex or erex?

How to extract a string without using rex or erex? Ex: I don't have clear logs for phone numbers, want to extract ...

by Explorer in

How to resolve "approaching the maximum number of historical searches" message received after moving to search head cluster?

heyyyy everyone, anyone run into this annoying message before? we keep getting this after moving to a search head...

by Contributor in

How to generate a search that will look for Splunk apps that have not been used?

Any one know of a search that will look for Splunk apps that have not been used by any user for a week, etc?

by Splunk Employee in

How to create a lookup table for sourcetypes that are indexed into Splunk?

Hi all i have various number of sourcetypes. i want to create lookup table for all my sourcetypes. i want all my s...

by Path Finder in

Does anyone already have a Formatter (User defined language) for Splunk search text or dashboard XMLs on Eclipse or Notepad++?

Searched a bit, but could find anything. Does anyone already have a Formatter for Splunk search text or Splunk dashbo...

by Explorer in

Is it possible to divide all individual values in field1 by the column total of field1?

Hi there, I am wondering - is it possible to divide values in field1 by the column total of field1 and create a new f...

by Explorer in

How to extract base_url and guid values into two separate fields from our current sample URL field?

Hi I have log files which collect url as: cs_uri_stem="/dsa/api/playercommands/a6ada68b-7a72-4f38-b752-d99f7ef...

by Path Finder in

What is the eval command doing in this search?

We use eval command to create new field, and we used this as function ex: |stats count(eval(method="GET")) as get. Ca...

by Communicator in

How do I edit my search using tstats to get top hosts by percentage?

I run the following every morning, but I know it could be accomplished more efficiently using tstats, but I cannot ge...

by Contributor in

Is it possible to use the join command to join data from an index with a lookup table?

Hello, I want to know if it is possible to use a join command with inputlookup instead of a lookup to join data b...

by New Member in

How to generate a search that will find values which are hexadecimal only?

I have a query which returns a field which is occasionally a 13-digit hexadecimal value, and occasionally a string wh...

by Explorer in

How can I search for specific text within _raw?

Good morning, I want to search for specific text within the _raw output of my syslog messages. Something along the...

by Path Finder in

What is the best way to join search queries in different time zones?

What is the best way to join search queries in different time zones? I have tried following and it doesn't work. It j...

by Explorer in

How to get the first event from a search AND get 1 event in a timechart by source?

Hi all, How to get the first event from a search AND get only 1 event in a timechart by source ? (and not "by source,...

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How can I optimize the performance of my current base search and subsearches?

How to compare values from two fields from different sources but only keep an uncommon value?

How to edit my search to get a weighted average based on total event count?

Show Only Logon Events

How to generate a search that will let me know if Splunk is installed on a host and if the host is sending data or not?

How to find the time taken to create a particular index in Splunk?

How to display cumulative results' count of events in timechart by hour?

Why do I sometimes get "Failed to load component" in the Events tab while performing a search?

"Configuration initialization took 1441ms for C:\Splunk\etc" How do I get rid of this warning message?

Multiple match in lookup File

How do I do Field (column) selection for post process search in a dashboard panel?

How to extract a string without using rex or erex?

How to resolve "approaching the maximum number of historical searches" message received after moving to search head cluster?

How to generate a search that will look for Splunk apps that have not been used?

How to create a lookup table for sourcetypes that are indexed into Splunk?

Does anyone already have a Formatter (User defined language) for Splunk search text or dashboard XMLs on Eclipse or Notepad++?

Is it possible to divide all individual values in field1 by the column total of field1?

How to extract base_url and guid values into two separate fields from our current sample URL field?

What is the eval command doing in this search?

How do I edit my search using tstats to get top hosts by percentage?

Is it possible to use the join command to join data from an index with a lookup table?

How to generate a search that will find values which are hexadecimal only?

How can I search for specific text within _raw?

What is the best way to join search queries in different time zones?

How to get the first event from a search AND get 1 event in a timechart by source?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

In Splunk studio, is it possible to populate a tex...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions