Splunk Search

Discussions

Thread Info

Remove data from Index

I have indexed many months worth of data, but would like to "remove" only the first of the 3 months worth of data. Ho...

by Communicator in

Is it possible to do a set command on a subsearch that already uses a set command?

Greetings, Is it possible to do sets of sets? e.g. (though this doesn't work) | set diff [ | set intersect [se...

by Engager in

How to edit my regular expression to extract a string between percentages and other characters?

I have to get "THIS" out of O_name%253DTHIS%2526, for my_field. I'm a regex newb. i tried the following but it ...

by Explorer in

How to search the number of times a universal forwarder went down in a day?

Hi , We are facing an issue with our universal forwarder where the Splunk agent on universal forwarder is going do...

by Path Finder in

What are the best resources to understand and know about all of the extraction commands in Splunk SPL?

I want to understand and know about the all of the extraction commands (like rex) in Splunk SPL. Kindly guide me to a...

by Engager in

Syntax that works in 6.1.1 (SPLUNK Enterprise) doesn't work in 6.4.2 (HUNK)

This syntax .. | stats sum(transmitted_MB) AS transmitted_total_MB, sum(received_MB) AS received_total_MB, count e...

by New Member in

How is transactiontypes.conf called i.e. is it called by props.conf?

How is transactiontypes.conf called i.e. is it called by props.conf? I found this documentation but that's it. http:...

by New Member in

How to match IP and CIDR block in a single Lookup file and match the lookup file field as OUTPUT

Hello Guys! I have a lookup file with both IP Address and IP ranges e.g. ip, threat_key, description 10.10.1.1...

by Engager in

Trying to find if at least one value of a multivalue field matches another field

Hello, I am trying to figure out how to check if inside a list of paths that are inside a multivalue field there is o...

by Communicator in

Finding Splunk Roles?

How to get Splunk Sever roles using Splunk internal logs(autid,internal, etc ..) without using Rest command ?

by Contributor in

How to dynamically create a field for each API with eventstats?

I have an index with several API calls and I would like to dynamically create a field for each API which can then be ...

by Engager in

lookup is not working

I am doing it using GUI as i dont have server access. I have lookup file serverrole.csv host,role,environment A,X,pro...

by Communicator in

rex expression

I need to extract the account name from this snippet of a Windows security event log: Account For Which Logon Fail...

by Communicator in

How can I quantify the intermittent failure of a regular event?

My logs contain records of scheduled events. Sometimes the events fail, usually in 1 of 2 modes: systematic - once th...

by Path Finder in

Searching across multiple standalone indexers without data replication / indexer clustering

I have 6 different DCs with standalone Splunk ENT installed working as indexers and no replication for security reaso...

by Communicator in

validate a value base on the lookup

I have a csv lookup table like: item, expression a, "value>12 AND value<14" b, "value=1" c, "value!=111 " d, "value<1...

by New Member in

How to display a total count of results from an IP address instead of listing each event related to that IP?

Hi, I use Splunk at work and I've just downloaded Splunk Light to my personal server to test and learn. I've recen...

by Explorer in

How to modify my stats search to join multiple fields from three sources?

I have data coming in from three sources, with three different sets of fields: Source 1: Filename Source 2: Filena...

by Engager in

How to create a KV store that pulls events from an indexer?

Hi, I am trying to create a KV Store that pulls events from an indexer. It should display the Event, Log Line, Dom...

by Explorer in

Why are the second y-axis labels being overwritten by the original y-axis labels? (charting.axisY2.text displayed as charting.axisY.text)

The second y-axis labels are being overwritten by the original y-axis label. I can see the the correct label briefly,...

by Explorer in

How to extract dates from event results and compare them?

Hi, I've been doing lots of study on this, and now I am stuck.. hoping to get some insight here. I'm an absolute noob...

by New Member in

Search filter giving unexpected results

I have the following search: index=ironstream MFSOURCETYPE=SMF110 (SAPPLID=CSFBTP0* AND (TRAN=PA6* OR HOL* OR SMX*...

by Explorer in

I missed a field in my custom sourcetype

I am trying to add a field that I missed on my custom sourcetype. If I add it to the transforms.conf, the data (event...

by Path Finder in

Has anyone created a Splunk Chargeback Model that includes number of and performance heavy searches, not just data indexed and support costs?

We are currently working a chargeback model for our Splunk platform. At first glance we were thinking it would be fai...

by Explorer in

Splunk search query to list down all eventtypes

Can anyone please help me to write a search query, which lists down all eventtypes?

by New Member in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Remove data from Index

Is it possible to do a set command on a subsearch that already uses a set command?

How to edit my regular expression to extract a string between percentages and other characters?

How to search the number of times a universal forwarder went down in a day?

What are the best resources to understand and know about all of the extraction commands in Splunk SPL?

Syntax that works in 6.1.1 (SPLUNK Enterprise) doesn't work in 6.4.2 (HUNK)

How is transactiontypes.conf called i.e. is it called by props.conf?

How to match IP and CIDR block in a single Lookup file and match the lookup file field as OUTPUT

Trying to find if at least one value of a multivalue field matches another field

Finding Splunk Roles?

How to dynamically create a field for each API with eventstats?

lookup is not working

rex expression

How can I quantify the intermittent failure of a regular event?

Searching across multiple standalone indexers without data replication / indexer clustering

validate a value base on the lookup

How to display a total count of results from an IP address instead of listing each event related to that IP?

How to modify my stats search to join multiple fields from three sources?

How to create a KV store that pulls events from an indexer?

Why are the second y-axis labels being overwritten by the original y-axis labels? (charting.axisY2.text displayed as charting.axisY.text)

How to extract dates from event results and compare them?

Search filter giving unexpected results

I missed a field in my custom sourcetype

Has anyone created a Splunk Chargeback Model that includes number of and performance heavy searches, not just data indexed and support costs?

Splunk search query to list down all eventtypes

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Proactively stream data to different index after C...

Write Splunk log with Laminas

Issues in multiselect input dropdown

Using splunk-sdk in user-defined functions in Spar...

Verification of SAML assertion using IDP's cert fa...