Splunk Search

Start a Conversation

Discussions

Start a Conversation

Thread Info

How to use _time as latest in search?

Hi I'm using a join command to join two searches, how can i use the sub-search for same time range? I'm not able t...

by Builder in

How to edit my rex mode=sed syntax to remove parts of a string value?

Hello, Apologies if this has been asked before (or if there is a much easier way of doing this), I haven't been ab...

by Explorer in

Use subsearch results as input token to another search

I have a dashboard panel search that contains a subsearch that returns formatted results from three source types base...

by Path Finder in

How to write a search to show any scheduled search jobs that may have been delayed and for how long?

We have a problem with scheduled searches where they will sometimes be delayed due to heavy load on our search heads/...

by Path Finder in

Is outputlookup command atomic?

Hi, Do you know if "outputlookup" is an atomic operation (for both kvstores and csv files)? I have something li...

by Communicator in

Summary indexing searches

Hi, This is a carry-on question from a previous post. https://answers.splunk.com/answers/439628/scheduling-multipl...

by Explorer in

inputlookup - How to search through all lookup fields

Hi, Splunkers! Looking for easy way to get results from any lookup table like it might be: | inputlookup mylookup ...

by Contributor in

Why is the eval if statement in my search not producing any results if I add anything more with the AND operation?

I am doing a search on two sourcetypes and looking for data that matches multiple parts of a field called method. The...

by Path Finder in

How to edit my stats search to display certain fields based on a resulting value?

I have some data that looks like: Status Rec_Cnt Message OK 723 File produced 723 records ERROR ...

by Explorer in

How filter results from the outer search in join subsearches?

I'm trying to monitor a set of hosts that run a batch process, and I want to produce output that dynamically identifi...

by Path Finder in

How to compare values of a field in a transaction?

Is it possible to compare values in a transaction? I have a transaction with maxspan of 5 minutes, which group eve...

by Communicator in

How to search for events that are in one index, but not in another without using a subsearch?

I have 3 indexes containing events with IP addresses, index1, index2, and index3. My goal is to return a list of all ...

by Explorer in

How to edit my search to get all fields associated with an internal_message_id field?

Trying to correlate email security appliance logs to email malware analysis logs. I am using the following code th...

by Contributor in

How scheduling works?

Hi, I have a scheduled search that runs every 1 minute and it searches events on last 1 minute. Will this searc...

by Communicator in

How to store search result to variable in Splunk?

Hi, Please let me know how to store search result to variable in splunk [like the one in below mentioned code in h...

by Explorer in

How to calculate duration from start date, start time and DATETIME (end date and time)

I have the following 3 fields and need to calculate the duration (in this case it should be .63 seconds)? I know that...

by Explorer in

How to filter out numercial value from the particular field

Hi, I have a field which contains both string and numeric value .I want to run a serach query which can exclude da...

by New Member in

What effect does the search TTL in limits.conf have on the dispatch directories?

Receiving the well kwown warning messages on the dispatch directory: Too many search jobs found in the dispatch di...

by Communicator in

How to use a value created with eval to search my events for a particular line of text?

Hi, I am trying to use a value from an eval as search data. I am searching my events for a particular line of tex...

by Path Finder in

If statement with AND

Hi, Is it possible to use AND in an eval if statement.. for instance if(volume =10, "normal" if(volume >35 AND <40...

by Explorer in

*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:
SOAR (f.k.a. Phantom) >>
Enterprise Security >>
Splunk Enterprise or Cloud for Security >>
Observability >>

Or Learn More in Our Blog >>

Splunk Search

Discussions

How to use _time as latest in search?

How to edit my rex mode=sed syntax to remove parts of a string value?

Use subsearch results as input token to another search

How to write a search to show any scheduled search jobs that may have been delayed and for how long?

Is outputlookup command atomic?

Summary indexing searches

inputlookup - How to search through all lookup fields

Why is the eval if statement in my search not producing any results if I add anything more with the AND operation?

How to edit my stats search to display certain fields based on a resulting value?

How filter results from the outer search in join subsearches?

How to compare values of a field in a transaction?

How to search for events that are in one index, but not in another without using a subsearch?

How to edit my search to get all fields associated with an internal_message_id field?

How scheduling works?

How to store search result to variable in Splunk?

How to calculate duration from start date, start time and DATETIME (end date and time)

How to filter out numercial value from the particular field

What effect does the search TTL in limits.conf have on the dispatch directories?

How to use a value created with eval to search my events for a particular line of text?

If statement with AND

Is it possible to change the severity/color of the...

Why does statistics from a tstats change while the...

How to write query for Windows Remote Desktop Conn...

Help with Transforming an ingest of timestamped da...

How to generate alarm for when CPU peaks at100% o...