Splunk Search

Ask a Question

Discussions

Thread Info

How do create an alert to trigger if my search returns a count that is greater than or equal to 20 per minute for 10 minutes?

Hi , We need to set up an alert to check if events with below format exists: index=idx1 sourcetype=compass:serv...

by Path Finder in

How do I edit my regular expression to extract a field from my sample log event?

Hi, I am trying to extract a field from a log event, but need help as my RegEx seems to be wrong. Input string: ...

by Path Finder in

Why my CLI query returns empty field values

My query works from Splunk Web UI and returns field values of Source in a table form, but it doesn't work from the CL...

by Path Finder in

What are the functions of commas and periods in the Splunk search language?

I was just wondering if the commas in this search are just to aid readability of the code, or if they are important t...

by Communicator in

Can someone tell me what each part of this search does so I can learn more about the search processing language?

Could someone please tell me what this does? I'm in the process of learning Splunk and knowing what each part of this...

by Communicator in

How to use a lookup to validate hosts against metadata

Hi, Is it possible to create a lookup, and then validate that data has been received from each host in the lookup ...

by Champion in

How do I get 3 fields on a timechart?

Hi, I have data that looks like this: REBOOT_REASON,EVENT_SUB_TYPE uc-keypad,etherLoss uc-keypad,etherLossRes u...

by Motivator in

Xpath command is not giving result

I have a XML embedded in another XML with escape characters <Audit> <tracker>XXXXX123</tracker> <Message>&lt?xml ...

by New Member in

Why Splunk is telling me that my eval expression is malformed?

I'm trying to evaluate the normal distribuiton's PDF into my search as follows: ... | eval prob=(1/sqrt(2*pi()*sig...

by Explorer in

Why is Regular Expression (Regex) grabbing digits in multiple cases?

I am trying to grab this response time **** info[[Path::/rest/motService][corRID::NAID-iOS-DFA65777-2339-4A0802F42...

by Contributor in

Finding USB and Removable Media Detection

I've recently had some Ransomware that I think came off of a users USB drive. I am worried he might have shared it wi...

by New Member in

How to sort the items within a stacked bar chart by size?

I have created a search to produce a stacked bar chart: (each shop sells the same items but in different quantities) ...

by Path Finder in

Why does the C# SDK 2.0 only work when a query produces results?

Perhaps similar to: https://answers.splunk.com/answers/206372/enumerating-empty-searchresultstream-causes-invali-1...

by New Member in

Splunk query

Hi I need to write a query for creating an alert whenever there is message in the "Splunk bar" message tab. Ple...

by Path Finder in

Query for scenario with status change

Hi All, I have a scenario where an entity when enrolled has many status i.e. EntityName Date Status Entity1 01-...

by Path Finder in

How to run rex commands from CLI mode

I want to run Splunk query from the cmd prompt. It works just fine with basic error search, but when I tried with...

by Path Finder in

How to run different timerange in subsearch versus the original search?

Hi, I'm trying to execute this query: index=index_cbo [search index=index_cbo 12018955000155 "An error ocurred...

by Engager in

How to fetch results by grouping the fields with a condition like count>0?

Hi Team, I have fields like txn_id and txn_chain_id where txn_chain_id can have more than 1 txn_id like: Log 1:...

by New Member in

Need help combining 2 separate searches on different log files and show the results on a single timechart as 2 separate lines

Hi - I'm having trouble in combining 2 separate searches and displaying the results on a single visualization (timech...

by Path Finder in

How to edit my regular expression to extract the date and time from my sample data?

Hi, I have data that looks like this: "-" 10.30.28.1 "10.30.28.1" - - [09/Sep/2016:16:58:31 -0500] "GET /ICHeal...

by Motivator in

How to edit my subsearch syntax to combine the results of my two searches?

Thanks in advance for any assistance.. I am trying to create an alert that creates a table that shows sourceIP, co...

by Explorer in

How to filter my search to only count the users that visited each location at least N number of times?

We have a listing of travelers. Every event has the following two fields: USER and LOCATION. I need a search that ...

by Communicator in

How can I get the subsearch results in the same row as the main search?

Hi, Please see the image below. I want to get shipcond=NEXTDAY in the first column also. How can I get that? Here,...

by Explorer in

why splunk doesn't resolve stats count on postprocess ?

when i try to run a stats count using postprocess splunk doesn't resolve the query search and i don't know why ? t...

by Contributor in

My search returns results but why does it not work as a query in my dashboard?

Hi, I have this query index=top10_1 source="*Account_Log*" OR source="*Arm_Disarm_Events*" OR source="*CPE_Comm...

by Motivator in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How do create an alert to trigger if my search returns a count that is greater than or equal to 20 per minute for 10 minutes?

How do I edit my regular expression to extract a field from my sample log event?

Why my CLI query returns empty field values

What are the functions of commas and periods in the Splunk search language?

Can someone tell me what each part of this search does so I can learn more about the search processing language?

How to use a lookup to validate hosts against metadata

How do I get 3 fields on a timechart?

Xpath command is not giving result

Why Splunk is telling me that my eval expression is malformed?

Why is Regular Expression (Regex) grabbing digits in multiple cases?

Finding USB and Removable Media Detection

How to sort the items within a stacked bar chart by size?

Why does the C# SDK 2.0 only work when a query produces results?

Splunk query

Query for scenario with status change

How to run rex commands from CLI mode

How to run different timerange in subsearch versus the original search?

How to fetch results by grouping the fields with a condition like count>0?

Need help combining 2 separate searches on different log files and show the results on a single timechart as 2 separate lines

How to edit my regular expression to extract the date and time from my sample data?

How to edit my subsearch syntax to combine the results of my two searches?

How to filter my search to only count the users that visited each location at least N number of times?

How can I get the subsearch results in the same row as the main search?

why splunk doesn't resolve stats count on postprocess ?

My search returns results but why does it not work as a query in my dashboard?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

In Splunk studio, is it possible to populate a tex...

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

Splunk Search

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!