Splunk Search

Community Activity

How can I edit my search so if my subsearch returns no results, my main search returns all events from index="test"? index="test" [search index="test_summary" key_field="y" \| head 1 \| eval search = "_time>" . _time \| fields search] \|... by rmuraly Explorer in Splunk Search 09-19-2016 0 2	0	2
What is the meaning of my regular expression? Hi, I used splunk to extract a new field and it has used this regular expression, rex "^(?:[^\\|\n]*\\|){6}(?P<error... by namritha Path Finder in Splunk Search 09-19-2016 0 6	0	6
How to add a clientip field to data sources for the iplocation command? I have a general question and I am more of a power user than admin level here (but I'm in the process of becoming one... by brian1_tate Path Finder in Splunk Search 09-19-2016 0 2	0	2
Why is my tstats including other counts? Hi, I am querying an accelerated data model for active directory, using the search below. However, the results are ... by a212830 Champion in Splunk Search 09-19-2016 0 3	0	3
How to exclude events with null fields in a search? Hello Splunkers, I've got a search built thats working properly but I'm not able to get the events with a particular ... by lbogle Contributor in Splunk Search 09-19-2016 10 8	10	8
How to search multiple sources within my search? How do I search multiple source files within my search? I want to do something like: source="/foo/bar/2016/09/{08,15... by andreacorrie Explorer in Splunk Search 09-19-2016 0 8	0	8
Is there an easy way to create a drilldown for an area chart? I have a dashboard panel that shows the sum of outbound data where I want to click on a value and display the raw eve... by pgort New Member in Splunk Search 09-19-2016 0 3	0	3
Extracting Fields from Structured HL7 Data I am trying to figure out how to extract structured data from an HL7 2.x message The entire message is wrapped in a... by dmbreton New Member in Splunk Search 09-19-2016 0 3	0	3
Graph the same time period but from 1 week previous Hi, I have a query that looks like this <chart depends="$tableurlerror$"> <title>URL Errors by Host Detail... by dbcase Motivator in Splunk Search 09-19-2016 0 12	0	12
Extra conditional search based on eval result Hi, I've a periodic anomaly detection search (alert) query that results like this in inline mail result table; AVER... by ozirus Path Finder in Splunk Search 09-19-2016 0 3	0	3
Why can't I get my search results to sort properly? Hi, I have this search index=main \| rex "(?i)\".*? /(?P<URL_HEADER>\w+/\w+)"\| rex "(?i) UCT\-(?P<URL_MICRO_SECONDS>... by dbcase Motivator in Splunk Search 09-19-2016 0 2	0	2
How to create a single value panel that changes based on weighted values? I want to create a single value panel that starts at 100, and when a specific alert goes off with an assigned weight,... by JoshuaJohn Contributor in Splunk Search 09-19-2016 0 15	0	15
Is there a way in splunk to get the Custom sql query execution time ? I am writing a custom sql dbxquery. When this custom query executes I want to know when it gets started and when its ... by JBNB007 New Member in Splunk Search 09-19-2016 0 1	0	1
How can I improve my active directory data search so that it does not take a long time to load? Hi, I have a search that is taking waaaaaaaaayyyyyyyyy too long and am looking for idea on how to improve it, be it ... by a212830 Champion in Splunk Search 09-19-2016 0 2	0	2
How to count events that are common or existing among multiple sourcetypes? Seeking help of Splunk Gurus. I have three sourcetypes : TICKET_OPENED, TICKET_ACTIVITY & TICKET_CLOSED. A common fi... by christopheryu Communicator in Splunk Search 09-19-2016 0 6	0	6
Getting the time that maximum count occurs every hour I have a search that finds the maximum number of events that occur in a single second on any given hour during the da... by klodian90 New Member in Splunk Search 09-19-2016 0 1	0	1
Variable earliest and latest? Hey, This forum has been so very helpful... I really cannot thank the posters here enough! However, I have a quest... by stevensa Explorer in Splunk Search 09-19-2016 3 4	3	4
subtract previous results with current result Hi All, I have a result which shows the total user directory count for every 1hr, but I want to how many user got cr... by kpavan Path Finder in Splunk Search 09-19-2016 1 4	1	4
Can't use rex extracted value in new search because value isn't an extracted field Hi all, I've written the following query: sourcetype=mysourcetype DA-bericht [search sourcetype=mysourcetype "Beri... by Whistler Engager in Splunk Search 09-19-2016 0 6	0	6
How to fix my time-based lookup? Hi at all, I'm trying to use time based lookups and I found the following problem: I created a Time Based Lookup and ... by gcusello SplunkTrust in Splunk Search 09-19-2016 0 2	0	2
Show a result even if no events match As part of a larger project, one of the things we want to do is to let the user build tables with one search criteria... by DaleFRice Explorer in Splunk Search 09-18-2016 2 5	2	5
How to compare two counts from a single stats search, and alert if there is a large difference between the results? I have searched a lot and haven't found a straight answer to this, yet. I want to create an alert on spikes of load ... by Xarian Explorer in Splunk Search 09-18-2016 0 4	0	4
within "Extract Fields", how can I start the regular expression with a value from another field? I have a field 'foo', it has a value like "data1_data2" I'd like to make an Extracted Field that starts with the co... by chgray New Member in Splunk Search 09-18-2016 0 2	0	2
How to search for failed logins of a specific Active Directory group? Greetings. I am looking to search failed logins for a particular Active Directory group(s). I was thinking I'd have... by SplunkLunk Path Finder in Splunk Search 09-17-2016 0 1	0	1
"Failed to properly initialize the key-value parser for transform_name 'REPORT-wf'. You must define least one delimiter." I extract various fields using the other delimiter " , Only the admin user can see the fields, but all users are sup... by monteirolopes Communicator in Splunk Search 09-17-2016 0 3	0	3