Splunk Search

Thread Info

Why am I getting less fields returned from a search with the stats command compared to transaction?

Hello! I've been told to use stats values() instead of transaction for performance issues. However, with long log ...

by Engager in

Unauthorized Vulnerability Scan - External

HI everyone, I am trying to figure out about Unauthorised Vulnerability Scan - External.. we detected an external ...

by Communicator in

How to search for results that are in result A, but not result B?

I have 2 logs: an error log and a success log. When an item fails (error log), it is retried. I would like to filter ...

by New Member in

Is there a more efficient solution than my current search to validate whether data from two different sources is the same?

I am trying to validate whether data from two separate sources is the same. I have indexed two csv files of 450,000+ ...

by Path Finder in

Null Question

Null

by Path Finder in

Stats/Chart count distinct users by Country and eval field?

Hi, I have a query showing the amount of distinct logins by IP address based on the "term" i've created in the que...

by Path Finder in

Is it possible to use a search value or a token in the outputlookup name?

Hi! Is it possible to pass into lookup's name created by outputlookup command a token or a search value? Smth l...

by Builder in

How to dynamically fill null values with the last known field value based on the results of search?

I have log data that doesn't always contain a user ID, but I would like to fill the user ID field with the last known...

by Engager in

How to edit my search with appendcols to alert on a 99% drop in logging from an app_pool?

alt text I want an alert if an application pool drops more than 99% of logging. (We have an issue where before a JVM ...

by Builder in

How to gather a span of 5 Seconds for the Max EPS/TPS for a given Day Span?

So I've posted a question a week ago regarding finding the max EPS for a timespan of a day. The query that I am using...

by New Member in

How to search for two groups of field values?

So I've got 2 different values I'm trying to use; letters & numbers. I want to be able to say If letters = a b or...

by Communicator in

What is the best way to join a row with rows in another table?

Hi guys, I need to create a join with a row, and this row has multiple occurrences in another table. What is the b...

by Path Finder in

how to place commas in the output of a chart with columns that varies depending on the search

how to place commas in the output of a chart with columns that varies depending on the search (example is date). Samp...

by Explorer in

Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

Hi All, When I execute the search below, it works fine: index="X" sourcetype="xx" "applicationCode: 123" "prov...

by Explorer in

Why does my search with the mvexpand command never finalize?

Hi guys, I have a problem with a table with 78k of register. I'm trying to expand a multivalue field, but the s...

by Path Finder in

Simple Json formatting into table

Hi, I posted similar question earlier but I dont see it anymore as posted so reposting simplified version. json ha...

by Explorer in

How to search email logs for potential SPAM IOC via character count or special characters in a field?

We are ingesting some of our email logs, and one of the fields is 'Subject'. I was wondering if anyone has create...

by Influencer in

How do I extract a string of numbers using rex?

I am dealing with a SQL log file. The field I am attempting to extract a string of numbers from is called 'SQL_BIND'....

by New Member in

Which is the best way to extract fields: field extractor, rex and eval commands, or props and transforms?

Out of three ways to extract the fields, 1. BY using rex or eval command in search 2. By using field extractor optio...

by Path Finder in

How to use inputlookup to check if hosts in a CSV have been sending events to Splunk, then use eval to output "yes" or "no"?

I want to inputlookup a CSV and search the hosts in the CSV to see if they have been reporting into Splunk, and then ...

by Contributor in

Wildcard in Lookup: Why am I getting error "The lookup table 'ssIdlookup' does not exist. It is referenced by configuration data_sourcetype"?

All, I've seen this: https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.ht...

by Contributor in

How do I map these fields from my sample log file at index or search-time?

Hello. I have the following log file: 2016-06-28T10:08:08.152Z: pass proto tcp from 10.60.13.19:33099 to 10.193.44...

by Builder in

How to get a timechart for two values, but not sort by the split-by field alphabetically?

I'm trying to plot to two separate values against another value like this timechart avg(x) avg(y) by z And I w...

by Engager in

Is it possible to extract a multivalue field from an already extracted field using fields.conf?

I was wondering if it's possible to extract an mv field, from an already extracted field, using fields.conf? For e...

by Motivator in

Too many search jobs found in the dispatch directory + Keep on extending the job expiry time + Search artifacts not removed as per ttl

I see too many search jobs present in the dispatch directory. Even after completing the jobs the expiry date keep on ...

by Motivator in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Splunk Search

Discussions

Why am I getting less fields returned from a search with the stats command compared to transaction?

Unauthorized Vulnerability Scan - External

How to search for results that are in result A, but not result B?

Is there a more efficient solution than my current search to validate whether data from two different sources is the same?

Null Question

Stats/Chart count distinct users by Country and eval field?

Is it possible to use a search value or a token in the outputlookup name?

How to dynamically fill null values with the last known field value based on the results of search?

How to edit my search with appendcols to alert on a 99% drop in logging from an app_pool?

How to gather a span of 5 Seconds for the Max EPS/TPS for a given Day Span?

How to search for two groups of field values?

What is the best way to join a row with rows in another table?

how to place commas in the output of a chart with columns that varies depending on the search

Why is my search with an eval case condition resulting in error "The expression is malformed. Expected )."?

Why does my search with the mvexpand command never finalize?

Simple Json formatting into table

How to search email logs for potential SPAM IOC via character count or special characters in a field?

How do I extract a string of numbers using rex?

Which is the best way to extract fields: field extractor, rex and eval commands, or props and transforms?

How to use inputlookup to check if hosts in a CSV have been sending events to Splunk, then use eval to output "yes" or "no"?

Wildcard in Lookup: Why am I getting error "The lookup table 'ssIdlookup' does not exist. It is referenced by configuration data_sourcetype"?

How do I map these fields from my sample log file at index or search-time?

How to get a timechart for two values, but not sort by the split-by field alphabetically?

Is it possible to extract a multivalue field from an already extracted field using fields.conf?

Too many search jobs found in the dispatch directory + Keep on extending the job expiry time + Search artifacts not removed as per ttl

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

Search for triggered save searches and their actio...

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Using Machine Learning Toolkit to detect auth abus...

Proactively stream data to different index after C...