Splunk Search

Discussions

Thread Info

How to pass one value at a time to a search from a subsearch?

I am looking to run anomaly detection on failed and successful logons per user per host over a given time frame (7 da...

by Explorer in

How to group multiselect drop-down values?

I have a multi-select dropdown which is dynamically populated. I want to show only one option to the user to choose f...

by Communicator in

How to check if each value in multivalue field exists in another multivalue field?

I have two multi value fields with delim "," (comma) field1 field2 \value\random\end, ...

by Path Finder in

Is there a best practice for creating a multivalue field instead of writing a search with a lot of OR statements?

I need to search through my email logs to determine who sends emails to personal accounts (e.g. gmail, yahoo, etc). R...

by New Member in

How to get the sum of multiple rows based on a different column?

I have a CSV with 3 columns; Username, AD group, Logins (Logins being total number of logins for that user). I want t...

by Explorer in

How to count all events by a value combination even if the values appear in different fields?

Hi, let's say we have an event with Field1=A Field2=B and another event with Field1=B Field2=A How c...

by Motivator in

Emailed PDF bar chart drops row labels if > 20 rows. How do we get the chart labels to display properly?

We are on Splunk 6.2.1 Every night we have Splunk email our executive staff a PDF with a bar chart showing a measure ...

by Path Finder in

How can I have full queues and plenty of system resources on a heavy forwarder?

All, I am trying to understand how I can have full queues on a heavy forwarder but have plenty of CPU and RAM ava...

by Builder in

How do I get my top 10 search to return results per month for the last three months?

Hello I have a Top 10 query and it's run using earliest of -3mon to latest @mon So I would like to be able to retu...

by New Member in

How to extract these fields?

Hi How to extract these users using Regex? I need user=eerfe33, nrt123,.. file:_C:\Users\eerfe33\Documents.......

by New Member in

Why is the charting.reverse option for scatter chart not working in my dashboard panel?

Dear Splunk Community, In the current implementation of my dashboard, I have a scatter chart panel for which I am...

by Engager in

How to search duration of time above a percentage?

I have data that has a watermark percentage, and a consumed percentage in a timechart. I want to determine how much t...

by Contributor in

Dump command splits results in many files. How to consolidate to have a single file instead of splitting results by source?

I have used the dump command to extract data from production server and play with it on my local. I have 6 different ...

by Explorer in

How do I edit my timechart search to prevent all of my data being put into one bucket?

Hi, I have this search: eventtype=mlc sourcetype=murex_log4j source=launchermxmlc.mxres.log | stats earliest(_...

by Communicator in

How to create a drilldown from several pie charts in Dashboard1 to the same single table in Dashboard2?

I have several pie charts. I would like to drilldown from each of the pie charts to the same table in a different vie...

by Communicator in

Why is my summary index search timechart not displaying?

We have a summary index called summary_site_stats, One of the saved searches that adds data to that summary index...

by Builder in

iis field extraction uri="-"

So I am extracting fields using the standard field transforms, and many of my uri results and user agents are returni...

by Motivator in

How do I get these three conditions to work in my search for a field output?

I have search output wherein in field DB_NotBackedup has 3 values: 1- null value 2- value greater than 3 3- value le...

by New Member in

What is the precedence of common fields between the main search and subsearch after a join?

I have two types of log entry with a common field. I am using join to get the index=web_load sourcetype=instrumen...

by SplunkTrust in

Why is my scheduled search that includes join and append missing data for some rows in the report?

Hi, I have a comparatively very long search scheduled to run on the 1st of every month. This includes 2 subsearche...

by Path Finder in

How to configure Splunk to parse Perforce logging structured data in CSV files?

I am trying to ingest the structured logs from our main Perforce server. I have the structured logs split out to mult...

by Path Finder in

How to show multiple values for a single field in splunk

My raw data consists of xml data as below: <fundTemplateName>FUND1</fundTemplateName><quantityExpression>1600</qu...

by New Member in

Convert String to Integer

I have extracted a value out of expression but seems like it is still treated as String not integer and i cant do any...

by Path Finder in

How DBX decides dbmon interval

Hello, I am using DB Connect to pull data from my DB. I had configured dbmon interval manually (interval = 30s, fo...

by Motivator in

How do I edit my search to append a subsearch result to a count on an hourly basis?

Hi, I'm trying to create a scheduled report that runs daily at 3am. The use case is to track the occupancy number...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to pass one value at a time to a search from a subsearch?

How to group multiselect drop-down values?

How to check if each value in multivalue field exists in another multivalue field?

Is there a best practice for creating a multivalue field instead of writing a search with a lot of OR statements?

How to get the sum of multiple rows based on a different column?

How to count all events by a value combination even if the values appear in different fields?

Emailed PDF bar chart drops row labels if > 20 rows. How do we get the chart labels to display properly?

How can I have full queues and plenty of system resources on a heavy forwarder?

How do I get my top 10 search to return results per month for the last three months?

How to extract these fields?

Why is the charting.reverse option for scatter chart not working in my dashboard panel?

How to search duration of time above a percentage?

Dump command splits results in many files. How to consolidate to have a single file instead of splitting results by source?

How do I edit my timechart search to prevent all of my data being put into one bucket?

How to create a drilldown from several pie charts in Dashboard1 to the same single table in Dashboard2?

Why is my summary index search timechart not displaying?

iis field extraction uri="-"

How do I get these three conditions to work in my search for a field output?

What is the precedence of common fields between the main search and subsearch after a join?

Why is my scheduled search that includes join and append missing data for some rows in the report?

How to configure Splunk to parse Perforce logging structured data in CSV files?

How to show multiple values for a single field in splunk

Convert String to Integer

How DBX decides dbmon interval

How do I edit my search to append a subsearch result to a count on an hourly basis?

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout

ITSI thresholds: adaptive vs static

Using Machine Learning Toolkit to detect auth abus...

Proactively stream data to different index after C...

Write Splunk log with Laminas

Issues in multiselect input dropdown