Splunk Search

Discussions

Thread Info

How to specify different time ranges for each panel on a dashboard using only one base search?

Hi, I'm trying to use a base search for different panels. I have this, but it's retrieving the same results in bo...

by Explorer in

Search Heads not looking for Events on Both Indexers

I have two indexers: splnkindex001 (si1) and splnkindex002 (si2). Both indexers have index replication configured for...

by Explorer in

Using Lookups to dynamically populate a dashboard

I would like to use a lookup table with multiple columns to populate multiple fields for use later in a dashboard. Sp...

by Contributor in

How to create graph based on hardcoded hosts with data, but generate an error if any of the hosts show no data?

All, I am trying to create a dashboard search to monitor if the named process is running on our name servers. I am...

by New Member in

Is it correct practice to leave an inline search untitled, and only set a title on the "parent" panel?

I'm using Splunk (6.3.1) Web to create dashboards. My newbie workflow involves entering a search string in the Search...

by Builder in

Best practice for representing bit flag fields in input data?

Suppose I have a field that consists of a byte value, where each bit can represent a "flag": a property whose value i...

by Builder in

Fill nulls based on previous value

I have events that contain the following data: Time, Name, Value, Quality. The Quality value can either be "Goo...

by Engager in

Some form of Display for Counting Down

Hi Everyone, I am looking for a way to display a downtime value. I am able to display the value in a single visual...

by Communicator in

Is it possible to match one or more values to one variable in a regex?

So I have log entries like the follow: 557 <134> 2016-04-20T10:33:05-04:00 PulseSecure: id=firewall time="2016-04-20 ...

by Path Finder in

regex help - transforms.conf

The goal is to take my ohs logs and dump all except entries with IP addresses. IP's w/o images that is. I can get it ...

by New Member in

How to write a search to only display entries added in the last 24 hours based on a time field from a lookup CSV file?

I have a .csv file as a lookup file that gets updated daily with new records. It has a number of fields, one being...

by Path Finder in

"eval UsedMemory=(Avg_Memory/Total_Memory)" How do I know where the Avg_Memory and Total_Memory fields are coming from?

I have a search which uses an eval expression for a calculation. eval UsedMemory= (Avg_Memory/Total_Memory) I...

by Engager in

How to deal with "quotes" in field values that are causing Splunk to have issues parsing field/value pairs?

I'm having an issue with certain events that contain values with quotation marks in them. This is causing Splunk to h...

by Explorer in

How to edit my single regex for parsing multiple types of events in the same sourcetype?

Hi All, I want a single regex for multiple types of events getting generated in my access logs. I have written the...

by Builder in

How to create a single chart showing % Processor Time and % User Time by host?

I'm trying to create a single chart showing % Processor Time and % User Time by host My example so far: host="...

by New Member in

Anyone know of an efficient method to deploy Splunk UF v6.3.3 with Splunk_TA_Windows to several hundred Windows 2012 Servers?

Hello All, Does anyone know of an efficient method to deploy Splunk UF v6.3.3 with Splunk_TA_Windows to several hu...

by Engager in

How to search for an alert via rest with a name that contains spaces?

I have an alert named e.g. "My Alert". How do I search for it in Splunk using the REST API? I can successfully sea...

by Engager in

How can I set a custom linemerge sourcetype event break regex to ensure that an entire event is ready to be captured

Hi everyone, I have a monitored file that is appended to by a cron job. Sometimes splunk checks the file in the m...

by Explorer in

Is "unknown sid" and "The search job 'xxxxxxxxxxx.xxx_xxxxxxxxxx-xxx-xxx-x-xxxxxxxxxx was canceled remotely or expired" really a "feature"?

If I leave my Splunk WebUI dormant for a bit (I think about 30m), I get the following error message with scary, red, ...

by Communicator in

How apply a stats sum with a where condition?

Need to sum a field value with a condition. For example, every log contains a field value pair "failedcount" with int...

by Explorer in

Why is only one member of a search head cluster reporting "Maximum number of concurrent searches has been reached"?

Recently started encountering issues where one node of a 4 node search head cluster starts reporting: SHPMaster...

by Contributor in

How to write the regex to extract the domains from URLs?

I have been through the field extractor, answers.splunk.com, and the interwebs looking for help on this one. So our P...

by Builder in

How to edit my stats search to get a sum of bytes per app and total sum for all traffic?

I currently get events that shows bytes received from a router. What I'm trying to do is use stats to obtained a sum ...

by New Member in

operations or statistics on rows and cells in multi-line event table

I have an entry in /var/log/messages which contains a string of multiple sets of 6 keypairs (pairdelim="," kvdelim=":...

by New Member in

Add line numbers to multiline event using rex in sed mode

Hi, Is there a way to use fields in rex expression? I would like to do something like this: | eval num=1 |...

by New Member in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to specify different time ranges for each panel on a dashboard using only one base search?

Search Heads not looking for Events on Both Indexers

Using Lookups to dynamically populate a dashboard

How to create graph based on hardcoded hosts with data, but generate an error if any of the hosts show no data?

Is it correct practice to leave an inline search untitled, and only set a title on the "parent" panel?

Best practice for representing bit flag fields in input data?

Fill nulls based on previous value

Some form of Display for Counting Down

Is it possible to match one or more values to one variable in a regex?

regex help - transforms.conf

How to write a search to only display entries added in the last 24 hours based on a time field from a lookup CSV file?

"eval UsedMemory=(Avg_Memory/Total_Memory)" How do I know where the Avg_Memory and Total_Memory fields are coming from?

How to deal with "quotes" in field values that are causing Splunk to have issues parsing field/value pairs?

How to edit my single regex for parsing multiple types of events in the same sourcetype?

How to create a single chart showing % Processor Time and % User Time by host?

Anyone know of an efficient method to deploy Splunk UF v6.3.3 with Splunk_TA_Windows to several hundred Windows 2012 Servers?

How to search for an alert via rest with a name that contains spaces?

How can I set a custom linemerge sourcetype event break regex to ensure that an entire event is ready to be captured

Is "unknown sid" and "The search job 'xxxxxxxxxxx.xxx_xxxxxxxxxx-xxx-xxx-x-xxxxxxxxxx was canceled remotely or expired" really a "feature"?

How apply a stats sum with a where condition?

Why is only one member of a search head cluster reporting "Maximum number of concurrent searches has been reached"?

How to write the regex to extract the domains from URLs?

How to edit my stats search to get a sum of bytes per app and total sum for all traffic?

operations or statistics on rows and cells in multi-line event table

Add line numbers to multiline event using rex in sed mode

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Proactively stream data to different index after C...

Write Splunk log with Laminas

Issues in multiselect input dropdown

Using splunk-sdk in user-defined functions in Spar...

Verification of SAML assertion using IDP's cert fa...