Splunk Search

Discussions

Thread Info

How can I check for events from a host in a list of "critical hosts"?

I have a list of hosts; I need to see if these hosts appear anywhere in my Splunked events. It is a very long list, s...

by Legend in

How to edit my search to get the max count per hour?

Hi, I'm trying to get the system with the most number of logs (usage) for every hour. I did a search for: even...

by Path Finder in

How to write a search to output results where a field from my events match with a field in my lookup CSV file?

Hi, I have found many searches using lookup files, but none works correctly for me What is the correct search to g...

by Engager in

How to extract a string from each value in a column in my log?

hi, I have log with 3 columns ID....TYPE...... DESC 1.......A............Member Since Year-2015 2...... B.........

by Explorer in

How to group by text within a field

I am trying to group by text within a specific field. I'm essentially searching a message content field called event....

by New Member in

Anonymous users access to their data and view.

I am not sure if this is feasible and done before. We have anonymous users, each have their own sensors which gene...

by New Member in

How to display the difference between the results from two different searches?

I display two different graphs by using the following strings. "Sending" earliest=-7days | eval gigabytes=((bytes/...

by Explorer in

How to set up an alert to trigger if EventB from IndexB happens within 1 minute after EventA from IndexA?

I had a previous thread open, but since then I worked on the alert and refined some criteria. The alert is running of...

by Communicator in

How to include the time of each calculated "stats max()" in a table?

If I have a search of search|stats max(duration) by Action When I run the search, how can I add the time for ...

by Builder in

Why is my search producing error "Error in 'eval' command: The expression is malformed..."?

When I enter this search: sourcetype=win* (EventCode=4624 OR EventCode=4634)| stats latest(eval(if(EventCode=4624...

by Communicator in

Why am I unable to get a running total using the streamstats command in my search?

When I try the search to create a running total out of the streamstats documentation, it doesn't work. Nothing change...

by Path Finder in

How do I get Cache Hit ratio?

I have cache hit as well as cache miss reports, How do i get the ratio of cache hit i.e, cache hit / (cache hit + cac...

by Engager in

Why am I unable to convert a PerfmonMK memory value in bytes to kilobytes using eval?

I am collecting a PerfmonMK dataset that includes a memory value in bytes. I would like to display the value in KB. N...

by Path Finder in

How to create a search to find expected hosts that are not reporting to Splunk?

I'm looking to create a report that finds expected hosts not reporting to Splunk without using the Macro. Anyone have...

by Explorer in

How do I combine my two searches to get expected results?

Hi, Can someone help me? I have the searches below and need to be combine the two to display the expected results:...

by Explorer in

Python oneshot query to search for many values via API

I'm trying to run a search where I will get results if a field matches one of many predetermined values and I'm worri...

by Explorer in

How to disable search in a specified index for certain groups of users?

Hello. I have a simple question: I would like to have a specified index with sensitive data in it, however, I ...

by Explorer in

How to create a search to find a percentage using my data set and display this in a timechart?

First of all I am very new to splunk!  My data can be simplified to look something like this. Employee = (Unique...

by New Member in

How to use rex to extract Linux directory sizes and names?

I run a daily script on the server, du -sk, against a certain directory that contains 200 subdirectories and write th...

by Path Finder in

Aggregating fields in JSON array

I'm relatively new to Splunk queries. I have an event that contains JSON and within the JSON data is an array. There'...

by Explorer in

I am able to extract a field with rex in a search, but why does it not appear in Interesting Fields when I save it as a field extraction?

Hi all, I'm using the Splunk Field Extractor in order clean up the my search a bit, and I'm using the following re...

by Path Finder in

I have a graph displaying how many workstations have out of date virus definitions. How can I exclude certain systems from the count?

On my dashboard, I have a graph displaying how many workstations have out of date virus definitions. Several of these...

by New Member in

How can I recreate this chart in Splunk?

http://imgur.com/MbH4w37 Trying to recreate this chart in Splunk - can anyone assist, as I'm a bit uncertain where...

by Builder in

Can you use stats count() on each value in a mvfield that was just created in the same stats command by the stats values() function?

I might be going to deep here but I figured I'd give it shot... I have a stats command keying off of a domain name...

by Builder in

Join only returning values from one side of the search!

I need to join data from two (or more, ultimately) different sourcetypes based on the shared "host" field. Just a sub...

by Builder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How can I check for events from a host in a list of "critical hosts"?

How to edit my search to get the max count per hour?

How to write a search to output results where a field from my events match with a field in my lookup CSV file?

How to extract a string from each value in a column in my log?

How to group by text within a field

Anonymous users access to their data and view.

How to display the difference between the results from two different searches?

How to set up an alert to trigger if EventB from IndexB happens within 1 minute after EventA from IndexA?

How to include the time of each calculated "stats max()" in a table?

Why is my search producing error "Error in 'eval' command: The expression is malformed..."?

Why am I unable to get a running total using the streamstats command in my search?

How do I get Cache Hit ratio?

Why am I unable to convert a PerfmonMK memory value in bytes to kilobytes using eval?

How to create a search to find expected hosts that are not reporting to Splunk?

How do I combine my two searches to get expected results?

Python oneshot query to search for many values via API

How to disable search in a specified index for certain groups of users?

How to create a search to find a percentage using my data set and display this in a timechart?

How to use rex to extract Linux directory sizes and names?

Aggregating fields in JSON array

I am able to extract a field with rex in a search, but why does it not appear in Interesting Fields when I save it as a field extraction?

I have a graph displaying how many workstations have out of date virus definitions. How can I exclude certain systems from the count?

How can I recreate this chart in Splunk?

Can you use stats count() on each value in a mvfield that was just created in the same stats command by the stats values() function?

Join only returning values from one side of the search!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

In Splunk studio, is it possible to populate a tex...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions