Splunk Search

Thread Info

Should I use an index-time field extraction?

Dear fellow Splunkers, I have seen the docs on index-time field extractions and a few related answers here, there ...

by Explorer in

creating an 'other' field with eval

I am quite knew to this and not remotely wedded to eval as the solution for this problem, I am eager to know if there...

by Engager in

Unexpected inner join results

Hi, I have two tables like below: table 1 (nl_t1.csv): IP Source1 1 a 1 b table 2 (nl_t2.csv): IP Source2 1 ...

by Path Finder in

how can i extract a quoted field value that includes a quoted string?

(a question from a customer) I have a field named string that reads: string="This is "an extraordinary" event,...

by Splunk Employee in

How to write a search to display events that do not have a corresponding event with a condition that negates them?

I want to write a search that returns results in a time frame that is conditional in this manner: Event A: If fiel...

by Path Finder in

How to convert computer name to host name?

Hi We have environment where windows events are forwarded => windows Event Collector Windows Event Collector ...

by Path Finder in

Another "DateParserVerbose - Failed to parse timestamp" warning

I'm getting "DateParserVerbose - Failed to parse timestamp" from a syslog source. I'm a pretty inexperienced Splunk u...

by Builder in

When I go to Settings, Data Inputs, Forwarded Inputs, Windows Event Logs and click on the listed Server Class link, the redirected page will not load, it just says loading...

When I go to Settings, Data Inputs, Forwarded Inputs, Windows Event Logs and click on the listed Server Class link, t...

by Explorer in

How to specify different time ranges for each panel on a dashboard using only one base search?

Hi, I'm trying to use a base search for different panels. I have this, but it's retrieving the same results in bo...

by Explorer in

Search Heads not looking for Events on Both Indexers

I have two indexers: splnkindex001 (si1) and splnkindex002 (si2). Both indexers have index replication configured for...

by Explorer in

Using Lookups to dynamically populate a dashboard

I would like to use a lookup table with multiple columns to populate multiple fields for use later in a dashboard. Sp...

by Contributor in

How to create graph based on hardcoded hosts with data, but generate an error if any of the hosts show no data?

All, I am trying to create a dashboard search to monitor if the named process is running on our name servers. I am...

by New Member in

Is it correct practice to leave an inline search untitled, and only set a title on the "parent" panel?

I'm using Splunk (6.3.1) Web to create dashboards. My newbie workflow involves entering a search string in the Search...

by Builder in

Best practice for representing bit flag fields in input data?

Suppose I have a field that consists of a byte value, where each bit can represent a "flag": a property whose value i...

by Builder in

Fill nulls based on previous value

I have events that contain the following data: Time, Name, Value, Quality. The Quality value can either be "Goo...

by Engager in

Some form of Display for Counting Down

Hi Everyone, I am looking for a way to display a downtime value. I am able to display the value in a single visual...

by Communicator in

Is it possible to match one or more values to one variable in a regex?

So I have log entries like the follow: 557 <134> 2016-04-20T10:33:05-04:00 PulseSecure: id=firewall time="2016-04-20 ...

by Path Finder in

regex help - transforms.conf

The goal is to take my ohs logs and dump all except entries with IP addresses. IP's w/o images that is. I can get it ...

by New Member in

How to write a search to only display entries added in the last 24 hours based on a time field from a lookup CSV file?

I have a .csv file as a lookup file that gets updated daily with new records. It has a number of fields, one being...

by Path Finder in

"eval UsedMemory=(Avg_Memory/Total_Memory)" How do I know where the Avg_Memory and Total_Memory fields are coming from?

I have a search which uses an eval expression for a calculation. eval UsedMemory= (Avg_Memory/Total_Memory) I...

by Engager in

How to deal with "quotes" in field values that are causing Splunk to have issues parsing field/value pairs?

I'm having an issue with certain events that contain values with quotation marks in them. This is causing Splunk to h...

by Explorer in

How to edit my single regex for parsing multiple types of events in the same sourcetype?

Hi All, I want a single regex for multiple types of events getting generated in my access logs. I have written the...

by Builder in

How to create a single chart showing % Processor Time and % User Time by host?

I'm trying to create a single chart showing % Processor Time and % User Time by host My example so far: host="...

by New Member in

Anyone know of an efficient method to deploy Splunk UF v6.3.3 with Splunk_TA_Windows to several hundred Windows 2012 Servers?

Hello All, Does anyone know of an efficient method to deploy Splunk UF v6.3.3 with Splunk_TA_Windows to several hu...

by Engager in

How to search for an alert via rest with a name that contains spaces?

I have an alert named e.g. "My Alert". How do I search for it in Splunk using the REST API? I can successfully sea...

by Engager in

Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

Splunk Search

Discussions

Should I use an index-time field extraction?

creating an 'other' field with eval

Unexpected inner join results

how can i extract a quoted field value that includes a quoted string?

How to write a search to display events that do not have a corresponding event with a condition that negates them?

How to convert computer name to host name?

Another "DateParserVerbose - Failed to parse timestamp" warning

When I go to Settings, Data Inputs, Forwarded Inputs, Windows Event Logs and click on the listed Server Class link, the redirected page will not load, it just says loading...

How to specify different time ranges for each panel on a dashboard using only one base search?

Search Heads not looking for Events on Both Indexers

Using Lookups to dynamically populate a dashboard

How to create graph based on hardcoded hosts with data, but generate an error if any of the hosts show no data?

Is it correct practice to leave an inline search untitled, and only set a title on the "parent" panel?

Best practice for representing bit flag fields in input data?

Fill nulls based on previous value

Some form of Display for Counting Down

Is it possible to match one or more values to one variable in a regex?

regex help - transforms.conf

How to write a search to only display entries added in the last 24 hours based on a time field from a lookup CSV file?

"eval UsedMemory=(Avg_Memory/Total_Memory)" How do I know where the Avg_Memory and Total_Memory fields are coming from?

How to deal with "quotes" in field values that are causing Splunk to have issues parsing field/value pairs?

How to edit my single regex for parsing multiple types of events in the same sourcetype?

How to create a single chart showing % Processor Time and % User Time by host?

Anyone know of an efficient method to deploy Splunk UF v6.3.3 with Splunk_TA_Windows to several hundred Windows 2012 Servers?

How to search for an alert via rest with a name that contains spaces?

Holistic Visibility and Effective Alerting Across IT and OT Assets

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

Search for triggered save searches and their actio...

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Using Machine Learning Toolkit to detect auth abus...

Proactively stream data to different index after C...