Splunk Search

Discussions

Thread Info

Is it better to only make searchable indexes available via the Selected search indexes option rather than using Restrict search terms?

If I leave the Restrict search terms option empty and only make searchable indexes available via the Selected search ...

by Engager in

Help with regex to extract a field from my sample data

Need assistance with Regex to parse the user from the event below. I'm looking to get the value of a string between =...

by New Member in

Iplocation reporting wrong country for a host - can this be fixed?

Not sure how or if this can be fixed, but iplocation is reporting Germany as the country for datacenter.fiberdc.com.t...

by Explorer in

Group IP addresses in CIDR format

I'm trying to group IP address results in CIDR format. Most likely I'll be grouping in /24 ranges. Is there an easy w...

by Path Finder in

extract one field from one index and pass to another search

Background: My windows AD users are in index "windersAD". All of their web traffic is logged in index "wsa". I would...

by Explorer in

how to query for users using Splunk?

This should be an easy one, how do I get a list of my top users accessing Splunk?

by Communicator in

Regex: How to extract multiple fields with the same name?

Here is an example of the log I am dealing with: <123 Main St> <456 Center St.> I'd like to simply extract the...

by New Member in

How do we count the fields inside a JSON array?

Each log entry contains some json. There is a field that is an array. I want to count the items in that array. Exa...

by Explorer in

how to compare values from two different searches

Hi, I need to run a compare against the count of two different searches - how would I do that? I'm counting the nu...

by Champion in

How to change sharing and permissions for a lookup table using the REST API?

I need to change sharing and permissions for a lookup table file using the REST API. I have been searching high an...

by Communicator in

Is there a way to dynamically assign chart labels using a search?

Is there a way to dynamically assign chart labels using a search? My search ends with a timechart values(foo) as bar,...

by Splunk Employee in

How to edit my search to combine results to make multiple rows?

Hello Everyone, With my current search I am able to display results in three rows, however, I need two of the rows...

by Engager in

How do I update the extracted part of the source field in props.conf and transforms.conf?

For example: source = D:\Users\ABC\Desktop\splunk\abc.log I have extracted the part of string I wanted using (...

by New Member in

To run a search only on click of a button in the page.

I have a submit button module containing search module and I want to execute the search only when user clicks on the ...

by Communicator in

How to write a search to only show the latest contents of a lookup file on a dashboard?

Hi there, My external program is retrieving the data and creating lookup table every night. The files are stored l...

by New Member in

Why does my query blow-up in size with a join?

Why does my query blow-up in size with a join? I have a query which without a join (for further analysis) runs in 2M...

by Explorer in

Help understanding search command : "Where"

Hello dear splunkers, Can anyone tell me why these two commands give different results ? sourcetype=shopping da...

by Super Champion in

show in a graph a numbers with two numbers after comma

hi, I would like to build a graph with these values: a 100 b 97,56 c 99,34 my issue is when i try to see a grap...

by Explorer in

regex to extract date from the file name

Hi we are using fs_notification and monitoring a specific path. I have a field called path which has the following...

by Communicator in

How to edit my regex to extract this value from my data?

This should be an easy thing to do but obviously, I am missing it. I need to extract "cannot be located" c.f....

by Explorer in

How to edit my search to only display users that have logged on to more than 5 workstations and sort the list in descending order?

Hello, Like the title says, I have the search criteria pretty nailed down, however, I would like to do a count so ...

by New Member in

Optimize query by referring latest source data

Hi, Here are the three sources that I have for the below query that I need to optimize : a) tech_detail.gz b) grou...

by Explorer in

Splunk is only reading some records from a lookup and leaving others out. Any suggestions why?

I have a CSV file uploaded as a lookup. I am using the userID from my search with the lookup, but for some reason, th...

by Path Finder in

How can I chart 24hr difference between Fields at exactly 7am over the last 7 days

I am capturing events every minute. Within the events, there is a continuously compounding field: "FlowTotal_Running_...

by Engager in

SEDCMD search inline question

I am trying to test a sedcmd command, inline, that Im going to add. I am finding a string and replacing it with a fie...

by Builder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Is it better to only make searchable indexes available via the Selected search indexes option rather than using Restrict search terms?

Help with regex to extract a field from my sample data

Iplocation reporting wrong country for a host - can this be fixed?

Group IP addresses in CIDR format

extract one field from one index and pass to another search

how to query for users using Splunk?

Regex: How to extract multiple fields with the same name?

How do we count the fields inside a JSON array?

how to compare values from two different searches

How to change sharing and permissions for a lookup table using the REST API?

Is there a way to dynamically assign chart labels using a search?

How to edit my search to combine results to make multiple rows?

How do I update the extracted part of the source field in props.conf and transforms.conf?

To run a search only on click of a button in the page.

How to write a search to only show the latest contents of a lookup file on a dashboard?

Why does my query blow-up in size with a join?

Help understanding search command : "Where"

show in a graph a numbers with two numbers after comma

regex to extract date from the file name

How to edit my regex to extract this value from my data?

How to edit my search to only display users that have logged on to more than 5 workstations and sort the list in descending order?

Optimize query by referring latest source data

Splunk is only reading some records from a lookup and leaving others out. Any suggestions why?

How can I chart 24hr difference between Fields at exactly 7am over the last 7 days

SEDCMD search inline question

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

In Splunk studio, is it possible to populate a tex...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions