Splunk Search

Start a Conversation

Discussions

Start a Conversation

Thread Info

Regex not working?

I'm trying to get a time prefix working for the following event: 00:13:11:ee:b7:5e~00:13:11:ee:b7:5d~123.net~123.n...

by Builder in

Compare three sourcetypes

Hi , I have three sourcetype. It's a complicated question. I'll try my best to let you understand what I mean. ...

by Path Finder in

Expanding on a search result automatically

Hi, I am trying to figure out how to achieve something and would appreciate any help from your experience. I ha...

by Explorer in

Convert timestamp at search time for report?

Hey everyone! I am working on files right now that contain numerous timestamps. The timestamps are presented in this ...

by Builder in

Calculate averaage response time when number of trx > x within last y hours

I need to calculate average response time (ELT) by service (SVC) if number of trx by service is >5 within the last 4 ...

by Communicator in

FlashChart Drilldown Question which calls a new search

Hey, I want to switch off what seems to be a default function in Splunk. I am trying to drill down on the follo...

by Motivator in

Set Field based on another field

I am trying to create a field that contains information about the type of host based on the host field. For example, ...

by Path Finder in

Calculate time between two different events

I have log entries looking as follows: Nov 16 08:37:47 psdkxt05 MID=xxx005I;XID=;SID=;UID=;STM=2010-11-16 08:37:47...

by Communicator in

Subsearch based on date

I'm new to creating subsearches. I need to combine fields from two different sourcetypes based on a date. Event one h...

by SplunkTrust in

Dealing with bizarre embedded timestamp

Hey everyone. Right now I'm dealing with some CSV files that are set up in the following format: line 1: version head...

by Builder in

One search to source multiple dashboard tables

Couldn't see to find a question like this here, but maybe my search for it is no good. What I'd like to do is have...

by Communicator in

What is the best strategy to handing overlapping data?

Some sources will produce data that overlaps i.e. you get some of the data you already indexed. This can have quite a...

by Communicator in

Quickest Way to Search Large Dataset and Export Results

I'm trying to find the quickest way to run a large search against a large dataset which will have a large set of resu...

by Communicator in

inactive users and saved searches

I would like to find All Users that have not logged in for 90 days ans active scheduled searches associated with ...

by Communicator in

substr can't get the correct value?

Hi,all I want to use "substr" to get what I want. A=1420014 ... |eval A=if(substr(A, 1,2)="14",replace(A, "1...

by Path Finder in

find host reporting to various indexers.

I have hosts/forwarders reporting to multiple indexers using load balancing.I have 3 in Americas,2 in Aspac. I am ...

by Communicator in

Event count bucket starts from 2 AM (indipendent of earliest and latest)

Dear All, I'm doing a search as the following: sourcetype="sophos" pmx_action="keep" fur!="none"| bucket span=2...

by New Member in

exclude two ranges in a search

I want to search my firewall log for tcp denials from the outside on port 22. So far, I have this: "deny tcp sourc...

by New Member in

New user - trying to work out a report - Followup questions

Appreciate the answer to my original question, but it leads me to a couple of additional issues: 0) As I write thi...

by Explorer in

Why do I get different results when I search my extracted field?

I have an extracted field called ruby_completed_call, that extracts the completion time from a ruby log: Processin...

by Splunk Employee in

Splunk Search

Discussions

Regex not working?

Compare three sourcetypes

Expanding on a search result automatically

Convert timestamp at search time for report?

Calculate averaage response time when number of trx > x within last y hours

FlashChart Drilldown Question which calls a new search

Set Field based on another field

Calculate time between two different events

Subsearch based on date

Dealing with bizarre embedded timestamp

One search to source multiple dashboard tables

What is the best strategy to handing overlapping data?

Quickest Way to Search Large Dataset and Export Results

inactive users and saved searches

substr can't get the correct value?

find host reporting to various indexers.

Event count bucket starts from 2 AM (indipendent of earliest and latest)

exclude two ranges in a search

New user - trying to work out a report - Followup questions

Why do I get different results when I search my extracted field?

Remove peer from Index Cluster and re-add after ma...

use source within map command

Join two field with similar values and stats by an...

How to display a unit format and a color format in...

Changing the background of Single Value Viz. with ...