Splunk Search

Discussions

Thread Info

Why doesn't the reducer get all events from the mapper function in my custom reporting command?

I am trying to write a custom reporting command that finds the top words. It seems to work, but I see some data isn't...

by Explorer in

How do I edit my eval statement to insert a specified number in ColumnB based on specific values found in ColumnA?

Hi, I wonder whether someone may be able to help me please. I'm trying to run a search which looks at a value in c...

by Motivator in

How to configure Splunk to parse and extract fields from my pseudo-XML sample data?

Hi Splunkers, I have a question regarding the input extraction of XML fields (with inputs and transforms). I have...

by Motivator in

Why am I getting error "Search peer XXX has the following message: received event for unconfigured/disabled/deleted index='YYY'..."?

Hi, I wonder if someone may be able to help me please. I'm starting to learn more about the administration aspect ...

by Motivator in

If you create a timechart with a span, and then set "earliest" and "latest" parameters, does one overwrite the other?

Hi, I wonder if someone could help me please with a search I have and I apologize in advance for the newbie questi...

by Motivator in

How do I edit my search to create a table or chart of percentages calculated from my data?

I have a log that looks like this { api: my_api, message: Events Publish Status event_failed_count: 0...

by Explorer in

How to remove everything after a specific character in a line and group by that value?

I'm trying to remove everything after the first colon that appears in a line and group by that value. An example o...

by Explorer in

How do I display ONLY percentages on a timechart?

I know how to include percent in timecharts, however, all the answers I see return the other values in the timechart ...

by Builder in

Rename multiple fields to the same name using a * or a generic character, so it can be done on mass.

Rename multiple fields to the same name using a * or a generic character. MY data set is producing a lot of data that...

by Influencer in

How can I create a Heat Map?

I have the following Table I have latitudes and longitudes of every city. How can I create a Heat Map based on va...

by Engager in

Field Extractor Utility: Why am I getting error "The extraction failed. If you are extracting multiple fields, try removing one or more fields..."?

Hi, I Have the following event in Splunk: Message=WriteLoadTimeToLog at offset 259 in file:line:column <filenam...

by Path Finder in

How to handle different field patters in the same sourcetype?

I'm trying to extract fields for a Barracuda Spam Firewall. For those deeply interested, they've politely documented ...

by Communicator in

Why am I getting chart error "The following options were specified but have no effect when a split-by clause is not provided:limit"?

I'm trying to chart the top hits to a search while the rest are rolled up into an 'OTHER' column. Ideally I'd like th...

by Engager in

How to replace a status with a new value?

I have search I'm running to change the status of a particular error that is a false negative: index=wertyu source...

by Builder in

Transaction with count of successive events

Hi, If I have several events like this: ID1 name1 ID2 name2 ID3 name1 ID3 name1 ID3 name1 ID4 name3 ID3 n...

by Explorer in

How to calculate daily values from sum values

Hi, I have values that are a total sum of all data processed. I need to calculate the daily values from the daily ...

by Explorer in

How do I write the regular expression to extract fields separated by a backslash?

Hi Community, I'm struggling with a regex expression. I'm trying to extract fields (seperated by \) into the three...

by Explorer in

Is there any documentation on what precision Splunk uses for arithmetic operations?

When I execute the following search index="does not matter" | stats count AS value | eval value=123456.0 | eval x...

by Communicator in

How can I show average, peak, and peak time in a single search?

Hi, my first post..I'm trying to display in a search the Average TPS (transactions per second), along with Peak TPS, ...

by New Member in

Scheduled Query - change query content

Background I have created a query that will allow me to view all tickets created within one month. As some of the 're...

by Path Finder in

Field extraction efficiency improvements

I am currently extracting 3 fields at index-time based on a custom eventtype. I did this a while ago and realize that...

by Path Finder in

need help in displaying specific fields from below output

Hi Need help in displaying Client and /use71-mobstor-bf1/vol070 with dedup, as logs has similar entries. Nov 2...

by New Member in

earliest=-1w does not work

Hi, I have the following simple search. sourcetype=ib:reserved1 source=ib:user:user_login index=ib_security earliest=...

by Path Finder in

Field extraction is off

I'm forwarding logs via syslog udp to a box and locally ingesting them through splunk. I don't think that contributes...

by Communicator in

How to use regex in eventtypes.conf

I have data in following formats: Nov 04 21:47:59 server1 gtu[22038]: 2833CA0D c (master) 1A 0B 81 2D 5F 66 36...

by Builder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Why doesn't the reducer get all events from the mapper function in my custom reporting command?

How do I edit my eval statement to insert a specified number in ColumnB based on specific values found in ColumnA?

How to configure Splunk to parse and extract fields from my pseudo-XML sample data?

Why am I getting error "Search peer XXX has the following message: received event for unconfigured/disabled/deleted index='YYY'..."?

If you create a timechart with a span, and then set "earliest" and "latest" parameters, does one overwrite the other?

How do I edit my search to create a table or chart of percentages calculated from my data?

How to remove everything after a specific character in a line and group by that value?

How do I display ONLY percentages on a timechart?

Rename multiple fields to the same name using a * or a generic character, so it can be done on mass.

How can I create a Heat Map?

Field Extractor Utility: Why am I getting error "The extraction failed. If you are extracting multiple fields, try removing one or more fields..."?

How to handle different field patters in the same sourcetype?

Why am I getting chart error "The following options were specified but have no effect when a split-by clause is not provided:limit"?

How to replace a status with a new value?

Transaction with count of successive events

How to calculate daily values from sum values

How do I write the regular expression to extract fields separated by a backslash?

Is there any documentation on what precision Splunk uses for arithmetic operations?

How can I show average, peak, and peak time in a single search?

Scheduled Query - change query content

Field extraction efficiency improvements

need help in displaying specific fields from below output

earliest=-1w does not work

Field extraction is off

How to use regex in eventtypes.conf

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Using Time Range with Bin

Proactively stream data to different index after C...

Write Splunk log with Laminas

Issues in multiselect input dropdown

Using splunk-sdk in user-defined functions in Spar...