Splunk Search

Discussions

Thread Info

Why are events not returned for a search on a search-time extracted field?

We have a field extraction in apps/search/local/props.conf like this: [my_glog_kv] ... EXTRACT-my_glog_kv = ^(?<se...

by Path Finder in

Regex help in filtering machines that were not compliant that now are....

I have events that detect compliance of machines via forescout data (we don't have the app installed) and I'd like to...

by New Member in

How do I separate the results of a transaction to separately show each event?

Hi at all, I have to separate the results of a transaction to separately show each event. I'd like to do this beca...

by SplunkTrust in

If I only need fields "Target Account Name" and "Subject Account Name", how can I write a search to exclude other fields from the list?

For example: Message: An attempt was made to change the password Subject: Security ID: ABC/DEF A...

by New Member in

How to create a new field and set it with a value of 5 minutes for each event?

Hello all, I'm making an alerts report and by now, I have the total number of Alerts for a month, let's set it as ...

by Contributor in

how to get average of time field?

I have following values in a field(CPU) 000 00:00:00.00 000 00:00:00.03 000 00:00:43.18 000 00:00:20.69 ...

by Path Finder in

How to transform a table and use column headers as field values?

Hi, I would like to do a transformation like this: Can you help how to achieve this? Thanks in advan...

by Motivator in

How to autofill rows in a table, even if there are no values produced by streamstats?

Hello, I have an output table like below from a streamstats call on my events: period total cummulative_to...

by Explorer in

How do I edit my search to get a count by error text?

Hi everyone, I am trying to do the following in Splunk, but it's not working: index=MRM eventtype=MRM_ERROR | e...

by New Member in

Is there an easy way to use blacklist in inputs.conf to filter the input itself in real-time like we would do for a Windows event log?

Blacklisting works to blacklist a file or directory... but is there an easy way using blacklisting in inputs.conf to ...

by Communicator in

How to use fields as tokens in scheduled report emails, but not in visualizations?

Dear experts, I defined the below mentioned pivot to generate a monthly report of the most frequently used URL pat...

by Explorer in

Why is MV_ADD=true extracting everything twice and producing duplicates in my search results?

My Event: Directory: /var/tmp/.X11-unix Mtime : 2015-01-06 06:26:36 +0000 | 2016-01-04 15:31:39 +0000 ...

by Communicator in

How to edit my search to add a third column to my table results if there are certain values in the first

I want to add a column "FinalType" in a statistical table, so when the EventType=ScoreLock and TxnType=Renewal, it sh...

by Communicator in

How can I increase the max number of searches on my dashboard in Splunk Enterprise?

I'm running Splunk Enterprise on my Windows machine and am facing an issue in loading my dashboard fully. The dashboa...

by Engager in

Why are we getting error "Server has invalid Kerberos principal" when running a search that triggers MapReduce?

With Hunk, we're getting an invalid Kerberos principal when we try to run a search that triggers MapReduce. The strea...

by Path Finder in

How to use dedup on a field, but aggregate all other values in another field?

I am running a search to identify all users and the URLs they have connected to. The result includes duplicate users,...

by New Member in

How do I filter my search to only display users that have appeared a minimum of 5 times?

Hi There, I have a field that identifies users, e.g. userID. I also have a field that is common in every log, e.g....

by New Member in

How to group and add the count for each value of a field?

I am currently trying to group together unique products, and have the username listed under each product, however, I ...

by Explorer in

Why is the Search and Reporting app Data Summary showing EARLIEST EVENT as 15 years ago?

Hello everyone I'm trying to track down the reason my Data Summary in the Search app is reporting BILLIONS of even...

by Builder in

Why am I unable to combine multivalue fields in my search?

HI, I have a search in which I am interested in three fields: index=my_computer sorucetype=asia_data message="N...

by Explorer in

How to calculate response time for my sample data?

172.22.220.15 - XXX@XXX.com [05/Jan/2016:01:19:36 -0600] "GET HTTPS://XXX.allianceweb2.XXXX.com/AERWEB/dwr/interface/...

by New Member in

How to get the count (Exceptions) for last 5 days in a single table?

This is my expected result: Exceptions Day1 Day2 Day3 Day4 Day5 Abc 5 4 3 1 0 Start ...

by Path Finder in

How to convert SID to Active Directory friendly name for an alert?

I'm new to Splunk and trying to configure an alert so when Windows Event ID 4760 occurs. I have the basic syntax crea...

by Engager in

How do I join two searches that both include rex field extractions?

Hi, I wonder whether someone may be able to help me please. I have the following two searches: index=main a...

by Motivator in

How to edit my search to show a line of an average over the last 30 days on a column graph?

Hi helpful people, I wish to display on a column graph an average line for my search. My current search is as foll...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Why are events not returned for a search on a search-time extracted field?

Regex help in filtering machines that were not compliant that now are....

How do I separate the results of a transaction to separately show each event?

If I only need fields "Target Account Name" and "Subject Account Name", how can I write a search to exclude other fields from the list?

How to create a new field and set it with a value of 5 minutes for each event?

how to get average of time field?

How to transform a table and use column headers as field values?

How to autofill rows in a table, even if there are no values produced by streamstats?

How do I edit my search to get a count by error text?

Is there an easy way to use blacklist in inputs.conf to filter the input itself in real-time like we would do for a Windows event log?

How to use fields as tokens in scheduled report emails, but not in visualizations?

Why is MV_ADD=true extracting everything twice and producing duplicates in my search results?

How to edit my search to add a third column to my table results if there are certain values in the first

How can I increase the max number of searches on my dashboard in Splunk Enterprise?

Why are we getting error "Server has invalid Kerberos principal" when running a search that triggers MapReduce?

How to use dedup on a field, but aggregate all other values in another field?

How do I filter my search to only display users that have appeared a minimum of 5 times?

How to group and add the count for each value of a field?

Why is the Search and Reporting app Data Summary showing EARLIEST EVENT as 15 years ago?

Why am I unable to combine multivalue fields in my search?

How to calculate response time for my sample data?

How to get the count (Exceptions) for last 5 days in a single table?

How to convert SID to Active Directory friendly name for an alert?

How do I join two searches that both include rex field extractions?

How to edit my search to show a line of an average over the last 30 days on a column graph?

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

October Community Champions: A Shoutout to Our Contributors!

In Splunk studio, is it possible to populate a tex...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions