Splunk Search

Discussions

Thread Info

Search generated too much data...

Has anyone run into this message? "Search generated too much data for the current display configuration, results h...

by Path Finder in

How to consolidate events into one event by using a multi-value field to lookup values?

Trying to take a multi-value field using that to lookup values then placing the return information into the correct f...

by New Member in

How to increase truncation limit to display all results in a chart?

Hello Splunkers, These results may be truncated. This visualization is configured to display a maximum of 1000 res...

by Contributor in

How to prevent my timechart search results from being truncated to display all data points?

I am attempting to generate an area chart for the past 15 days using the following search: index=test sourcetype=a...

by Path Finder in

Undocumented Search Operator TERM()

It seems that the undocumented TERM() operator can give quite a performance boost to searches. E.g. I ran a search...

by SplunkTrust in

How to modify my search to get result shown in a visualization chart?

Am using this search index=level3 host=Test | chart count over "Opened" by "Assignment group" I am getting th...

by Communicator in

Stats count with lookups

Hello, I have to get the individual count of three lookups A,B,C. How can I show the count of each lookup n Dashbo...

by Builder in

How to modify my search to find IP addresses that hit exactly one URL?

I'm trying to find IP addresses that hit a specific url and no other. I tried to use set diff but it's not returning ...

by Explorer in

How to assign index of an app to another.

Hi, I have an app called ngcdn and an index (we_accesslog_extsqu) for that app which is looking to a directory. No...

by Contributor in

How to merge a search result with multiple fields and a dbquery with multiple columns matching on one (or more) fields or columns?

I have a table in Oracle that monitors user logins to web apps. When a user accesses the webpage, I see the following...

by Engager in

How to combine multiple transactions and still see the events grouped by transaction?

I've created two transaction types, one named mail that finds all of the postfix events with the same queue_id; and s...

by New Member in

I'm trying to find the top 50 email senders. Is my search correct?

index=mail sourcetype="symantec:mail:syslog" sender "ML-DELIVERY" | stats values(sender) as sender by msg_id | events...

by New Member in

How can I find forwarders that do not send data to all indexers?

Hi is there an easy way to find forwarders that are not sending data to all available indexers? We see, that some ...

by Motivator in

How to edit my command to convert UTC time to EST time?

Trying to figure out why converting time, which is stored in UTC, is not being converted correctly when going to EST....

by New Member in

How to obtain most recent event per host using rex and table commands?

My problem is I don't think stats will work for what I'm trying, or my syntax is wrong. Either way, hit a stumbling b...

by Explorer in

What is span, timechart, minspan, and useother doing in my search?

Hi, I'm having trouble understanding some portions of my search, I was wondering if someone could help me out. ...

by Communicator in

How to group and count data from string?

I have the following query: sourcetype=XXX Some query for * took * seconds to load And this is a result of que...

by Engager in

How can I identify field extractions that are causing performance problems?

Is there a log configuration option that will have splunkd logging when poorly written field extractions are impactin...

by Contributor in

Index viewable in Events but not in Statistics

I can see events from two indexes in the Events section, but my Statistics shows only events from one of the indexes....

by New Member in

Case statement tiered matching omitting some results

Hello fellow Splunkers, Pretty new to using case statements in Splunk and I've run into an odd problem that I have...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Search generated too much data...

How to consolidate events into one event by using a multi-value field to lookup values?

How to increase truncation limit to display all results in a chart?

How to prevent my timechart search results from being truncated to display all data points?

Undocumented Search Operator TERM()

How to modify my search to get result shown in a visualization chart?

Stats count with lookups

How to modify my search to find IP addresses that hit exactly one URL?

How to assign index of an app to another.

How to merge a search result with multiple fields and a dbquery with multiple columns matching on one (or more) fields or columns?

How to combine multiple transactions and still see the events grouped by transaction?

I'm trying to find the top 50 email senders. Is my search correct?

How can I find forwarders that do not send data to all indexers?

How to edit my command to convert UTC time to EST time?

How to obtain most recent event per host using rex and table commands?

What is span, timechart, minspan, and useother doing in my search?

How to group and count data from string?

How can I identify field extractions that are causing performance problems?

Index viewable in Events but not in Statistics

Case statement tiered matching omitting some results

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

multi-level nested JSON to table?

Matching index field value with lookup field value

extract fields from json-wrapped postfix logs?

How to configure alert when a service is in failed...

how to identify '\n' in Splunk rex