Splunk Search

Discussions

Thread Info

How to create a stacked column chart with count(_time) split by index (_internal, main) for each host?

I don't understand why this should be so difficult....okay, here is my search: host=* index=_internal OR index=mai...

by Engager in

How to recognize flat patterns in separate time periods?

This is a continuation of How to recognize a flat pattern in a given time period which @lguinn solved with a combinat...

by SplunkTrust in

Removing events with duplicate fields from transaction command

Hi all, I am writing a query to detect brute force attempts, where the username is different in each request. index...

by Explorer in

Why are the search and query tags in my dashboard XML failing?

Hi, I wonder whether someone may be able to help me please. I've put together the following in the Dashboard X...

by Motivator in

Query to get daily amount of data in GB per index

I am trying to figure out a search to get the amount of data in GB coming into Splunk per index. When we have huge sp...

by New Member in

How to call an external lookup from the master search head, but execute it in a specific search peer?

I have an external lookup that is working fine, but due to firewall restrictions, I need to force the external lookup...

by Motivator in

Bucketing by day for a table of result with eventstats

We've got summary index working great, but we need to back fill in some data from before we started the automated rep...

by Path Finder in

How to combine or join 2 sources (.csv format) with exactly the same extracted fields?

How is it possible to combine or join 2 sources (.csv format) with excactly the same extracted fields? source1: co...

by Explorer in

Is it possible to do faceted search with Splunk, similarly to what we do with Solr?

I'm new to Splunk and I have been searching for a way to do faceted search, similarly to what I have been doing with ...

by Explorer in

Using a subsearch with inputlookup to filter results returns errors

Hi guys, Im trying to filter a list of messages coming from my index by checking the sender for membership in a gr...

by Path Finder in

How do I edit my search to get a total sum of list(count)?

I've got this search working to show me allowed (!=blocked) network activity that lists the dest_ip, and dest_port, g...

by Path Finder in

How to create a chart overlay of last weeks CPU utilization with this week's CPU utilization?

I am attempting to overlay last weeks CPU with this weeks CPU utilization, to give a side by side contrast. Curre...

by Motivator in

How do I edit my search to add a second field (value) to my chart?

I have this string and want to add second value " accountNumber" to the chart. How I can do that? Current string: ...

by Communicator in

How to pre-calculate a value per day and store it in a lookup to find averages in later searches?

Currently we have a search: index="ecom" eventName | eventstats dc(sessionId) as totalnumberofsessions | search ev...

by Path Finder in

How to write the regex to extract and list values occurring after a constant string?

The following were my search results: processor.ProcSavePriceInfoObjects.writeProperties(ProcSavePriceInfoObjects....

by Builder in

Instead of running ./splunk start or restart out of the /opt/splunk/bin directory, does anyone know how to add an alias in .bashrc?

Instead of having to run ./splunk start or ./splunk restart out of the /opt/splunk/bin directory, does anyone have an...

by Path Finder in

How to create a scatter graph of chain stores on the y-axis with a dot over each city a store is located long the x-axis?

I have Splunk indexing a file that contains information about the geographical location of stores: city, chain, nu...

by Contributor in

How to write a search to ignore a matching line, but not other lines in event to filter out false positives for an alert?

I'm logging Rails requests and have taught Splunk about our logging format. When there's a new release of our app, I ...

by Explorer in

Why is my rex command after upgrade to 6.3 not working

Hello I'm using this Regex command: rex max_match=25 "\s+(?P<UserName>[^ ]+\s*\w*)\s+(?P<Status>[Allow|Deny]+)\...

by Contributor in

Why are my json fields extracted twice? (redux)

I came across http://answers.splunk.com/answers/174939/why-are-my-json-fields-extracted-twice.html which seemed to de...

by New Member in

How to create a timechart with charting.legend.labels, but maintain the x-axis label format and color two lines red and blue?

I have a timechart with two lines (sum and max of values). Have a problem with the display format of the x-axis. It i...

by Explorer in

Error in 'search' command: Unable to parse the search: Comparator '>' is missing a term on the right hand side

I have 2 queries in same format out of which query#1 is working and query#2 is not working and throwing error " Unifi...

by Engager in

How do you configure splunk to extract fields from SMTP Message Transaction Logs?

We currently use Cisco IronPorts and are sending the Message Transaction Logs via syslog to Splunk. I couldn't find t...

by New Member in

Can I apply an inputs.conf WinEventLog stanza by regex or IP range with a whitelist?

Can we, because of Windows SID translations needing to be pointed to specific DomainController based on IP, point our...

by Explorer in

How to schedule real-time search with a cron schedule in Splunk 6.2.1

I am trying to convert real-time searches in the dashboard to scheduled real-time searches to reduce performance over...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to create a stacked column chart with count(_time) split by index (_internal, main) for each host?

How to recognize flat patterns in separate time periods?

Removing events with duplicate fields from transaction command

Why are the search and query tags in my dashboard XML failing?

Query to get daily amount of data in GB per index

How to call an external lookup from the master search head, but execute it in a specific search peer?

Bucketing by day for a table of result with eventstats

How to combine or join 2 sources (.csv format) with exactly the same extracted fields?

Is it possible to do faceted search with Splunk, similarly to what we do with Solr?

Using a subsearch with inputlookup to filter results returns errors

How do I edit my search to get a total sum of list(count)?

How to create a chart overlay of last weeks CPU utilization with this week's CPU utilization?

How do I edit my search to add a second field (value) to my chart?

How to pre-calculate a value per day and store it in a lookup to find averages in later searches?

How to write the regex to extract and list values occurring after a constant string?

Instead of running ./splunk start or restart out of the /opt/splunk/bin directory, does anyone know how to add an alias in .bashrc?

How to create a scatter graph of chain stores on the y-axis with a dot over each city a store is located long the x-axis?

How to write a search to ignore a matching line, but not other lines in event to filter out false positives for an alert?

Why is my rex command after upgrade to 6.3 not working

Why are my json fields extracted twice? (redux)

How to create a timechart with charting.legend.labels, but maintain the x-axis label format and color two lines red and blue?

Error in 'search' command: Unable to parse the search: Comparator '>' is missing a term on the right hand side

How do you configure splunk to extract fields from SMTP Message Transaction Logs?

Can I apply an inputs.conf WinEventLog stanza by regex or IP range with a whitelist?

How to schedule real-time search with a cron schedule in Splunk 6.2.1

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!