Splunk Search

Ask a Question

Discussions

Thread Info

Shouldn't this map command work?

|stats count|eval cip='foo'|map search="search index=* Address=$cip$" It errors out saying "Error in 'map': Did no...

by Path Finder in

How to use Splunk to detect web attacks with PHP IDS regex rules?

I'm noodling the thought of using Splunk to detect Web attacks (similarly to Scalp) via the Apache HTTP logs. Scal...

by Path Finder in

How to find the average of a duration field in the time format %H:%M:%S:%3N ?

Using only source and a keyword, my data comes in like this: 07/29/2015-08:50:14.524 - WebContainer : 0 - [com.cgi...

by Explorer in

transforms to extract fieldname and value from cb ioc fields

I have a transform setup which seems simple enough, but does not seem to be working at all: regex101 says that the re...

by Motivator in

What is the difference between these eval commands in a timechart?

Hi, I'm wondering why I'm getting different results here: 1. ... | timechart span=1d count(eval(if(value>"1"...

by Motivator in

Splunk DB Connect 1: How can I dynamically search from the lookup CSV file with dbquery?

I have a CSV file with three columns, say Name, Address, Lastname. I get Name from the dbquery, so I want to fetch al...

by New Member in

Bucket time span causing incorrect date entries

I have the following query: some query... | bucket _time span=1d | eval date=strftime(_time, "%b %d, %Y") | chart ...

by Communicator in

Why am I not able to see my extracted field in Splunk Web?

I am not able to see my extracted field. I can see the field created under splunk/etc/users/local Also, I added...

by Explorer in

How to extract and assign a timestamp from a multiline event?

How to extract and assign the timestamp from the below multiline event. Timestamp exists in the 4th line from last. ...

by Contributor in

How do I edit my transaction search to find the queue time for different steps in my sample data?

Hi, I am working in a market research company. We will send some online surveys to some samples. We have 3 steps t...

by Communicator in

How do I optimize my regex for a field extraction to improve efficiency and searchability?

I am working on field extraction in splunk and I have come up with the below regex (spunk regex does not work the ...

by Motivator in

How to filter out rows for individual tables by Metric date?

Hello, I have a handful of tables that contain monthly reported data. Each table starts at a different Metric time...

by Explorer in

How do I extract and separate an arbitrary number of field values with regex?

input: myCommand -myArgs taska taskb taskc myCommand -myArgs taska myCommand -myArgs taska taskb taskc taskd ...

by Path Finder in

Did folderize stop working?

I had an old Splunk saved search from several versions ago which successfully used folderize. However, when I ran ...

by Path Finder in

Is it possible in Splunk to trigger a search, generate a report, and email it or save the report in some location?

Hi Team, I would like to know if it is possible in Splunk to trigger a search (with regular expressions), generate...

by Builder in

Trying to find the index of a value within a multivalued field, why is is mvfind on the multivalue field not working?

Hi, I am trying to find the index of a value within a multivalued field. I assume mvfind is the correct eval funct...

by Engager in

I need to track the progress of students over time

Our event lists the answer to one question on a test. Our test numbers are unique to one set of test questions by one...

by New Member in

Can automated lookups be defined on a search head but not pushed to search peers?

I have a 60MB lookup file on my ES search head that is only used for automated lookups against data indexed locally o...

by Explorer in

Is there a way to use regex on a standalone string to pull out each value, then append "field!=" to the front to exclude these values from a search?

I have a large list of values for a field that I would like to exclude from my search. Rather than having a huge sear...

by Path Finder in

How to search two indexes to find if an event in index B does not occur within certain time range of an event in index A?

I hope the following makes sense...I have two indexes for separate application logs, index A and index B. I need help...

by Explorer in

How do I use the "AND" operator or any other way to list all values of a field that have both statuses FAIL and SUCCESS?

I have a search where the transaction status of a policy was set to FAIL. It was processed manually and now it has ch...

by Communicator in

How to search the sum of transactions where the times do not overlap?

I want to be able to show the sum of time that users have had licenses checked out (historically). But if a user has ...

by New Member in

How to combine my two searches for Windows WMI Data (Host, OS, Version, SP and Number of Installed updates) into one report?

Hello, I have two different searches that return the data that I would like to see in one report. However, I am ha...

by Builder in

How to search two events that occurred right before a specific event showing a certain error to analyze what happened?

Hello, When I search for some events (i.e index=main *password fail), I want to get the events with two lines befo...

by Explorer in

Multiple instances of Splunk w/ Boot-start

How can I have multiple splunk instances on linux and use boot-start? The command "./splunk enable boot-start" will o...

by Engager in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Shouldn't this map command work?

How to use Splunk to detect web attacks with PHP IDS regex rules?

How to find the average of a duration field in the time format %H:%M:%S:%3N ?

transforms to extract fieldname and value from cb ioc fields

What is the difference between these eval commands in a timechart?

Splunk DB Connect 1: How can I dynamically search from the lookup CSV file with dbquery?

Bucket time span causing incorrect date entries

Why am I not able to see my extracted field in Splunk Web?

How to extract and assign a timestamp from a multiline event?

How do I edit my transaction search to find the queue time for different steps in my sample data?

How do I optimize my regex for a field extraction to improve efficiency and searchability?

How to filter out rows for individual tables by Metric date?

How do I extract and separate an arbitrary number of field values with regex?

Did folderize stop working?

Is it possible in Splunk to trigger a search, generate a report, and email it or save the report in some location?

Trying to find the index of a value within a multivalued field, why is is mvfind on the multivalue field not working?

I need to track the progress of students over time

Can automated lookups be defined on a search head but not pushed to search peers?

Is there a way to use regex on a standalone string to pull out each value, then append "field!=" to the front to exclude these values from a search?

How to search two indexes to find if an event in index B does not occur within certain time range of an event in index A?

How do I use the "AND" operator or any other way to list all values of a field that have both statuses FAIL and SUCCESS?

How to search the sum of transactions where the times do not overlap?

How to combine my two searches for Windows WMI Data (Host, OS, Version, SP and Number of Installed updates) into one report?

How to search two events that occurred right before a specific event showing a certain error to analyze what happened?

Multiple instances of Splunk w/ Boot-start

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!

Using splunk-sdk in user-defined functions in Spar...

Verification of SAML assertion using IDP's cert fa...

ジョブを消しても復活する現象について

splunk threat intelligence taxii data

Splunk DB connect add-on InfluxDB 2.6