Splunk Search

Discussions

Thread Info

Replace parts of a string

Hi! I'm trying to replace parts of a string, in order to make it more human-readable. Our logs contains strings like ...

by Path Finder in

Auto-run form Question

Hey, I am trying to produce a form that does not require the use of a search button in order to execute a search a...

by Motivator in

Quotes in CSV-formatted events

I am attempting to add CSV-formatted events to my index through the REST API. I've got it working mostly correctly, b...

by Path Finder in

"NOT IN" between two search query

Hi all, i need to select IP address from a search query that "are not" in another search query. How can i do this? th...

by Path Finder in

fschange on auto-rotated config files

So I have an application that auto-rotates its config files every time it is changed, and uses the following structur...

by Communicator in

Limitations with searchmatch() eval function?

Is there any weird issues with using multiple searchmatch() expressions within a single eval command? I have a tra...

by Super Champion in

How can you emulate a sub-subsearch?

Is there anyway of emulating a nested subsearch? I know its sometimes possible to rewrite a search to factor-out a su...

by Super Champion in

Matching both sides of two kv pairs over time

I have a small DTrace app that monitors ARP requests and replies, producing output like this: 2010 Sep 1 03:10:0...

by Path Finder in

Use date_hour date_minute for charting

Hi everyone. I'm trying to use the date_hour and date_minute fields (which reads perfectly the hours and minutes o...

by Explorer in

Search using outer join fails to return all matching events

Search fails to correctly return all matching events when performing outer joins. The search below illustrates the pr...

by Splunk Employee in

How do I configure multi-value fields for RFC 5424-compliant syslog events?

Splunk understands old school BSD-style syslog events effortlessly. For RFC 5424-style events, multiple data structur...

by Splunk Employee in

How do I set the major unit duration to 1 week

In a chart, I need to set major unit to be one week (i.e adjacant tick marks need to be one week apart). How do I do ...

by New Member in

Simultaneous queries/jobs limit

Hi I was wondering if there is a limit on the count of simultaneous queries/searches/jobs executed in a Splunk in...

by Path Finder in

Regex across two lines

I have the following output: DEV#: 0 DEVICE NAME: vpath0 TYPE: 2107900 POLICY: Optimized SERIAL: 123ba...

by Builder in

Search query login

Hi all, i need to do a query about the number of login failed and succeeded in a time period. I'm auditing linux and ...

by Path Finder in

How do force a search to finish before invoking a custom search command?

I'm building a custom search command that performs some visualizations on a dataset outside of Splunk. It has to pars...

by Communicator in

Diff of 2 searches

How would I go about running a search that compares the output to two searches and reports the difference between the...

by Path Finder in

regex and BREAK_ONLY_BEFORE

I have a script that sends something like the following to stdout: DEV#: 0 DEVICE NAME: vpath0 TYPE: 2107...

by Builder in

Distinct Count on Summary Index

Okay, my summary index looks like this: sourcetype="blah" | sistats count by email I'd like to run a q...

by Path Finder in

Show only events WITHOUT field

Is there a way to show events only if they do not contain a specified field. E.g. 40% of my selected events contain a...

by Engager in

Splunk Search

Discussions

Replace parts of a string

Auto-run form Question

Quotes in CSV-formatted events

"NOT IN" between two search query

fschange on auto-rotated config files

Limitations with searchmatch() eval function?

How can you emulate a sub-subsearch?

Matching both sides of two kv pairs over time

Use date_hour date_minute for charting

Search using outer join fails to return all matching events

How do I configure multi-value fields for RFC 5424-compliant syslog events?

How do I set the major unit duration to 1 week

Simultaneous queries/jobs limit

Regex across two lines

Search query login

How do force a search to finish before invoking a custom search command?

Diff of 2 searches

regex and BREAK_ONLY_BEFORE

Distinct Count on Summary Index

Show only events WITHOUT field

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >

LDAP query for users

Filtering mstats data using eventtypes and tags

Extracting fields from nested JSON event

Join field form inputlookup failed

Eval Input Token with Backslashes

Splunk Search

Discussions

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.Find out what your skills are worth! Read the report >

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >