Splunk Search

Ask a Question

Discussions

Thread Info

Best way to combine these searches

The following query... index=os host=* (source=cpu NOT cpu="all") OR source=vmstat OR source=df | stats max(cpu) a...

by Communicator in

How to edit the syntax for my rex search to extract the folder name from a source path?

Hi everyone, I'm struggling with this rex expression: query | rex field=source "/var/syslog*(?<remote_source...

by Communicator in

Why am I getting an incorrect stats count from my transaction search?

Hi, Stats count does not count all instances of variables when I use it with transactions. Search string: i...

by New Member in

How to put _time to x axis in line chart on per hour basis?

Here is my search manager: var search1 = new SearchManager({ id: "rtCPUDaySearch", earlies...

by Explorer in

How to calculate a duration percentage in a transaction search for non-existent events?

I have this specific issue where I'm trying to calculate percentage of online time for a set of devices. I create...

by New Member in

Pass a value to a map subsearch and assign it to another field

How can I take a value from the base search an pass it to a map search like so: <base search> | map "search index=...

by Path Finder in

How can I diff the results of two most recent sources?

I'm currently trying to generate a report describing "what's changed" since the last report. Currently, my idea is to...

by Path Finder in

Search all fields for value

Hello All I am looking to search a number of fields (31) that may have the same value then count the number of tim...

by Explorer in

How to feed .xml data into Splunk to run searches on?

I have some .xml files at a location say: C/test/logs How can I configure Splunk to fetch those xml files and show...

by New Member in

Stats Count with Moving AVG for a given time

OK this one might be a challenge I 7 services that restart at midnight. I have a report that comes out at 7 AM tha...

by Motivator in

How to convert current graph numbers into actual names using a lookup?

Hi guys, So I currently have a search which has "the five most active OOID's by folder activity". The OOID (Organi...

by Communicator in

inputlookup not returning all rows

I have a csv file as a lookup, named "resources.csv." Looking at the actual file, it has about 30,000 lines. In the S...

by Path Finder in

How do I edit my timechart search to show all requested data?

I am running the following search: index=_internal source=*metrics.log earliest=07/01/2015:00:00:0 latest=08/10/...

by Builder in

Why am I getting "Regex: missing terminating ] for character class" with my line breaking configuration?

Hi, I am testing a feed, and it appears to be working properly, but I'm getting a "Regex: missing terminating ] fo...

by Champion in

How do I extract the date from the file name itself

I need to extract date from the log file name as my logs only have a timestamp and no date available. The date for...

by Explorer in

How do I delete events in one index that exist in another?

I've read up on delete and am familiar with the implications, but I'm having trouble figuring out how to mark events ...

by Path Finder in

Obtaining statistics for messages with different ID's

I have logs from two apps to analyze. General a session of app interaction (as it is represented in logs) looks like ...

by Engager in

How to add a row into table?

How can I add a row into a table either manually or through a look-up table? I would like to insert the row right bel...

by Explorer in

How do I edit this regex for proper field extraction dealing with both single and double spaces?

Having issues getting field extraction on Cisco ASA lines to work consistently without getting invalid information. F...

by Path Finder in

How to export dashboard charts with a statistics table of the values below?

I have a dashboard with pie chart, line charts etc., I can see the values by hovering the mouse on the charts. If I e...

by New Member in

Will Lookaheads/Lookbehinds Hurt Search Performance?

I have an index which processes around 10 million events per day. I did a few field extractions which had lookaheads ...

by SplunkTrust in

How to join two searches by closest time fields in my two indexes, not using the _time field?

Hi all, I am going to simplify my problem. I have two indexes with the following variables: index 1: time_in us...

by Engager in

After upgrading from Splunk 5 to 6.2.4, why are some searches that use a macro with a lot of eval case branches running 10 to 20 times slower?

Hello, Since we upgraded from Splunk 5 to Splunk 6.2.4, some of our searches run 10 to 20 times slower than before...

by Contributor in

How do I write a search to display a table with the count of each value for a field?

Hello, My data looks like: I currently have this search: source=myapp test123 | stats count by type T...

by Communicator in

How to configure props.conf and transforms.conf to filter out a Windows eventcode?

Hi guys, I am ingesting Windows event logs including event code 5156 which is chewing up a lot of license. I have ...

by Communicator in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Best way to combine these searches

How to edit the syntax for my rex search to extract the folder name from a source path?

Why am I getting an incorrect stats count from my transaction search?

How to put _time to x axis in line chart on per hour basis?

How to calculate a duration percentage in a transaction search for non-existent events?

Pass a value to a map subsearch and assign it to another field

How can I diff the results of two most recent sources?

Search all fields for value

How to feed .xml data into Splunk to run searches on?

Stats Count with Moving AVG for a given time

How to convert current graph numbers into actual names using a lookup?

inputlookup not returning all rows

How do I edit my timechart search to show all requested data?

Why am I getting "Regex: missing terminating ] for character class" with my line breaking configuration?

How do I extract the date from the file name itself

How do I delete events in one index that exist in another?

Obtaining statistics for messages with different ID's

How to add a row into table?

How do I edit this regex for proper field extraction dealing with both single and double spaces?

How to export dashboard charts with a statistics table of the values below?

Will Lookaheads/Lookbehinds Hurt Search Performance?

How to join two searches by closest time fields in my two indexes, not using the _time field?

After upgrading from Splunk 5 to 6.2.4, why are some searches that use a macro with a lot of eval case branches running 10 to 20 times slower?

How do I write a search to display a table with the count of each value for a field?

How to configure props.conf and transforms.conf to filter out a Windows eventcode?

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!