Splunk Search

Discussions

Thread Info

What are the best way to merge a set of values that refer to the same thing in a field?

For example in a field "customer", I have the following events and values: Event 1: abc Event 2 :abc pte ltd I wan...

by Communicator in

Timecharting multiple lines..!

Hello, I have a question regarding timecharting multiple lines on one chart by Datacenter, but x-axis being Metric ti...

by Explorer in

External lookup script not functioning in search app

I have an external lookup using a python script. It is in its own app, but is shared to all apps with R/W access. The...

by Explorer in

Extract field with multi-values, is using an "OR" operator with two queries possible?

the errors messages in my logs have different formatting so I'm wondering if there is a way to combine the below two ...

by Path Finder in

Showing all fields in search (including empty)

Hi, I would like to know how to show all fields in the search even when results are all empty for some of the fie...

by Explorer in

How To List A Column Value Once in a Table?

I'm doing a project to detect click fraud. I created several extractions to take out the IP address, Web Request from...

by SplunkTrust in

Good setting for max_searches_per_cpu?

Hi, I'm getting this warning every hour, on top of the hour, when apparently quite a few scheduled searches are tr...

by Builder in

Average transaction duration by unique transaction id

index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="*" | transacti...

by Communicator in

Sourcetype volume increase search

I want to have an alert being raised when any of our top sourcetypes hourly indexing rises above a given monthly aver...

by Builder in

New users per month

Is it possible to find the earliest time for all users over all time. Then do a distinct count of users by month usin...

by Contributor in

Is it possible to use join with the output of a lookup in a search query?

Hi, I have a search query like the one below index=beacon BeaconType=userevent type=addonselected | join INI...

by Path Finder in

Searching from a data model using tstats, why am I getting "Error in 'TsidxStats': Invalid root event object for datamodel"?

I created a data model "Aggregate". I added an object which is a root search object named "usage". There is a search ...

by Communicator in

How to write the regex to extract semicolon delimited fields?

I have the following log statement, which uses semicolon delimiter and where i want to extract columns as specific fi...

by Path Finder in

How to detect and fill default value to empty-value field ?

Hello, When i did a search on my SQL data, there are a lot of empty-value fields, which don't contain anything, i ...

by Contributor in

Regex field extraction

Splunk Version 6.2.0 Splunk Build 237341 (MacOSX Yosemite) This is the line I'm looking to extract fields using re...

by New Member in

REGEX match on multiple conditions help

I need help with a REGEX that needs to match multiple conditions in a log event. The event looks like this: 02:...

by Engager in

Search multiple column in logs and give count of respective column

Hi, My question is divided into 2 parts - 1.) I have a log file in which there are about 20-22 columns but i wa...

by Communicator in

timestamp in the beginning

Why splunk adds the date and time to the beginning of a log. How to clean it? Jul 15 09:27:20 172.16.19.1 Jul 15 2...

by Path Finder in

Why is my lookup search query not returning expected results?

I've got a KeywordList.csv lookup table with 3 columns (URI, URI_Keyword, URI_KeywordType). URI is a pre-existing fie...

by New Member in

Not getting field automatically from lookup table

I have a file: racf_username.csv located in /opt/splunk/etc/system/lookups which looks like; racf,username A123456,A ...

by Contributor in

How to do multiple searches at once?

Hi guys, I need to have multiple searches running that pull up a word from the same field and replace it with anot...

by Path Finder in

RStudio integration with Splunk

Is there any way to run Splunk queries from the RStudio IDE rather than from within the search bar?

by Explorer in

How to create a field from another field?

I have a field "F1" with values as following: I want to add a filed "F2" with value 'a' to all 'a*', with value 'b' ...

by Explorer in

Setting options for host regex not working as expected

We have a set of hosts that all begin with the letter 'm' and we want to set DATETIME_CONFIG = CURRENT for them. I...

by Engager in

Line Chart single value over time

I have a log containing memory usage over a period of time. How can I plot a line graph where the x-axis is the time,...

by New Member in

Get Updates on the Splunk Community!

Splunk Search

Discussions

What are the best way to merge a set of values that refer to the same thing in a field?

Timecharting multiple lines..!

External lookup script not functioning in search app

Extract field with multi-values, is using an "OR" operator with two queries possible?

Showing all fields in search (including empty)

How To List A Column Value Once in a Table?

Good setting for max_searches_per_cpu?

Average transaction duration by unique transaction id

Sourcetype volume increase search

New users per month

Is it possible to use join with the output of a lookup in a search query?

Searching from a data model using tstats, why am I getting "Error in 'TsidxStats': Invalid root event object for datamodel"?

How to write the regex to extract semicolon delimited fields?

How to detect and fill default value to empty-value field ?

Regex field extraction

REGEX match on multiple conditions help

Search multiple column in logs and give count of respective column

timestamp in the beginning

Why is my lookup search query not returning expected results?

Not getting field automatically from lookup table

How to do multiple searches at once?

RStudio integration with Splunk

How to create a field from another field?

Setting options for host regex not working as expected

Line Chart single value over time

Can’t make it to .conf25? Join us online!

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!