Splunk Search

Community Activity

Help Joining Indexes I have 2 indexes with a common field that I extracted (The JSession ID) So I want to join index=mainand index=access... by skoelpin SplunkTrust in Splunk Search 07-13-2015 0 5	0	5
Compare One Field over Two Times I want to see what is new for the past two weeks, that hasn't been seen in the past. The only part of the search that... by craigmueller New Member in Splunk Search 07-13-2015 0 4	0	4
When a search job runs for more than 10 minutes and the job-id expires, why doesn't the "Send job to background" option work? When my search runs for more than 10 min, 'job-id' expires since the default TTL value is 600 (10 min), so I get "unk... by splunker12er Motivator in Splunk Search 07-13-2015 0 7	0	7
How to compare two query result fields of the same query parameter Hi Example Line 1 : Fox is Jumping out of burrow in 10 seconds Line 2 : Fox is Jumping out of hole in 20 seconds... by maruthi_s New Member in Splunk Search 07-13-2015 0 2	0	2
How to get the top 3 counts for each index? Let me make an example to clarify: Now I have the search result like this: How can I get the top 3 counts of each ... by lys1030 Explorer in Splunk Search 07-13-2015 0 4	0	4
Is it possible to search "keyword", but not operate on _raw field of the event? Is there a way to use something like search "keyword", but not operate on the _raw field of the event, but let's say ... by abour Explorer in Splunk Search 07-13-2015 0 4	0	4
How to write a search to include 2 metrics on the same chart panel and alert when these metrics deviate by greater than 10%? My data looks like this (field names are: inputTime, metricName, value, key) 2015-07-09 08:01:03 num_bytes_sent 43... by lyndac Contributor in Splunk Search 07-13-2015 0 3	0	3
How to capture multiline events (with a regex)? Hi, I am trying to capture the multiline events from a Weblogic-similar log which satisfies all three conditions bel... by skender27 Contributor in Splunk Search 07-13-2015 0 2	0	2
How to extract a list and count over it? Hi folks, I need help. I'm trying to do a search that extracts one list of Unique Session ID's and then performs wit... by vitorvmiguel Explorer in Splunk Search 07-13-2015 0 15	0	15
Unable to get proper results for the Average field with my search Hi: I am unable to get proper result for the Average Field. Here is my search: index=entloggingnonprod_catchall_ba... by OMohi Path Finder in Splunk Search 07-13-2015 0 3	0	3
Send email if one event happens but the other doesn't after 24 hours I'm attempting to craft an alert that notifies myself and the user that requested access that they haven't revoked th... by mrmc Explorer in Splunk Search 07-13-2015 0 6	0	6
How to run same search for different source files? Hi Team, Again an urgent requirement. I have got a couple csv files with source name c:\\budapest.csv, c:\\singapore... by deepthi5 Path Finder in Splunk Search 07-13-2015 0 1	0	1
Universal Forwarder in AIX system not sending any data to splunk server, how to configure universal forwarder in AIX? I installed and configured Universal Forwarder in AIX but it does not send data to splunk server. I configured index ... by etaga New Member in Splunk Search 07-13-2015 0 2	0	2
I didn't use INDEXED_EXTRACTIONS, but why are fields for my IIS logs still getting extracted properly in Splunk 6.2.1? Hi all, I found blogs on IIS logs and Spunk 6. I didn't use the INDEXED_EXTRACTIONS, but why are fields still gettin... by rsathish47 Contributor in Splunk Search 07-13-2015 0 3	0	3
Why is the append command in my search showing incorrect results? Hi, My search looks like this: base search... \| timechart span=1d dc(user_id) AS daily_customers \| timechart span=... by HeinzWaescher Motivator in Splunk Search 07-13-2015 0 5	0	5
latest function in stats not working without earliest? Given the events: 2012-03-06 01:02:00 a=1 b=2 2012-03-06 02:03:00 a=2 b=3 and the query: * \| stats count latest(a... by vbumgarn Path Finder in Splunk Search 07-12-2015 4 9	4	9
How does data model acceleration work to help generate a report faster? How does data model acceleration help in generating a report faster? Creating a new data model from a 'root event' -... by splunker12er Motivator in Splunk Search 07-12-2015 0 4	0	4
Extract multivalue fields from multiline events Hi All, I'm trying to parse multiline structured tabular events like this: CPU Schedule Job ... by marcoscala Builder in Splunk Search 07-12-2015 0 5	0	5
Is it possible to get an estimated job completion time for a search? Search job Inspector: This search has completed and has returned 31232 results by scanning 434213123 events in 47.20... by splunker12er Motivator in Splunk Search 07-12-2015 0 1	0	1
How to manage memory consumption while returning data from a search using the Java SDK? This may be a silly question, but how does one manage memory while returning data from a search? The results are bei... by clomeli Engager in Splunk Search 07-11-2015 0 1	0	1
Format or Splitup a row of data ito three rows for reporting I am doing a search from two databases and comparing data from both. I am using the appenccols command to get the da... by hartfoml Motivator in Splunk Search 07-11-2015 0 2	0	2
Change bar chart bar color based on percentage value tag="*" LocID="-7" SbuID="-7" \| dedup tag \|eval x=substr(ResponseDisplay,1,3) \|eval y=substr(AvailabilityDisplay,1,3)... by zd00191 Communicator in Splunk Search 07-11-2015 0 1	0	1
Why is a bar chart not showing up with my search? tag="*" LocID="-7" SbuID="-7" \| dedup tag \|rename ResponseDisplay AS "Application Response", AvailabilityDisplay AS ... by zd00191 Communicator in Splunk Search 07-10-2015 0 5	0	5
lookup files not working even after changing the permissions Experts, I am tired of trying to make this work  . We have two instances, one is a distributed search with (1SH and... by Raghav2384 Motivator in Splunk Search 07-10-2015 1 6	1	6
Finding change in disk space Hello, Disk space on a series of servers is monitored every 10 minutes. What I want to do is run a search that says... by kholleran Communicator in Splunk Search 07-10-2015 0 4	0	4