Splunk Search

Discussions

Thread Info

How to edit my props and transforms.conf to filter out Windows Security Events with Logon Type:3?

Hi I want to drop all Windows Security Events (4624, 4625, etc) with Logon Type:3 My first idea is to make filter...

by Path Finder in

How do I handle fields with no value or a blank space in a rex field extraction so they show up as null?

I have a data source that is pipe delimited, but some of the fields contain no data or even a blank space. I've creat...

by Builder in

REGEX to filter out event records

At the indexer, we are trying to exclude event records from incoming windows logs that have Logon_Type=3. Below i...

by New Member in

Join Statement Not Retrieving All Records

Hi, I wonder whether someone may be able to help me please for which may seem a really dumb question. I'm using th...

by Motivator in

Is it possible in Splunk to display contents from external url

I have a url, by hitting which, i get some data. Is it possible in splunk to read that data and process it and displa...

by Contributor in

How to get each occurrence of the username in a search from my sample data, not just the first username?

This is my search: index="test" sourcetype="Cisco_Users" | rex field=_raw "(?<Host>\w+-\w+-\w+-\w+-?\d?\.\w+\.\w+...

by Path Finder in

chopping up lastlog

I have managed to get our linux hosts' lastlog data in our Splunk> (version 5.0.2, build 149561) easily enough, but w...

by Engager in

Joining multiple field value count using a common text

Hi, We have few appliances spread across various data centers feeding logs into Splunk. Each Data center has 2 or ...

by Builder in

How to use the value of one field to select/chart another field?

I have a json object (see below). I need to take the value of payload.chan (15 in this case) and using 15 select payl...

by Motivator in

How to dedup after | stats list(blah)?

Scenario: I am extracting sender domains with the following code: index=mail sourcetype=xemail [search index=...

by Contributor in

Extraction of a substring and comparison in a loop

Hi, I need to search for an element A present in one of the fields let's say field 1. Some of the values presen...

by Explorer in

How to set different colors for each row of my results in dashboard panel?

Hi, Can someone please advise, how we can set different colors in a dashboard for each single row? Our data lo...

by Path Finder in

The automatic timechart range changed after upgrading from Splunk 6.3.1 to 6.3.3. What can we set to revert to the old behavior?

We have certain source types where there is only data from months ago. When putting this into a timechart, the chart ...

by Communicator in

How to create a stacked bar graph showing total time and (total time-pending) stacked by filter?

I want to create a stacked bar graph showing 2 columns stacked by department: 1 column is the total time and the seco...

by Explorer in

Change the ''Waiting for data... '' message with a value or word

My search : index=test | where Value>=95 | stats count(Value) as Events by Host The result : if ther...

by Communicator in

How can I know when Splunk reaches the 10000 result limit in a search to output a certain message?

In my search, I calculate some values, but if I reach the 10000 result limit, I get wrong results. I would like chang...

by Path Finder in

How to create a table based on certain fields from the Output Results?

Hi Splunk Support, I'm trying to create a table based on certain fields from the Output Results: Search String...

by Explorer in

How to configure a universal forwarder to add search-time metadata to all events?

Hi Everyone, Our setup is a universal forwarder --> heavy forwarder --> indexer. I am looking to modify a universa...

by New Member in

Difference between earliest -2d and earliest -2d@d?

Hello, Could someone please delineate the difference between these two earliest commands: earliest=-2d earli...

by Explorer in

How do I edit my regex to extract this field from my sample event?

Want to extract only /ubi-v2/api/scoresummary from the below mentioned event in a field. Rex used: `| rex "(?<rem...

by Communicator in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to edit my props and transforms.conf to filter out Windows Security Events with Logon Type:3?

How do I handle fields with no value or a blank space in a rex field extraction so they show up as null?

REGEX to filter out event records

Join Statement Not Retrieving All Records

Is it possible in Splunk to display contents from external url

How to get each occurrence of the username in a search from my sample data, not just the first username?

chopping up lastlog

Joining multiple field value count using a common text

How to use the value of one field to select/chart another field?

How to dedup after | stats list(blah)?

Extraction of a substring and comparison in a loop

How to set different colors for each row of my results in dashboard panel?

The automatic timechart range changed after upgrading from Splunk 6.3.1 to 6.3.3. What can we set to revert to the old behavior?

How to create a stacked bar graph showing total time and (total time-pending) stacked by filter?

Change the ''Waiting for data... '' message with a value or word

How can I know when Splunk reaches the 10000 result limit in a search to output a certain message?

How to create a table based on certain fields from the Output Results?

How to configure a universal forwarder to add search-time metadata to all events?

Difference between earliest -2d and earliest -2d@d?

How do I edit my regex to extract this field from my sample event?

Observability Highlights | January 2023 Newsletter

Security Highlights | January 2023 Newsletter

Platform Highlights | January 2023 Newsletter

Strptime not working for the time

How to use MLTK to tune DNS Query Length Outliers ...

Optimizing metrics based searches?

How to use fit command together with foreach?

How to detect T1036.002: Masquerading (Right-to-Le...