Splunk Search

Discussions

Thread Info

Calculating the percentage growth value of a field day to day

Hello everyone! I would like to know the percentage of growth of the field "wasted_MB" day by day, that is, the pe...

by Explorer in

Why is dedup not giving me the earliest event?

I'm attempting to consolidate records that share the same values in 3 fields, and I want to keep the event that has t...

by New Member in

Is there a way to ignore certain events

Is there a way to ignore splunk to read certain events: Here is a sample event that needs to be ignored: _!====...

by Path Finder in

How can I display a new calculated total field appended at the end of each event?

I would appreciate any comments. Search Case 1 host="HP" sourcetype="csv" Displays all fields for 8292 eve...

by Path Finder in

How can I edit my stats search to change the output format?

I have a formating question. When I run this: index=userdata | eval platform=case(rl_user_agent like "%iPhone...

by Path Finder in

Adding a field extraction causes other fields to disappear

I have come across a problem where the fields i have defined in my transforms.conf for a csv file are disappearing fr...

by Explorer in

Count of distinct events by multiple values?

This seems easy but for some reason I guess I don't know how to ask the question. I want a table that looks like t...

by Builder in

For each group of UIDs, how do I edit my search to filter out values from ColumnB that are not present in ColumnA?

earliest=-60d@d latest=-0d@d msg=login_daily | eval time=strftime(_time, "%m/%d/%y") | where cadt>1421366400 |stats c...

by Path Finder in

What token can I use in a timechart to pass the 'split by' clause in the $host$ token to another view in Simple XML?

I have created a dashboard in simple XML and I am attempting to make a dynamic drilldown leveraging the split by clau...

by Motivator in

How do i create another field based on existing naming convention

I have a raw event from where i want to capture a few specific fields already configured in splunk and want to create...

by Path Finder in

How do I create my own field based on events returned from a search?

I have Event Output below RPT: /DailyTestReport I want to create a field as RPT and Field value as "/DailyOper...

by New Member in

How do I configure a custom file delimiter

I only see 4 delimiter type available in plunk ( commas, tabs, pipes, and spaces) I have a file that has asterisks (*...

by New Member in

If year, month, day, hour, minute, and second are all different comma separated fields in my data, how do I assign the timestamp for a new sourcetype?

Hi, I am trying to create a new sourcetype in order to get the timestamp right. Year, month, day, hour, minute, s...

by Path Finder in

How to edit my transforms.conf to drop XML event data?

So I looked on the answer for this question and could not find it. (Look at code and sample below.) So the input is f...

by Explorer in

Search count of user logins using lookup table

I have a .csv file that has a list of users I'd like to search against to see how many times they've logged in. The ....

by Influencer in

Report on users who have run queries

Hi, Is there a report that will show me individuals that have run either a scheduled or interactive search? I see ...

by Champion in

How to retrieve current user in splunk?

I want to retrieve a current user in splunk web by run a query. thanks!

by Builder in

How to generate dynamic columns in a table that display the difference in data based on date?

Hi, I am new to splunk so bear with me please. I am trying to display data by each day in a chart and then righ...

by New Member in

Why am I receiving 'maxsearches limit reached' in SPLUNK after adding some alerts?

Yesterday morning SPLUNK was working fine. I added some alerts to it and suddenly it all started going wrong. At one ...

by Path Finder in

How to chart by count, but only if the count is over a given number?

I'm trying to get a graph based on this: timechart span=1h count by src_ip However, I only want to display res...

by New Member in

How to compare a list of unique MAC addresses from one search to filter matching MAC addresses in another search?

Hello everyone, I am currently trying to get a list of mac addresses that can't authenticate within the cisco ise....

by Engager in

Can I delete the first 10 columns from a search?

if I have 20 columns on display in the stats tab view after my search, can I just remove the first 10? Instead of hav...

by Motivator in

Why does Old sourcetype is shown even when it is removed from conf files

I have indexed data for Linux logs. I have created different sourcetypes for it in props.conf. Now I removed the conf...

by Path Finder in

can the 'avg' function take into account blank data points?

Is there a way that splunk can take into account receiving no value as a zero value, and then have the ‘average’ func...

by Motivator in

Latest value to be at midnight yesterday

Hello Splunk, How to precise a value for latest to be equal to midnight yesterday. Example: Today is 9-12-2013 and...

by Builder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Calculating the percentage growth value of a field day to day

Why is dedup not giving me the earliest event?

Is there a way to ignore certain events

How can I display a new calculated total field appended at the end of each event?

How can I edit my stats search to change the output format?

Adding a field extraction causes other fields to disappear

Count of distinct events by multiple values?

For each group of UIDs, how do I edit my search to filter out values from ColumnB that are not present in ColumnA?

What token can I use in a timechart to pass the 'split by' clause in the $host$ token to another view in Simple XML?

How do i create another field based on existing naming convention

How do I create my own field based on events returned from a search?

How do I configure a custom file delimiter

If year, month, day, hour, minute, and second are all different comma separated fields in my data, how do I assign the timestamp for a new sourcetype?

How to edit my transforms.conf to drop XML event data?

Search count of user logins using lookup table

Report on users who have run queries

How to retrieve current user in splunk?

How to generate dynamic columns in a table that display the difference in data based on date?

Why am I receiving 'maxsearches limit reached' in SPLUNK after adding some alerts?

How to chart by count, but only if the count is over a given number?

How to compare a list of unique MAC addresses from one search to filter matching MAC addresses in another search?

Can I delete the first 10 columns from a search?

Why does Old sourcetype is shown even when it is removed from conf files

can the 'avg' function take into account blank data points?

Latest value to be at midnight yesterday

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

In Splunk studio, is it possible to populate a tex...

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

Splunk Search

Are you a member of the Splunk Community?

Discussions