Splunk Search

Discussions

Thread Info

How to search for "DateClosed" entries in a relational database ticket system?

I have a home grown ticket system (relational database). It includes a "DateClosed" field that gets updated (obviousl...

by New Member in

Pivot: distinct values as mvcombine

Hi, I'm trying to convert a dashboard based on internal searches to one using data models. One thing I'm missing i...

by Builder in

Why do I keep getting an error extracting the timestamp from formatted text data?

Hi all, I'm having an issue with timestamp extraction. Trying to extract the timestamp from formatted text, and I...

by Path Finder in

With two data sources Source1 and Source2 , how to identify any Source1 record that does not have a corresponding Source2 record?

Hello, I have two data sources Active Directory (Source 1) and Change Approvals (Source 2). I need to identify any...

by Path Finder in

How to create a drilldown pass the data in the legend of a timechart?

I am relatively new to all things splunk. I am trying to set up a timechart that will pass a value onto another input...

by Path Finder in

Why is the field extraction configured in props.conf not showing on the search head for 2-3 days in my search head cluster?

I have a search head cluster (splunk 6.2) with two search head members (1 captain,1 search head,1 deployer) and one i...

by Engager in

Search query to send alert when a filesystem percentage usage is greater than 90%

Hi- I have the logs below in SPlunk. I wanted to create an alert when the UsePct is gretaer than 90%. Please help ...

by Path Finder in

Why my timechart is giving an additional column called "VALUE" ?

I am using the below query to create a timechart. sourcetype=xxx AND source = "xxxx" | rex "Operation:(?[A-Z]*)" ...

by New Member in

How to edit my search to add extra columns to my chart showing the average and max indexed volume per host?

Hello, I've been using the query provided at http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume to...

by Path Finder in

Why am I getting error "unknown search command index" with my subsearch?

Hello. I have a search that looks for event id's that are the result of a regex: index=app_sec_prod sourcetyp...

by Engager in

How to generate a lookup file with outputlookup in a specific app?

I am using | dbquery to get the lookup details and outputlookup to generate the lookup file, but it always generates ...

by Explorer in

Is there an alternative to subsearch or a way to raise the results limit?

So I finally got my query to work only to find out that subsearch has a limit to 10,000 results! Is there a way to ra...

by Path Finder in

Unable to rex string containing "&"

I am trying to rex a URL string. Here is an example: ManageAccount.do?ACTION=VIEW&id=27271905&acctViewType=transa...

by Path Finder in

Dedup using time range

Hi. I am creating a search and dashboard to display our last ten locked account events. This seems to work well as I ...

by Path Finder in

Why is my appendcols subsearch sorting incorrectly, causing data to display in the wrong rows of the table results?

I have a search as below : index="network_wireless" sourcetype="Wireless_Client_Count*" | rex "(?[^,]*),(?[^,]*...

by Engager in

Suggestions please on how to configure content against a csv updated daily

I'll state my problem first, then some of the posts, apps, and documents I've looked at already.... In AD, we have...

by Builder in

How to write a search to find servers that are not reporting?

On patch night some of my splunk servers are not starting. I can see the ones that are starting with this search ...

by Motivator in

What is the easiest way to get the percentage increase difference between two median values?

This works wonderfully to give me the count and median per server farm, per URL: index=wtf earliest=10/13/2014:10:...

by Explorer in

How to grab the second value of a delimited field with rex?

I have a field of the following form: mysplit=A.B Where A is a string of letters and B is a Number. I'm trying to ...

by Communicator in

How to count multiple events per line

Im trying to count how many events by category per email domain and do a total of events going to each domain. My que...

by Explorer in

How to change stats table format from 1x9 to 3x3?

In each log event, I have 3 fields that keep a record count of the number of rows inserted, updated and deleted. I am...

by Communicator in

how to get a search results in ascending order (time wise). every time its giving in different order..please help me....

*swt* "changed state to" */*/* | rex "(?i) Interface (?P[^,]+)" | rex "(?i)changed state to (?P.+)" | table host, AnI...

by Path Finder in

Is there a limit on the number of events returned from the transaction?

I run this command: index=dccmtdit sourcetype=DCCMT_Log4J_JSON | transaction DpsNum maxevents=-1 It returns: 4...

by Path Finder in

Dynamic column name

Hi, My search is like given below and my column names are source file names. As the source file name consists of dire...

by Builder in

How to edit my search to aggregate values from a single sample rather than all events in the time range?

Hi , I have a scripted input in my app which is polling data every 60 minutes. This data brings a particular field...

by Engager in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to search for "DateClosed" entries in a relational database ticket system?

Pivot: distinct values as mvcombine

Why do I keep getting an error extracting the timestamp from formatted text data?

With two data sources Source1 and Source2 , how to identify any Source1 record that does not have a corresponding Source2 record?

How to create a drilldown pass the data in the legend of a timechart?

Why is the field extraction configured in props.conf not showing on the search head for 2-3 days in my search head cluster?

Search query to send alert when a filesystem percentage usage is greater than 90%

Why my timechart is giving an additional column called "VALUE" ?

How to edit my search to add extra columns to my chart showing the average and max indexed volume per host?

Why am I getting error "unknown search command index" with my subsearch?

How to generate a lookup file with outputlookup in a specific app?

Is there an alternative to subsearch or a way to raise the results limit?

Unable to rex string containing "&"

Dedup using time range

Why is my appendcols subsearch sorting incorrectly, causing data to display in the wrong rows of the table results?

Suggestions please on how to configure content against a csv updated daily

How to write a search to find servers that are not reporting?

What is the easiest way to get the percentage increase difference between two median values?

How to grab the second value of a delimited field with rex?

How to count multiple events per line

How to change stats table format from 1x9 to 3x3?

how to get a search results in ascending order (time wise). every time its giving in different order..please help me....

Is there a limit on the number of events returned from the transaction?

Dynamic column name

How to edit my search to aggregate values from a single sample rather than all events in the time range?

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout

dashboard time token with multiple ealiest/latest ...

Rearrange the stats output.

ITSI thresholds: adaptive vs static

Using Machine Learning Toolkit to detect auth abus...

Proactively stream data to different index after C...