Splunk Search

Discussions

Thread Info

Help with RegEX

Hello to all.. I am attempting (partially succesfully so far) to extract some text. The problem I am having is tha...

by Communicator in

Reordering columns not working through API

I want to reorder my columns. I tried both table and fields, and they seemed to work through the web UI, but when I t...

by New Member in

Question regarding join

Beginner here, I'm trying to do the following in one query 1) Get all unique users and the count of users 2) Using ...

by Path Finder in

Round a stats count with K abbreviation

I have a field, Count, which is adding up to several thousand. I don't care that it is 74,743, though. I just want to...

by Path Finder in

Search to group by Country, City having count sorted for Country and City

Hello, I try to create stats to have all countries and cities that communicate with my servers. I made this sea...

by Path Finder in

Regex for matching service path

Hello, I want to exclude all the WinEventLogs for service C:\Windows\System32\svchost.exe which doesnt contain the...

by Path Finder in

How to pass a variable to timechart span

Hi, I'm trying to determine the span parameter for timechart dynamically, but I can't find a way to get it to work...

by Path Finder in

Mutiple subsearches

How does splunk work with multiple sub-searches? If I want to have two sub-searches which one is evaluated first? Is ...

by Communicator in

Using lookups to categorize field values into certain categories, how do I prepare for a field value that is not in the lookup?

I am thinking of using lookups for categorizing field values into certain categories, as below. Using lookups is prob...

by Motivator in

How to edit my search to graph a list of values with different colored bars or lines?

Hello Guys, I am new to Splunk so please bear with me. I am having an issue and couldn't find any resolution yet. ...

by New Member in

How to extract key value pairs where each value has non-standard "quoters" (ex: foo='bar', dog='cat')?

Hi, To make a long story short i have some logs that are key value pairs, like so: foo="bar" dog="cat" frog="bat" ...

by Explorer in

Unable to determine why an inline regex using rex works, but not when configured as a field extraction.

I am trying to track email sending logs, using information that we adjust in the message_id while sending a message. ...

by Explorer in

How to use rex to extract a field that starts with another field value?

Hi. I'd like to rex a field that starts with another field value. EX: ****Data UA=Mozilla/5.0 (Linux; And...

by Communicator in

REGEX extract field at certain position

I am attempting to extract fields from a file which was created to be human readable, so it has fields aligned at cer...

by Explorer in

Why am I able to return a list of fields with the fields command in a search, but not with the table command?

Any ideas around this? When I use the fields command in this search: some search | fields Activity1, Activity2... ...

by Communicator in

what is the difference between "... | timechart count by host" and "... | timechart span=1d count by host" ?

The two queries: search sourcetype="access*" host="www*" | timechart count by host and search sourcetype="access*" ho...

by Explorer in

After upgrading to Splunk 6.2.2, when I create a new lookup definition, why can't I select it in the automatic lookup menu?

Hi, after updating to 6.2.2 I tried to set up a new automatic lookup. I've created the lookup definition, but I ca...

by Motivator in

How to configure props and transforms with the proper regex to capture and assign hosts from a TCP data stream?

Hi, I have a tcp data stream that has embedded hosts that I need to transform, and I'm hoping to get some regex he...

by Champion in

Valid iseval macro doesn't expand when used in "span="

Hi, I have defined a macro that returns an amount of seconds with "s" appended to it, based on a start and end tim...

by Path Finder in

How do I chart a single field using a django binding

I have splunk monitoring on a network port, a remote application logs an ASCII number to that port. How do I create a...

by New Member in

How do I search for changes in group membership data over time?

I am collecting group membership data daily into Splunk and I need to know how to search for changes that occur over ...

by Engager in

How to write a search to audit when an eventtype is changed?

Can anyone recommend a search to audit when an eventtype definition is changed?

by Path Finder in

Scaling y axis to +/- 5 of data set?

Displaying outside temperature with timechart. The graph show 0~100, but my entire data set is 70~90. Is there a way ...

by Path Finder in

Distinct count a field only when other field meets certain criteria

Now I have a table like below. ID, Result, SerNum, Place 1, success, AAAAA, XXXXX 2, success, BBBBB, YYYYY 3, fail...

by Explorer in

Search Heads complain about " Archiver - Archiving large_file". Should I have mounted bundles in search head clustering or not?

Just moved to a new 6.2.2 Search Head Cluster (SHC) from a Search Head Pool (SHP) which had mounted bundles enabled. ...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Help with RegEX

Reordering columns not working through API

Question regarding join

Round a stats count with K abbreviation

Search to group by Country, City having count sorted for Country and City

Regex for matching service path

How to pass a variable to timechart span

Mutiple subsearches

Using lookups to categorize field values into certain categories, how do I prepare for a field value that is not in the lookup?

How to edit my search to graph a list of values with different colored bars or lines?

How to extract key value pairs where each value has non-standard "quoters" (ex: foo='bar', dog='cat')?

Unable to determine why an inline regex using rex works, but not when configured as a field extraction.

How to use rex to extract a field that starts with another field value?

REGEX extract field at certain position

Why am I able to return a list of fields with the fields command in a search, but not with the table command?

what is the difference between "... | timechart count by host" and "... | timechart span=1d count by host" ?

After upgrading to Splunk 6.2.2, when I create a new lookup definition, why can't I select it in the automatic lookup menu?

How to configure props and transforms with the proper regex to capture and assign hosts from a TCP data stream?

Valid iseval macro doesn't expand when used in "span="

How do I chart a single field using a django binding

How do I search for changes in group membership data over time?

How to write a search to audit when an eventtype is changed?

Scaling y axis to +/- 5 of data set?

Distinct count a field only when other field meets certain criteria

Search Heads complain about " Archiver - Archiving large_file". Should I have mounted bundles in search head clustering or not?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!