Splunk Search

Discussions

Thread Info

Search Query Assistance - break data into table.

I am working on a search that will take a massive list of user groups and table the servers under such group. An exa...

by Engager in

outputlookup timechart followed by inputlookup timechart

Let's say that I do an outputlookup after a timechart command. Now I have a csv file that should be formatted for the...

by Motivator in

Is there an opposite to dedup?

Basically I have a field "Name" and I want to keep all events with duplicate "Name"s. So exactly the opposite of dedu...

by Path Finder in

regex (Invalid regex: no named extraction at position 5 )

I have problem with saving regex for extracting class name Here is my regex (?i)\[([0-9a-zA-Z\.\s\-]*(\[[0-9]*\])?[0-...

by Explorer in

Lookup with fieldname as a value instead of column-header

Hi guys I have a CSV file with following structure: +--------+-----------+------------+ | DEV_ID | attr_name | ...

by Communicator in

Is it possible to set field name and value with rex? (Similar to $1::$2 in transforms.conf)

Is it possible to set field name and value with rex - or some other command - on the search bar? I have a large X...

by Motivator in

table operation is showing only top record

I have a bash script which list the Application name and its version as follows in a file which is indexed by Splunk ...

by New Member in

Transactions using different identifying fields

Attached is some data that you should be able to use to reproduce what I am trying to achieve. Events.csv – extrac...

by Contributor in

how can i see more fields after counting by another field ?

Hi , I have this query : sourcetype= Filed=X [search sourcetype= Filed=X | iplocation IPAddress | stats dc(Country) ...

by Path Finder in

How do I use the map search in django?

{%searchmanager id="test" search='eventcount summarize=false index=$input_index$ | fields index | map search="|metada...

by New Member in

How to use lookup with wildcards to filter events

Hello, I have two log sources (AD logs and approval logs) which I am performing a correlation on (via a join). Eac...

by Path Finder in

Is there an app to perform text mining searches, adhoc and based on lookup criteria/table, with the ability to export the results in Excel?

I am looking for a tool to perform text mining searches, adhoc and based on lookup criteria/table, and the ability to...

by Path Finder in

How to display the entire string when it has something like Foo=123|456 ?

I am logging something like: Foo=123|456 When I query Splunk to get me Foo, it only prints 123 and it ignores |456. ...

by Engager in

combine table results

I'm sorry, I am not even sure how to ask this question or whether the subject line really explains what I am after. ...

by Builder in

Search and Alert Question: Summarize found events, set threshold, alert only on new events.

So my question is based on something I am trying to do, but my splunk-foo is not powerful enough to figure this out! ...

by Explorer in

How to get a timechart to display data for the entire selected time range including 0 data points?

I am doing a search in Splunk over a time period (from Jan 25th to present). I expect that no data be present on Janu...

by Explorer in

Is it possible to join on one OR another field with a single join command?

I have two sets of data that I'm trying to join. Both data sets have a field for SystemMessageId value, but in the se...

by Builder in

lose one event if another one exists using dedup

Hi Guys I am trying to automatically create a lookup table based on results from searches, part of the search will...

by Path Finder in

How to disable real-time searches that run when logging in to Splunk: '| metadata type=sourcetypes | search totalCount > 0'

I want to disable these searches that run automatically when a user is in the search view or launcher view.

by Champion in

How to concatenate a string with a value containing special characters?

Hello Everyone, I have a file containing Account ="xxx/\xxx/\xxx/\xx" value and this needs to be concatenated with...

by Path Finder in

Using subsearches to get highest value

Hello, I have a search that tables certain values from my data fields, although i wish to create a new field on all e...

by Builder in

How to convert earliest and latest into String values?

I would like to convert a earliest and latest time and concatenate in a string value, so I could have that in my Dash...

by Path Finder in

Splunk objects configuration management/CMDB

Hello, I am looking for a solution to manage my splunk objects (searches, event type, macros, lookups, etc). There ar...

by Engager in

When searching for status errors, how to remove the most frequent error from results to properly display the others in a visualization?

I'm creating dashboards for the error status. We currently have 3 different statuses (200,404, and 0). The '200' stat...

by SplunkTrust in

Is it possible to pass variables in props.conf with my current configuration?

I was wondering if it was possible to write a props.conf something similar to the following: props: [sourcetype...

by Contributor in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Search Query Assistance - break data into table.

outputlookup timechart followed by inputlookup timechart

Is there an opposite to dedup?

regex (Invalid regex: no named extraction at position 5 )

Lookup with fieldname as a value instead of column-header

Is it possible to set field name and value with rex? (Similar to $1::$2 in transforms.conf)

table operation is showing only top record

Transactions using different identifying fields

how can i see more fields after counting by another field ?

How do I use the map search in django?

How to use lookup with wildcards to filter events

Is there an app to perform text mining searches, adhoc and based on lookup criteria/table, with the ability to export the results in Excel?

How to display the entire string when it has something like Foo=123|456 ?

combine table results

Search and Alert Question: Summarize found events, set threshold, alert only on new events.

How to get a timechart to display data for the entire selected time range including 0 data points?

Is it possible to join on one OR another field with a single join command?

lose one event if another one exists using dedup

How to disable real-time searches that run when logging in to Splunk: '| metadata type=sourcetypes | search totalCount > 0'

How to concatenate a string with a value containing special characters?

Using subsearches to get highest value

How to convert earliest and latest into String values?

Splunk objects configuration management/CMDB

When searching for status errors, how to remove the most frequent error from results to properly display the others in a visualization?

Is it possible to pass variables in props.conf with my current configuration?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

In Splunk studio, is it possible to populate a tex...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions