Splunk Search

Discussions

Thread Info

Count Occurrence of string from raw log

I am trying to count occurrences of events from raw logs. Basically, if the log contains the string "MediaFailed", th...

by Explorer in

How do I sum 2 field extractions if only one field extraction exists per log?

Hi So I've used Field Extractions to name 2 different fields in my logs: "dealtCurrency" and "dealtCurrencyDefault...

by Path Finder in

Need help with multiple field extractions

Wanted to know the best way to extract multiple fields along with their associated values. I have a log that I need t...

by New Member in

How to configure transforms.conf and regex to only index lines that do not start with "aa" and send these lines to an index called "AAA"?

Hi, I have a file which has a data in which many lines are starting with "aa", so I don't want to index all the li...

by Contributor in

Extract Multiple Fields with Regex

I would like to extract fields in the response field dynamically by using "<_KEY_1" "<_VAL_1>" in transforms.conf ...

by Explorer in

Why Hunk's field extractor behaves differently in Smart Mode vs Fast Mode?

My data files are in Avro, and I have a props.conf that looks like [source::/logs/...] sourcetype = api [api] KV_...

by Path Finder in

Is there anyway to modify a field name automatically at search time configuring props.conf and transforms.conf?

Is there anyway I can modify a field name at search time ? I have a field "client__phone" (with double underscores...

by Explorer in

How to chart when using multiple matches

I have a search which matches multiple values and produces two events as a list. I'd like to basically make it so tha...

by Engager in

Extract the fields from JSON in search time and write a search

_raw = {"studentsmarks":{"subject":"science","university":"university1","examdate":"10-12-14"},"students":[{"college"...

by Motivator in

how to do group by daily percentage

Can you please tell me, how to do daily percentage, here is the overall percentage query, index="idxweblog" source...

by Builder in

_internal DB takes up a lot of space (~200 gb)

Hello, We have an installation of Splunk with a third party Splunk app which reads W3C log files. This is the thir...

by Engager in

How to get proper _time extraction for 2 different date formats in a single sourcetype?

I have a SPLUNK 6.2 instance ingesting data with the following 2 date formats using a single sourcetype. 01/12/14,...

by Path Finder in

How to eliminate zero values

I am executing the following search query: eventtype="some_error"| timechart span=1h count(eventtype) The result s...

by Explorer in

Selecting which fields to plot based on subsearch

Hi, I am trying to create a timechart which data would be based on a subsearch. Here is what I have so far : inde...

by Engager in

How to pass the value returned from a subsearch to "earliest" in the main search?

Hi, I want to pass the return value of a subsearch to "earliest" in a search. What is the correct way to do it? W...

by Explorer in

Join behaving weird

The two queries I believe are similar but still i get very different number of results. I have changed the subsearch ...

by New Member in

How to add values of multiple variable, where the number of variable differs in different events

i have a field in my log as "BookCount 10 /BookCount" if a Library pass contains more than one members then the field...

by Communicator in

About Lookup Table (outputlookup)

ルックアップテーブルについて質問です。 outputlookup関数の引数において<tablename>がありますが、この場合「テーブルに書き込む」とのことですが、どこに持ちますでしょうか。 <filename>の場合は.csv...

by Explorer in

What is the best way to solve this key pair field value issue?

I have a data set with multiple key pair field values that start with the same key name. Data source is W...

by Communicator in

which ports to open for ufw?

Hi, I am installing a ufw in a firewalled environment and need to open some ports. Is this correct? For deploym...

by Champion in

How to write a search to compare and find the difference between monthly results over a period of time?

We have the below splunk query to get the availability report. How to compare monthly availability results? Example: ...

by Builder in

Joining logs on a field

I have several log messages that are joined by a single field, id - each of the messages will include that field. Wha...

by New Member in

Dynamic field extraction with multiple values; Cisco ISE Posture checks

From our Cisco ISE we get Posture report events, each event can have multiple PostureReports. PostureReport=Encas...

by Builder in

How to get top 10 users with their avg & stdev response time and group the rest of the users as OTHER value?

I need the count, average response time, and stdev response time for top 10 users. I also want to group the rest of u...

by New Member in

How use a not local csv file as lookup ?

Hi, I use a csv file as a lookup in a search command like this : sourcetype="airmantool" | rex ".\s(?[A-Z]+)\s+...

by New Member in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Count Occurrence of string from raw log

How do I sum 2 field extractions if only one field extraction exists per log?

Need help with multiple field extractions

How to configure transforms.conf and regex to only index lines that do not start with "aa" and send these lines to an index called "AAA"?

Extract Multiple Fields with Regex

Why Hunk's field extractor behaves differently in Smart Mode vs Fast Mode?

Is there anyway to modify a field name automatically at search time configuring props.conf and transforms.conf?

How to chart when using multiple matches

Extract the fields from JSON in search time and write a search

how to do group by daily percentage

_internal DB takes up a lot of space (~200 gb)

How to get proper _time extraction for 2 different date formats in a single sourcetype?

How to eliminate zero values

Selecting which fields to plot based on subsearch

How to pass the value returned from a subsearch to "earliest" in the main search?

Join behaving weird

How to add values of multiple variable, where the number of variable differs in different events

About Lookup Table (outputlookup)

What is the best way to solve this key pair field value issue?

which ports to open for ufw?

How to write a search to compare and find the difference between monthly results over a period of time?

Joining logs on a field

Dynamic field extraction with multiple values; Cisco ISE Posture checks

How to get top 10 users with their avg & stdev response time and group the rest of the users as OTHER value?

How use a not local csv file as lookup ?

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Index This | I am a number but I am countless. What am I?

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

breaking multiple mv fields into single events bas...

ITSI thresholds: adaptive vs static

Using Machine Learning Toolkit to detect auth abus...

Proactively stream data to different index after C...

Write Splunk log with Laminas