Splunk Search

Ask a Question

Discussions

Thread Info

Inline Variable Definitions and Expansions With Eval

Hiya, I swear I knew how to do this without macros, which seem like overkill, but I've lost it. Here's a simple ex...

by Path Finder in

Classify results into a defined group

I need to group results and give it another name as a result. For example, I have the following fruits and the num...

by Explorer in

Useing Transaction To Track VPN Open Sessions

I am tracking open session VPN activity VPN activity can be over long periods of time. I am traking the user activ...

by Motivator in

How to augment |top output with additional searches/results?

I'd like to combine/add/include the results of a search to each item of a top 10 search for data like: msg="error ...

by New Member in

Left Join not Returning all Results on Right Side

Ok, y'all, I'm completely flummoxed. Simplified: I have two sourcetypes ("a" and "b"). Each sourcetype has 500,000...

by Explorer in

How to shift a timechart's bucket span=1d to start at a point other than 12AM?

Hi, I want to use Timechart to track daily use, but sometimes the daily data won't arrive until 12 AM (time to compil...

by Path Finder in

Create multivalue field from single number

For a simple example of the concept, let's consider Linux file permissions encoding of read, write and execute into a...

by Motivator in

How to edit my search to get a tabular report for the last 30 days?

I am trying to create a report table like the following: Exception Name 1Jan 2Jan 3 Jan ....30Jan Exception 1 100 ...

by Explorer in

Count Occurrence of string from raw log

I am trying to count occurrences of events from raw logs. Basically, if the log contains the string "MediaFailed", th...

by Explorer in

How do I sum 2 field extractions if only one field extraction exists per log?

Hi So I've used Field Extractions to name 2 different fields in my logs: "dealtCurrency" and "dealtCurrencyDefault...

by Path Finder in

Need help with multiple field extractions

Wanted to know the best way to extract multiple fields along with their associated values. I have a log that I need t...

by New Member in

How to configure transforms.conf and regex to only index lines that do not start with "aa" and send these lines to an index called "AAA"?

Hi, I have a file which has a data in which many lines are starting with "aa", so I don't want to index all the li...

by Contributor in

Extract Multiple Fields with Regex

I would like to extract fields in the response field dynamically by using "<_KEY_1" "<_VAL_1>" in transforms.conf ...

by Explorer in

Why Hunk's field extractor behaves differently in Smart Mode vs Fast Mode?

My data files are in Avro, and I have a props.conf that looks like [source::/logs/...] sourcetype = api [api] KV_...

by Path Finder in

Is there anyway to modify a field name automatically at search time configuring props.conf and transforms.conf?

Is there anyway I can modify a field name at search time ? I have a field "client__phone" (with double underscores...

by Explorer in

How to chart when using multiple matches

I have a search which matches multiple values and produces two events as a list. I'd like to basically make it so tha...

by Engager in

Extract the fields from JSON in search time and write a search

_raw = {"studentsmarks":{"subject":"science","university":"university1","examdate":"10-12-14"},"students":[{"college"...

by Motivator in

how to do group by daily percentage

Can you please tell me, how to do daily percentage, here is the overall percentage query, index="idxweblog" source...

by Builder in

_internal DB takes up a lot of space (~200 gb)

Hello, We have an installation of Splunk with a third party Splunk app which reads W3C log files. This is the thir...

by Engager in

How to get proper _time extraction for 2 different date formats in a single sourcetype?

I have a SPLUNK 6.2 instance ingesting data with the following 2 date formats using a single sourcetype. 01/12/14,...

by Path Finder in

How to eliminate zero values

I am executing the following search query: eventtype="some_error"| timechart span=1h count(eventtype) The result s...

by Explorer in

Selecting which fields to plot based on subsearch

Hi, I am trying to create a timechart which data would be based on a subsearch. Here is what I have so far : inde...

by Engager in

How to pass the value returned from a subsearch to "earliest" in the main search?

Hi, I want to pass the return value of a subsearch to "earliest" in a search. What is the correct way to do it? W...

by Explorer in

Join behaving weird

The two queries I believe are similar but still i get very different number of results. I have changed the subsearch ...

by New Member in

How to add values of multiple variable, where the number of variable differs in different events

i have a field in my log as "BookCount 10 /BookCount" if a Library pass contains more than one members then the field...

by Communicator in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Inline Variable Definitions and Expansions With Eval

Classify results into a defined group

Useing Transaction To Track VPN Open Sessions

How to augment |top output with additional searches/results?

Left Join not Returning all Results on Right Side

How to shift a timechart's bucket span=1d to start at a point other than 12AM?

Create multivalue field from single number

How to edit my search to get a tabular report for the last 30 days?

Count Occurrence of string from raw log

How do I sum 2 field extractions if only one field extraction exists per log?

Need help with multiple field extractions

How to configure transforms.conf and regex to only index lines that do not start with "aa" and send these lines to an index called "AAA"?

Extract Multiple Fields with Regex

Why Hunk's field extractor behaves differently in Smart Mode vs Fast Mode?

Is there anyway to modify a field name automatically at search time configuring props.conf and transforms.conf?

How to chart when using multiple matches

Extract the fields from JSON in search time and write a search

how to do group by daily percentage

_internal DB takes up a lot of space (~200 gb)

How to get proper _time extraction for 2 different date formats in a single sourcetype?

How to eliminate zero values

Selecting which fields to plot based on subsearch

How to pass the value returned from a subsearch to "earliest" in the main search?

Join behaving weird

How to add values of multiple variable, where the number of variable differs in different events

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

MLTK - What algorithm should I use?

How to show the line when its value is NULL with ...

Search for triggered save searches and their actio...

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions