Splunk Search

Start a Conversation

Discussions

Start a Conversation

Thread Info

Why do I only see 10 results/columns in my count table?

When I run this search - source="*conn.log" | rex field=_raw "\.IP = '(?<connectionIp>[^']+)" | fields host, conne...

by Splunk Employee in

How do I report on message volume over time

We are attempting to create a report that compares message traffic for the past two complete weeks. We have this ...

by Splunk Employee in

Managing Eventtypes and Tags

Any recommended best practices for managing eventtypes and their corresponding tags? I've found the Splunk Common ...

by Path Finder in

"Invalid Regex: no named extraction" in the interactive field extractor

What is wrong with this regex? (?P<AUTH_PIN_TYPE>[^ ]+)( [^ ]+){2}$ The interactive field extractor gives this...

by Path Finder in

How do I refer to the first, nth or last value of a multivalue field?

I am using the transaction command to sessionize web access log events and therefore have made referer, uri etc. into...

by Explorer in

How do I group and identify a set of events based on a time range?

Let say I have events coming in everyday and I want to group the events as Monday's events, Tuesday's events, and so ...

by Splunk Employee in

How to best determine IP range membership?

Use Case: Find Juniper firewall events where the source/destination IP (Src_Zone/Dst_Zone) does or does not belong in...

by Splunk Employee in

Can the transaction command be used to group events where different fields have the same value?

Use Case: Correlate logon events from a Windows desktop to events on the domain controller. Sample (shortened) eve...

by Splunk Employee in

Can I alert when the value of a field changes?

I've got an application that logs status events. The values in these events generally will not change. Is there a sea...

by Splunk Employee in

Error on using eval in a subsearch

What is wrong with the way I'm using eval here? source="/some.audit.log" "End" "/foo/baz" | rex field=_raw "(?P<Re...

by Path Finder in

How do I search for a single specific event?

Sometimes I come across an event in my index that I'd like to refer to later, either as part of an investigation or t...

by Contributor in

I know the data is in the index, why didn't my scheduled search find all of the events?

I have a saved seach setup to check every minute for file changes. I have the start time set for [-1m] to search back...

by Splunk Employee in

suppressing adjacent events with duplicate field values

I have a log which often has redundant events, where "redundant" is defined as 2+ events, on subsequent lines, where ...

by Contributor in

Will having lots of extracted fields increase my index size?

I need to understand how adding fields to raw data will increase our index size growth. We are in the process of addi...

by Splunk Employee in

How do I share all of the field extractions defined in a given app with all other apps?

I need to share all of the field extractions in my app with all of the other apps on the system. What is the most eff...

by Splunk Employee in

What is the format of the Sources.data file?

$SPLUNK_HOME/var/lib/splunk/defaultdb/db/Sources.data On a fresh install I see this file has something like this:...

by Splunk Employee in

Feature Request: troubleshooting/debugging for field extraction config files

[UPDATE: from the answer below, it sounds like what I'm looking for is not supported in the product today. I'm tackin...

by Contributor in

how to filter only desired fields from fetched events?

In SQL-speak, "how to specify the columns in SELECT clause"? Normally, Splunk does the equivalent of SELECT *, which ...

by Splunk Employee in

Finalize action for searchscript?

I wrote a search operator that takes actions external to splunk. It has to take an action to 'complete' its operation...

by Splunk Employee in

how to tell if I have multiline events?

Because wc -l of the input doesn't match my event count, and I'm trying to troubleshoot.

by Splunk Employee in

Splunk Search

Discussions

Why do I only see 10 results/columns in my count table?

How do I report on message volume over time

Managing Eventtypes and Tags

"Invalid Regex: no named extraction" in the interactive field extractor

How do I refer to the first, nth or last value of a multivalue field?

How do I group and identify a set of events based on a time range?

How to best determine IP range membership?

Can the transaction command be used to group events where different fields have the same value?

Can I alert when the value of a field changes?

Error on using eval in a subsearch

How do I search for a single specific event?

I know the data is in the index, why didn't my scheduled search find all of the events?

suppressing adjacent events with duplicate field values

Will having lots of extracted fields increase my index size?

How do I share all of the field extractions defined in a given app with all other apps?

What is the format of the Sources.data file?

Feature Request: troubleshooting/debugging for field extraction config files

how to filter only desired fields from fetched events?

Finalize action for searchscript?

how to tell if I have multiline events?

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Full Details! >

variable passed into subsequent search

how to make a search for two or more source file w...

How to check macro using sourcetype

SEDCMD to remove text

Fields with '=' as value stored in summary index a...

Splunk Search

Discussions

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey.Earn $50 in Amazon cash! Full Details! >

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Full Details! >