Splunk Search

Discussions

Thread Info

How to edit my search to get unique values based on JobName or jobid?

Hi I am displaying a table which shows: table JobName, jobid, start, end ,diff using the following search...

by Communicator in

How to write a search to track the time when service assignment changes between multiple hosts?

We have a system where, when a service name (a unique service name referenced by service=service_N where N=1 to 20) d...

by New Member in

How to add values from search to subsearch results?

I am looking for some help with a search. Below is an alert that runs every hour. It looks for some stuff in a index ...

by New Member in

Is there a way to find out the location of a given macro in a search head clustering environment?

I am new to a search head clustering environment. I found macros being used and I am trying to find out where these m...

by Explorer in

Mapping fields and values using regex and transforms.conf

I have a very ugly log file that I need to run a regex against and have it match as many times as possible to map the...

by Communicator in

Would creating fields at index-time improve search optimization for a 15 month dataset?

I've read the docs in the splunk manual on parse-time indexed fields. http://docs.splunk.com/Documentation/Splunk/6.1...

by Explorer in

How to make a Splunk table visualization more interactive?

Hi, We are thinking of using Splunk to display data from many sources in a table view. I searched a lot and did...

by Explorer in

How to extract the _time value into a separate field?

I have one index of iis logs which extracts the timestamp into a "timestamp" field. I have another index which reads ...

by Path Finder in

Is there a search to delete logs completely from an indexer after 3 months in an indexer clustering environment?

I have an indexer cluster environment and need to delete the logs completely from the indexer: source=* sourcetype...

by Explorer in

My eval statement works in the Search App, but why does it not work when it is created via Settings, Fields, Calculated Field or via props.conf?

I'm able to create the following calculated field in the Search app. .... | eval KCQueueDuration = (strptime(KCQSt...

by Explorer in

Has anyone created a scheduled search that notifies you if an app/add-on installed on search peers has an updated version on Splunkbase?

Running a distributed environment, and certain servers of mine have internet access, but my deployment server and sea...

by Communicator in

Search where hosts have an unrelated sourcetype

I was refining an existing search/dashboard panel when I discovered that my hosts do not reliably follow a pattern. W...

by Engager in

How do I return only 5 ACCOUNT_IDs from my "chart list(ACCOUNT_ID) by script" search?

chart list(ACCOUNT_ID) by script I am getting a chart with script and list of ACCOUNT_ID. I want only 5 ACCOUNT...

by Engager in

How do I get an automatic lookup to populate a table, even if there are null values in the event logs for the matching field?

Hello - This is my first time asking a question here. I receive a lot of answers by reading others' questions (thank ...

by Path Finder in

Is there a way to use a wildcard in field names when running a search? (ex: field*_name=X for field1_name, field2_name, etc)

I have csv data indexed in Splunk. The fields are unique, but have some patterns: As an example, the following fir...

by Explorer in

When using the MAP and TAIL commands in my search, why do events not match the statistics table?

When I run the MAP search below, the events that I get back do not match the ones used to generate the statistics tab...

by Path Finder in

How do I bring results from my subsearch into my outer search's table? (Subsearch in outer search of join.)

Looked at join and append. Tried both, couldn't get them working. I need your eyes to help me here! This is my cur...

by Builder in

How to extract the start and end date/time from my sample data, then calculate the duration of a job?

Hi I have to extract start date, end date, and the duration of a job based on the following two events: Starte...

by Communicator in

Splunk forwarder to add custom fields for multiple logs

I have to setup Splunk for 100 servers, each server will have 5-10 JVMs, Each JVM generates 3-4 log files. I would li...

by New Member in

Why is a field extracted with rex always empty in a table?

I have two log statements: daily.cron run at startTime daily.cron complete at endTime. I am trying to extract t...

by New Member in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to edit my search to get unique values based on JobName or jobid?

How to write a search to track the time when service assignment changes between multiple hosts?

How to add values from search to subsearch results?

Is there a way to find out the location of a given macro in a search head clustering environment?

Mapping fields and values using regex and transforms.conf

Would creating fields at index-time improve search optimization for a 15 month dataset?

How to make a Splunk table visualization more interactive?

How to extract the _time value into a separate field?

Is there a search to delete logs completely from an indexer after 3 months in an indexer clustering environment?

My eval statement works in the Search App, but why does it not work when it is created via Settings, Fields, Calculated Field or via props.conf?

Has anyone created a scheduled search that notifies you if an app/add-on installed on search peers has an updated version on Splunkbase?

Search where hosts have an unrelated sourcetype

How do I return only 5 ACCOUNT_IDs from my "chart list(ACCOUNT_ID) by script" search?

How do I get an automatic lookup to populate a table, even if there are null values in the event logs for the matching field?

Is there a way to use a wildcard in field names when running a search? (ex: field*_name=X for field1_name, field2_name, etc)

When using the MAP and TAIL commands in my search, why do events not match the statistics table?

How do I bring results from my subsearch into my outer search's table? (Subsearch in outer search of join.)

How to extract the start and end date/time from my sample data, then calculate the duration of a job?

Splunk forwarder to add custom fields for multiple logs

Why is a field extracted with rex always empty in a table?

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

New Customer Testimonials

Combine two searches on different sources based on...

Use the lookup table into a macro with parameters

How to configure alert when a service is in failed...

how to identify '\n' in Splunk rex

How to combine results of inputlookup and a search...