Splunk Search

Community Activity

Add and remove text from a field at extraction time Hi, Is there a way to add text to a field that matches a specific pattern? Example: log: 2014-09-12 13:40:12,359 ... by splunkmasterfle Path Finder in Splunk Search 09-12-2014 0 4	0	4
Routing to null queue in a cluster not working I have a number of Snort sensors that are sending syslog events to a Splunk forwarder. That forwarder in turn forwar... by responsys_cm Builder in Splunk Search 09-12-2014 0 2	0	2
Escaping Underscore inside "like" All, I'm trying to write a search that does something like the following: [some search] \| eval option=case(like(fie... by bruceclarke Contributor in Splunk Search 09-12-2014 0 2	0	2
Multivalue Chart I have to write a time chart in a day how many different event value happened. [- logToABTest() response ABTestLog ... by rahulbhatt04 Engager in Splunk Search 09-12-2014 1 1	1	1
Problems filtering results using lookup field I have an automatic lookup that works ok but when I try to filter results by selecting a field that comes from the lo... by ruiaires Path Finder in Splunk Search 09-12-2014 1 2	1	2
How to write regex for field extraction to match two log entries? Folks, I have the following REGEX: (?:[^:\n]*:){4}\d+\.\d+\w+,(?P<ComponentName>[^,]+),(?P<EventCode>[^,]+),(?P<Mess... by gartnerj Explorer in Splunk Search 09-12-2014 1 8	1	8
How to add the results of a chart? source=XXXXX \| lookup customer_journey.csv "Page Name" as "Page Name" output "Customer Journey Name" as Transaction "... by realajay89 Explorer in Splunk Search 09-12-2014 1 13	1	13
Can I insert or update a table from a search in Splunk with DB Connect? Can I INSERT or UPDATE a table from a search in Splunk with DB Connect? by pedromvieira Communicator in Splunk Search 09-11-2014 0 1	0	1
How to show XX lines per sourcetype per host Hi, I want to look at the format for a number of hosts that are using the same sourcetype (I suspect that the format... by a212830 Champion in Splunk Search 09-11-2014 0 6	0	6
ODBC - How to pass parameter to a Saved Search Query Is there a way to pass parameter to a saved search from an ODBC connection in Excel? (since only saved searches can ... by Noorzaie Explorer in Splunk Search 09-11-2014 0 3	0	3
How to write regex to extract my fields at search-time? Hi, I have these entries in the log. I am trying to extract fields FINISHED and ERROR_RUNNING for this. But I am abl... by gudavasr Path Finder in Splunk Search 09-11-2014 0 7	0	7
Tabled _time - Find differences between each event I have a tabled results of _time. Each one is an event and I want to find a difference for each event and have the va... by ben_leung Builder in Splunk Search 09-11-2014 1 3	1	3
Epoch Search String Multiply Hello! Can anyone please help me with this Search-String? I have an Epoch Data inside my query like this: **index=m... by vtsguerrero Contributor in Splunk Search 09-11-2014 0 3	0	3
How to search the number of distinct users by index over the past 3 months? I am in need of a search that will display the number of Distinct users by index over the past 3 months. I have creat... by tcalhoon Explorer in Splunk Search 09-11-2014 0 3	0	3
Is there a function to get the week day from any given epoch time? I know how to get the week day from raw events, the week day is stored in the field date_wday. However, I wonder if t... by manus Communicator in Splunk Search 09-11-2014 2 2	2	2
Why are graphs not representative of counts from my search? How to join main and subsearch to compare results? I have the main search returning results appropriately in the "Events" tab however, visualization returns incorrect g... by lbogle Contributor in Splunk Search 09-10-2014 0 2	0	2
Is there a way to reverse comparison order of week over week results using timewrap? I am using timewrap to return week over week results. I need to be able to change the order of comparison from week1,... by DaveAsh Engager in Splunk Search 09-10-2014 0 3	0	3
Is it possible to have a search string so long that it can't be parsed in Splunk 6.0 or higher? Is this still a possibility with Splunk 6.0 and higher? "The search process can't parse the search string. In the se... by rroberts Splunk Employee in Splunk Search 09-10-2014 2 3	2	3
Eval usage limit? Is there a limit to the number of eval functions that can be used in a single search? It appears that using more than... by kmattern Builder in Splunk Search 09-10-2014 0 7	0	7
Minimum free disk space reached for /opt/splunk/var/run/dispatch I am receiving the following message in Splunk 6.01 "Minimum free disk space reached (5000MB) for /opt/splunk/var/run... by splunkingsplun1 Explorer in Splunk Search 09-10-2014 1 4	1	4
Merge fields and magic happens Looking for a simple approach to combine two fields into one. Ref: ES / Audit / Incident Review Audit There is no r... by dcasey Engager in Splunk Search 09-10-2014 0 4	0	4
Why does a join of a search and subsearch on _time with matching values fail? I tried to join a search and subsearch on _time with the join command, but this failed, even though the resulting tim... by manus Communicator in Splunk Search 09-10-2014 1 4	1	4
How to calculate page bounce rate as a single value percentage? I'm trying to display bounce rate as a single value percent. Does anyone have any idea on how I can do it? As of of,... by ashnet16 Path Finder in Splunk Search 09-10-2014 0 1	0	1
How to format timechart table data? I have a query similar to index=beacon BeaconType=pageview \| timechart span="1d" count by Country giving ... by ewanbrown Path Finder in Splunk Search 09-10-2014 0 2	0	2
Why does props.conf stanza with the full path name extract fields from the source, but not with my regex? I have created source stanza and tried to extract fields within the source. The path of the source is : C:\Users\xb... by Mubarish Path Finder in Splunk Search 09-10-2014 1 5	1	5