Splunk Search

Discussions

Thread Info

How to return associated fields based on stats command

I'm trying to return the associated fields based on a stats command. My stats command determines the minimum field va...

by Explorer in

How to write the regex in my search to extract first part of uri path in access logs?

Below is the string I need to extract ROM_RAMESH from and similarly there are multiple client info so I need a regula...

by Path Finder in

What is the regex for a comma followed by a character as a field delimiter, but a comma followed by blank space is not?

I have the following excerpt of exchange logs. There are more fields before and after this excerpt. ,awells@atcorp...

by Explorer in

Splunk DB Connect: How to log results of dbquery?

I've connected to an MS SQL database using DB Connect and have a query running that successfully extracts table data....

by Explorer in

Restricting users from search

We have a situation where we need to restrict users to be able to search during a specific period of time. Removing s...

by Influencer in

Regex for field extraction

I am having a source file with the two below mentioned format. However I need to extract a same field but whose posit...

by Communicator in

If an event with "removed" appears, how to exclude all other events with the same ID from search results?

The events look like this: DATE=2015-01-19;TIME=10:34:20;STATUS=INFO;ID=57689;JOB=;ACTION=updateCounter;REASON=No...

by New Member in

Can we use eventtypes defined in splunk in lookups?

Hi, I have defined an eventtype in Splunk for a particular search. I defined a lookup which had this eventtype as ...

by Explorer in

Graphing network I/O over _time on a timechart, how to create an overlay to highlight a specific period in _time value?

I'm graphing out network I/O over _time on a timechart (Area Chart). Is there any easy way to have an overlay to high...

by New Member in

Why is stats "first" function showing multiple results for a field?

I have the following data. Each one has a different date entry. DATE ACCOUNT_NUMBER SOLUTION NAME ADDRESS...

by Explorer in

How to configure props.conf to index txt files as one new event when text "CTRL AS:" appears, not by timestamps?

Hello everybody! I could use some help with this project that I've been working with... I have some .txt files whi...

by Contributor in

Inputs.conf composed regex vs wildcard: Why is my whitelist monitor configuration not working?

Why is this monitor whitelist not working ? [monitor:///opt/logs/] whitelist = (connectors/connectors\-\d\-boot|ap...

by Builder in

Is anyone utilizing deduplication at the storage level (SAN) for Splunk data and how does it perform?

Is anyone utilizing deduplication on storage arrays for Splunk volumes, and how does it perform?

by New Member in

How to create a table with a static column A and dynamic column B based on search values?

I want to create a table as: Column A, Column B LoginFailure, YES LoginSuccess, NO Account Lockout, YES Basical...

by Engager in

Why am I getting "No Results" using rex in a subsearch?

Hello, I'm trying to do something more complicated than this search, but the more complicated scenario includes re...

by Contributor in

Stats showing count of 1 result vs NOT that result

I am super new to using the powerful eval command but cannot quite get my head around the syntax. Can someone help me...

by Path Finder in

Is it possible to remove a string from _raw in a search using wildcards with the replace command?

Hello, I'm trying to remove a string from the _raw of my search with the replace command and was wondering if wild...

by Path Finder in

Why does my search work in the Search app, but not in a dashboard?

Hello. I have a search which first collects the top 3% of "S3_call_error2", then searches within that list to retu...

by Communicator in

Drill down using multiple conditions

I have a pie chart with multiple slices, clicking on each slice will take you to Custom URL, please see the simple xm...

by Path Finder in

How to combine the results of my two searches in one graph?

I have these two simple searches and I would like to combine them on one graph to display both "passed" and "failed" ...

by Communicator in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to return associated fields based on stats command

How to write the regex in my search to extract first part of uri path in access logs?

What is the regex for a comma followed by a character as a field delimiter, but a comma followed by blank space is not?

Splunk DB Connect: How to log results of dbquery?

Restricting users from search

Regex for field extraction

If an event with "removed" appears, how to exclude all other events with the same ID from search results?

Can we use eventtypes defined in splunk in lookups?

Graphing network I/O over _time on a timechart, how to create an overlay to highlight a specific period in _time value?

Why is stats "first" function showing multiple results for a field?

How to configure props.conf to index txt files as one new event when text "CTRL AS:" appears, not by timestamps?

Inputs.conf composed regex vs wildcard: Why is my whitelist monitor configuration not working?

Is anyone utilizing deduplication at the storage level (SAN) for Splunk data and how does it perform?

How to create a table with a static column A and dynamic column B based on search values?

Why am I getting "No Results" using rex in a subsearch?

Stats showing count of 1 result vs NOT that result

Is it possible to remove a string from _raw in a search using wildcards with the replace command?

Why does my search work in the Search app, but not in a dashboard?

Drill down using multiple conditions

How to combine the results of my two searches in one graph?

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

How to search multiple strings from lookup and pro...

Help on tstats search?

Matching index field value with lookup field value

extract fields from json-wrapped postfix logs?

How to configure alert when a service is in failed...