Splunk Search

Discussions

Thread Info

How to count the difference in a rolling number in events across multiple hosts?

The following example events are indexed by Splunk: Dec 1 00:47:58 serverName data-collector[1234]: #A_RECV# 1234,...

by Splunk Employee in

Is it possible for an external lookup to match on either of two fields rather than both?

I'm trying to create a dashboard that will add vulnerability data from OSVDB to the results of a Nessus scan. I've cr...

by Communicator in

Question about analyzefields search command

The analyzefields seems to be interesting in its ability to correlate across multiple fields, but I cannot determine ...

by Communicator in

Is it possible to use lookup tables that don't have a header row?

I'm working with a number of files in a CSV comma delimited format that don't contain header rows. Is it possible to ...

by Communicator in

Lookup table performance question

I am experimenting with some searches that will need to do lookups on some fairly big tables (30 MB or more). I'm won...

by Communicator in

Search using Stats, String Dates, Counts and Sorting

What I am trying to do is to get a listing of the last 7 days (that logs were entered - not necessarily the last 7 ca...

by Path Finder in

stats by date_hour add zero count for hours with no events

Hi folks, I'm working on a search to return the number of events by hour over any specified time period. At the mo...

by Explorer in

How do you compare multiple related fields in one search?

I'd like to compare the configuration of several nodes using a single search. Each node has multiple keys expressed a...

by Communicator in

Eval variable1=variable2 is True or False?

Folks... I am extracting two variables at search time and trying to report when the two variables are not the same. A...

by Explorer in

sitop storing all the top information

Is there a way to limit the amount of summary events stored by sitop. I have scheduled search running every night wit...

by Path Finder in

how to add fields to web access log

Hi all, Similar This question is similar to http://answers.splunk.com/questions/10093/teaching-splunk-the-field...

by New Member in

SplunkforSquid Logformat

Is there a specific logging format that I should set in the SplunkforSquid app to get the proper field extraction? I ...

by Path Finder in

Using transforms.conf to create a new field

I have events which include: .... relevant=False .... and I'd like to transform those at search time into a fi...

by Splunk Employee in

Search IP in access_log for multiple user agents

I'm looking for spiders, which I can identify by abusive rates using transactions. For example: SPLUNK_SEARCH='source...

by New Member in

"AND" a field over multiple events

I'm having a tough time conceptualizing this, and was hoping someone could get my brain kickstarted. I have multiple ...

by Splunk Employee in

Extracting JSON from POST data

I've got log data that includes JSON text that's sent up using POST to a Web server. A raw regex pattern to match the...

by Communicator in

field picker field order

How to not list field picker fields in alphabetic order? The field picker order looks to be alphabetic. Based on the ...

by Engager in

How do I make a subsearch run faster...or is the search itself incorrect?

When I run the following subsearch over an hours time it takes many minutes, if it completes at all. When run over Re...

by Communicator in

Entering Tags Not a New User (why can't I create tags? I'm not a "new user")

How come I can't create tags? It keeps telling me that I'm a new user but I'm not. And why does a title have to be at...

by Builder in

Can a field extraction and lookup share the same field name?

Is it possible for a field generated by an automatic lookup to share the same name as a field generated by an extract...

by Communicator in

Join/Transaction with field comparison operators

I have some data sources in splunk that are XML formated. The initial request: <query id=12345-54321> <Request_1 i...

by Explorer in

Removing intervals from span?

I am trying to report a statistic over the last X Business Days (7 or 30) by multiple hosts. The result chart should ...

by Explorer in

Splunk search returning inconsistent results

The following search which spans an hour returns 10,000 events which are all included in the final time bucket (ie 10...

by Explorer in

saved search's excel spreadsheet limit cut off at 100 rows

Hello - I am sending the results of a saved search/query to an email destination but the results seem to get cut o...

by New Member in

IndexScopedSearch Error

Hi We recently upgraded our Splunk instance from 4.0.10 to 4.1.4. After the upgrade we are seeing the following e...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to count the difference in a rolling number in events across multiple hosts?

Is it possible for an external lookup to match on either of two fields rather than both?

Question about analyzefields search command

Is it possible to use lookup tables that don't have a header row?

Lookup table performance question

Search using Stats, String Dates, Counts and Sorting

stats by date_hour add zero count for hours with no events

How do you compare multiple related fields in one search?

Eval variable1=variable2 is True or False?

sitop storing all the top information

how to add fields to web access log

SplunkforSquid Logformat

Using transforms.conf to create a new field

Search IP in access_log for multiple user agents

"AND" a field over multiple events

Extracting JSON from POST data

field picker field order

How do I make a subsearch run faster...or is the search itself incorrect?

Entering Tags Not a New User (why can't I create tags? I'm not a "new user")

Can a field extraction and lookup share the same field name?

Join/Transaction with field comparison operators

Removing intervals from span?

Splunk search returning inconsistent results

saved search's excel spreadsheet limit cut off at 100 rows

IndexScopedSearch Error

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout

Search result evaluates to true when it is false

dashboard time token with multiple ealiest/latest ...

ITSI thresholds: adaptive vs static

Using Machine Learning Toolkit to detect auth abus...

Proactively stream data to different index after C...