Splunk Search

Community Activity

"NOT IN" between two search query Hi all, i need to select IP address from a search query that "are not" in another search query. How can i do this? th... by pinzer Path Finder in Splunk Search 09-02-2010 0 8	0	8
fschange on auto-rotated config files So I have an application that auto-rotates its config files every time it is changed, and uses the following structur... by adamw Communicator in Splunk Search 09-02-2010 0 1	0	1
Adding time in a search I would like to add the total amount of time an cs_id spends on the web daily. Ironport provides logs where the time... by sptelars New Member in Splunk Search 09-02-2010 0 1	0	1
Limitations with searchmatch() eval function? Is there any weird issues with using multiple searchmatch() expressions within a single eval command? I have a trans... by Lowell Super Champion in Splunk Search 09-02-2010 4 2	4	2
How can you emulate a sub-subsearch? Is there anyway of emulating a nested subsearch? I know its sometimes possible to rewrite a search to factor-out a s... by Lowell Super Champion in Splunk Search 09-02-2010 0 5	0	5
Collect's addtime=true/false : What does it do? I've got certain events that I want to send to collect. I see the addtime option (defaults to true). What does it d... by the_wolverine Champion in Splunk Search 09-01-2010 0 2	0	2
Matching both sides of two kv pairs over time I have a small DTrace app that monitors ARP requests and replies, producing output like this: 2010 Sep 1 03:10:08 ... by pde Path Finder in Splunk Search 09-01-2010 0 2	0	2
Use date_hour date_minute for charting Hi everyone. I'm trying to use the date_hour and date_minute fields (which reads perfectly the hours and minutes of ... by vtrujillo Explorer in Splunk Search 09-01-2010 0 2	0	2
Search using outer join fails to return all matching events Search fails to correctly return all matching events when performing outer joins. The search below illustrates the pr... by Jaci Splunk Employee in Splunk Search 09-01-2010 1 3	1	3
How do I configure multi-value fields for RFC 5424-compliant syslog events? Splunk understands old school BSD-style syslog events effortlessly. For RFC 5424-style events, multiple data structu... by hulahoop Splunk Employee in Splunk Search 09-01-2010 0 3	0	3
How do I set the major unit duration to 1 week In a chart, I need to set major unit to be one week (i.e adjacant tick marks need to be one week apart). How do I do ... by sriram_sathyamo New Member in Splunk Search 09-01-2010 0 1	0	1
Simultaneous queries/jobs limit Hi I was wondering if there is a limit on the count of simultaneous queries/searches/jobs executed in a Splunk ins... by sranga Path Finder in Splunk Search 08-31-2010 0 2	0	2
Regex across two lines I have the following output: DEV#: 0 DEVICE NAME: vpath0 TYPE: 2107900 POLICY: Optimized SERIAL: 123bac ... by Branden Builder in Splunk Search 08-31-2010 0 11	0	11
Search query login Hi all, i need to do a query about the number of login failed and succeeded in a time period. I'm auditing linux and ... by pinzer Path Finder in Splunk Search 08-31-2010 0 2	0	2
How do force a search to finish before invoking a custom search command? I'm building a custom search command that performs some visualizations on a dataset outside of Splunk. It has to pars... by Marinus Communicator in Splunk Search 08-31-2010 0 6	0	6
Diff of 2 searches How would I go about running a search that compares the output to two searches and reports the difference between the... by Pete_Bassill Path Finder in Splunk Search 08-31-2010 1 3	1	3
regex and BREAK_ONLY_BEFORE I have a script that sends something like the following to stdout: DEV#: 0 DEVICE NAME: vpath0 TYPE: 210790... by Branden Builder in Splunk Search 08-30-2010 1 5	1	5
Distinct Count on Summary Index Okay, my summary index looks like this: sourcetype="blah" \| sistats count by email I'd like to run a query agai... by sondradotcom Path Finder in Splunk Search 08-30-2010 1 1	1	1
Show only events WITHOUT field Is there a way to show events only if they do not contain a specified field. E.g. 40% of my selected events contain a... by landzaat Explorer in Splunk Search 08-30-2010 12 1	12	1
How to configure forwarder to send different information to 2 different indexers Hi, We now have a setup in which we use splunk like this. Forwarders deployed on windows Domain Controllers, that re... by DyJohnnY Explorer in Splunk Search 08-30-2010 1 4	1	4
Lookup full text of Cisco event and display in new window? I have a search time field extraction for CISCO system messages named MsgClassID. I uploaded from Manager a CISCOevt_... by MikeyG Explorer in Splunk Search 08-28-2010 0 1	0	1
Percent of Total I'm trying to figure out how to calculate a percent of total such that: search string \| stats count percent by email... by sondradotcom Path Finder in Splunk Search 08-28-2010 3 3	3	3
Search Application Summary page slow to load We index data from about 2000 different hosts. logs are relayed in via a TCP syslog source. Whenever a user goes to ... by gfriedmann Communicator in Splunk Search 08-28-2010 0 2	0	2
How do you filter Windows Event Log? I've tried to filter native event logs being indexed using the [WinEventLog...] sourcetype. Here are the config: pr... by BunnyHop Contributor in Splunk Search 08-28-2010 1 5	1	5
field extraction of usually ommited info Hi, i have a couple of logfiles where there is one important "field" that splunk does not recognize because it is no... by dominiquevocat SplunkTrust in Splunk Search 08-27-2010 1 3	1	3