Splunk Search

Community Activity

Eval time between events for transaction by group? Hi, I'd like to do a report that tells me how long a forwarder hasn't been active. I use transaction to join similar ... by gljiva Path Finder in Splunk Search 07-21-2010 2 5	2	5
Run search to determine if forwarder has splunkweb enabled? Is there a search string that would report on the status of splunkweb on each forwarding host? by muebel SplunkTrust in Splunk Search 07-20-2010 3 2	3	2
One-liner to print scheduled searches? Is there a command via splunk.exe or some other /bin tool that would output all scheduled searches in a particular in... by muebel SplunkTrust in Splunk Search 07-20-2010 2 2	2	2
Evaluate search with lookup field? Hi, I'm having problem with evaluating expression using lookup field. I create a lookup fileld by executing this sear... by gljiva Path Finder in Splunk Search 07-20-2010 0 2	0	2
Joining Transactions Hello, I have two searches that use transactions to get part of a table of results that I want. Firstly, index="... by Hazel Communicator in Splunk Search 07-20-2010 1 5	1	5
quick fields question. Time connected/time disconnect? I want my table to show a column with what time a username connected to the network and another column showing when t... by riderofyamaha Explorer in Splunk Search 07-19-2010 0 6	0	6
Splunk Searching Commands/Strings Im fairly new to splunk (and linux for that matter) but I am trying to find a Web Page or Manual or whaeter that will... by ljeffery New Member in Splunk Search 07-19-2010 0 1	0	1
Rewriting value of field if value is negative Hi, I would like to rewrite bogus field values that are negative to 0. For example I would like to run the followin... by mcwomble Path Finder in Splunk Search 07-17-2010 0 1	0	1
Follow event from source forwarder to indexer; how to troubleshoot a missing sourcetype I just set up a new splunk forwarder on a linux host. One of the inputs is a monitor of the /var/log/messages file. ... by muebel SplunkTrust in Splunk Search 07-16-2010 1 3	1	3
Splunkd won't restart after power failure I'm running Splunk 4.1.3 on Windows 2008 R2 x64 and had a poweroutage. The splunkd service will not restart. Crash ... by meatago Explorer in Splunk Search 07-16-2010 0 1	0	1
How can I configure REGEX to recognize/match on a multi-line event? I have a REGEX configured (in transforms.conf) that works with my single line events, but appears to be failing on al... by the_wolverine Champion in Splunk Search 07-16-2010 1 3	1	3
Which of these two searches is more performant or optimized, if at all? Which search below is better or optimal from a performance perspective and why? sourcetype="mysoucetype" AND field1=... by maverick Splunk Employee in Splunk Search 07-16-2010 4 3	4	3
Timechart and Chart display buggy column "count" when using "limit=0" I've noticed that on Splunk 4.1.3 the timechart and chart commands, when used with "limit=0", the "count" aggregation... by Paolo_Prigione Builder in Splunk Search 07-15-2010 0 2	0	2
mktime/strptime error (not working as documented) I have a field in some events that contains a time as a string. The times are in the format "2010-07-15-13", which t... by npt05001 Engager in Splunk Search 07-15-2010 0 2	0	2
Unable to delete events? I've tried to delete events for a particular source,say source="tcp:1234" \| delete The operation was successful.How... by remy06 Contributor in Splunk Search 07-15-2010 2 4	2	4
Multi-column stats: average and count for a column I am building a search to find the average amount of time an action takes: sourcetype="timelog" \| stats avg(reque... by isnoop New Member in Splunk Search 07-15-2010 0 1	0	1
How can I exclude a subset of tags from my metadata search? I run a metadata search that populates a summary page to link to all of my tags. The goal of the summary page is to ... by Simeon Splunk Employee in Splunk Search 07-14-2010 1 1	1	1
Parsing us and ms times (e.g. q=15ms) We have a log line that looks like: Jul 14 15:47:34 127.0.0.1 1 [000004ff000216970000489c] Serv foo.com 158578_40df3... by Oren Explorer in Splunk Search 07-14-2010 0 1	0	1
How to get the values inside search hello, my problem is: when I type the query in the search bar, such as: source="number.txt" it will so like that:... by sony_1688 New Member in Splunk Search 07-13-2010 0 5	0	5
Lookup error after upgrading to 4.1 I get a lookup error "does not exist" after i upgraded to 4.1 almost in all apps, also my browser goes not responding... by mohmed935 Engager in Splunk Search 07-13-2010 0 1	0	1
Complicated (to me anyways) query. I have an Apache Access log which I'm searching for any .cgi or .pl file hit with the latest date it's been hit. Som... by Brian_Osburn Builder in Splunk Search 07-12-2010 2 2	2	2
Relationship between Splunkweb Manager config and .conf files? I have a saved search that I modified in the Splunkweb Manager. I look at the same search in the savedsearch.conf fi... by muebel SplunkTrust in Splunk Search 07-12-2010 1 5	1	5
compare the number of events from 2 subsearches in different indexes I would like to create an alert if the number on events is different in two subsearches. subsearch1 = "index=index1 ... by imrago Contributor in Splunk Search 07-12-2010 1 1	1	1
Stop recurring alerts I have setup alerts based on a scheduled search in the logs. The application writes a log messages every minute while... by sureshchinta Explorer in Splunk Search 07-12-2010 1 1	1	1
Changing timechart field name I could renamed the field of timechart. For example: Changed count to 'YYY' . But,I couldn't renamed the '_time' fiel... by benny8021 New Member in Splunk Search 07-10-2010 0 1	0	1