Splunk Search

Community Activity

Compare 2 fields Basically I have a line of data that looks like this: Jun 28 14:15:10 sc4-app04.mcafeesecure.com portal: ACCESS Clic... by mcafeesecure Explorer in Splunk Search 06-29-2010 3 3	3	3
I'm being audited. Can i give my auditor a list of hosts and the indexes their data is in? An auditor is requesting that we furnish them with a list of all servers logging to splunk and the index they are bei... by Michael_Wilde Splunk Employee in Splunk Search 06-29-2010 1 2	1	2
Editing logs at index time I have splunk indexing a local file that is being continuously written to and I need the first word in each event to ... by mawwx3 Explorer in Splunk Search 06-28-2010 0 4	0	4
How to collapse unneeded lines in the search result for a very long event? Search string "mismatch". The single event is about 2-3K lines or more. In the lines of text there are 5 lines with ... by zliu Splunk Employee in Splunk Search 06-28-2010 1 6	1	6
Windows security event log regex help I need a regex that can process all security events with eventid 540 that don't contain $, SYSTEM, or ANONYMOUS LOGON... by chowell Explorer in Splunk Search 06-28-2010 0 2	0	2
Help on Errror stats - The argument '>' is invalid I am scheduling this search(Daily Indexed Volume): index=_internal source=metrics.log splunk_server="" \| eval MB=k... by apro Path Finder in Splunk Search 06-28-2010 0 2	0	2
Making a lookup optional? (Or, how to build a multi-level lookup?) I have a scenario where I would like to do a two-layered lookup. I'm essentially doing an IP address lookup against ... by Lowell Super Champion in Splunk Search 06-25-2010 6 4	6	4
Create field names automatically from line in file Below are the first 7 lines of a file that I want to index. The additional lines all look like line 7. Can I have it ... by nate1 Explorer in Splunk Search 06-25-2010 1 2	1	2
Metadata filtered by eventtype Can I use eventtype=myevent with \|metadata? example: \| metadata type=hosts \| eventtype=group_A I know tags work, ... by thall79 Communicator in Splunk Search 06-25-2010 0 1	0	1
find total unique sources over the last 30 days? I have what I think should be a simple search, but I'm not quite able to come up with a way to do it. Ultimately I g... by mfrost8 Builder in Splunk Search 06-25-2010 1 3	1	3
Correlating a start and stop event with transaction I'm trying to correlate start and stop events and having a much harder time than what the documentation implies in or... by ericdp Explorer in Splunk Search 06-25-2010 1 5	1	5
How to omit categories of log entries When we are browsing log files for problems, we often don't know exactly what we're looking for. But in a short peri... by r31floyd Engager in Splunk Search 06-25-2010 0 4	0	4
What is the syntax for finding top value of some field and increasing the limit? index="whatever" INFECTION \| top limit="15" misc by src When I attempt this search, the limit qualifier seems to be... by the_wolverine Champion in Splunk Search 06-24-2010 0 4	0	4
Restricting search results to or excluding Extracted Fields Hello, I would like to filter a search result, of irrelevant data, to display less information so its easier to spot... by Carmageddon New Member in Splunk Search 06-24-2010 0 10	0	10
metadata search for distributed environment I have 4 servers in a distributed environment. I use server a to login and do the search. When I use the search \| me... by sanju005ind Communicator in Splunk Search 06-24-2010 0 2	0	2
Debugging Custom Splunk Search Commands I have taken iplocation.py as a skeleton for a simple custom search command that adds another column to the search re... by enielson Explorer in Splunk Search 06-23-2010 4 2	4	2
REST calling last scheduled search Is there a way to have REST look up the latest results from a scheduled search and return them, not re-running the se... by Jason Motivator in Splunk Search 06-23-2010 2 1	2	1
How do I get the diff.py command to work? I moved my Splunk instance to another machine and I'm getting the following error message: 2010-06-15 16:20:24,739 ER... by rsimmons Splunk Employee in Splunk Search 06-23-2010 0 1	0	1
Cannot use auto_finalize_ec in search I find the document about auto finalize in this page http://zh-hant.splunk.com/base/Documentation/latest/Developer/RE... by Jaci Splunk Employee in Splunk Search 06-23-2010 1 2	1	2
Multivalue Regex capture If I have an event with more than one IP addres in it, how can I write a regex that will capture all of the IP's? Ex... by Derek Path Finder in Splunk Search 06-23-2010 0 1	0	1
Working with eventtypes: how to solve duplicated rows into results Good morning, I'm developing for a customer a very simple search. tag=mysourcetype tag=myeventtype startdaysago=7 ... by nik_splunk Path Finder in Splunk Search 06-23-2010 0 5	0	5
Pros and Cons: External lookup script vs custom search command? What are the pros and cons to using an external lookup script vs a custom search command when the purpose is simply t... by Lowell Super Champion in Splunk Search 06-22-2010 1 1	1	1
Calculate diff between two entries in a transaction? I'm trying to calculate the amount of time between two events and I'm having a lot of trouble. Because of some requi... by ericdp Explorer in Splunk Search 06-22-2010 0 2	0	2
one-way distributed searches Given servers A and B, how do you search both A AND B from server A, but disallow B from searching against A? by amrit Splunk Employee in Splunk Search 06-22-2010 3 3	3	3
How do I display percentage of 500 errors on a per-URI basis? So, I have a big set of web stats for a given time in a search. Basically, I want it broken down by uri_path and for ... by kdankmyer Engager in Splunk Search 06-21-2010 1 3	1	3