Splunk Search

Discussions

Thread Info

How to exclude or select events based on value from key/value array?

Hi All, Our JSON payload looks like as shown below. The msg.details array can have any number key/value pairs in a...

by Explorer in

Why is eval failing after join?

index=na160 starttime="02/02/2023:00:00:00" endtime="02/02/2023:24:00:00" requestId="TID:131610985000004c2d"|stats co...

by Engager in

How to rename Splunk column names?

Hi, I have a query that evaluates the value of a variable like this *...|eval var1= var2*10|....* where var...

by Communicator in

Is there a delay in the Splunk API server 'seeing' events?

Is there a delay in the Splunk API server 'seeing' events that are already indexed?I use the Splunk API to query logs...

by Engager in

How to match fields from logs with CSV and create an alert?

I get logs from a system which has a field that contains names. Lets say Abc.xyz is the name of the field. I have a l...

by Explorer in

How to monitor deviation to log volume?

I am trying to monitor drop in events per index. What is the best way to get a baseline and detect deviation to the v...

by Explorer in

Lookup filtering performance on very large lookups

This is not a question, rather I am sharing something that I discovered with a Splunk OnDemand support call. I tho...

by Explorer in

How to create Splunk search to check the last 15 minutes then increment by 1 minute?

For example: i have been hitting the pavement trying to figure out a search query for events that happened between...

by Observer in

How to separate values in a field to new fields?

I have a lookup with a field called IP. The field has values that have multiple IPs in them an I would like to sperat...

by Path Finder in

search

Please need help with this command - Average response time with 10% additional buffer ( single number) – Use “Eval”...

by Explorer in

How to use fillnull or similar before an eval?

As I write this I realize that what I want is likely not possible using this method. I want a fillnull (or similar) ...

by Path Finder in

How to force delete savedsearch results after x time , disable " AutomIatic lifetime extensions"?

Is there a setting that stops the "AutomIatic lifetime extensions" (https://docs.splunk.com/Documentation/Splunk/9....

by Contributor in

Detect host connecting to malicious domains - PaloAlto + AD join statement

Hi, I am trying to get a list of workstations trying to connect to malicious DNS using PaloAlto and Windows AD logs...

by Contributor in

How to parse XML and props.conf?

This is very similar to a lot of XML parsing questions, however I have read through ~20 topics and am still unable to...

by Explorer in

How to search with cidrmatch with multiple subnets?

Hello everyone, I got such table after search ipsubnets10.0.0.2 10.0.0.0/24 10.0.0.3 10.0.0.0/24 172.24....

by Contributor in

Why does REST API return nested json as string not json?

Hi,I am using the REST API to pull data from splunk, using the output_mode=json.The data that is returned is a mix of...

by Path Finder in

How to match string which include random numbers with a lookup?

Hello Team,i have the following problem.Inside my data i have a String like:Error in Data | 5432323 from endpoint 543...

by Path Finder in

Why is UF not reporting to DS?

Hi, I have 10 hosts, from this only 3 hosts are reporting to DS and 7 are not reporting.when i searched with _interna...

by Path Finder in

How to group events based on a fields with predefined values?

I need to group by a field where all possible values should be shown in the result.For example, the below snippet gro...

by New Member in

How to fill count number of previous month when there is no data?

Hi Splunk community, I have a chart display the number of users in each month. There was no data coming in in Octo...

by Path Finder in

What does <time_unit> default to?

Because of a typo we had the following in our query: earliest=-1@d Since Splunk query actu...

by Communicator in

How to achieve a field extraction where field differs in location per log row but still has structure?

I have an OpenCanary which is using a webhook to deliver data into my Splunk instance. It works really well but my...

by Path Finder in

Can't I use backslashes in Splunk searches?

I have a Splunk query as below which pulls some events. index="windows_events" TargetFileName="*startup*" ...

by Builder in

How do I write this search with a mvindex with a conditional?

Hello, I have the below SPL with the two mvindex functions. mvindex position '6' in the array is supposed to ap...

by Path Finder in

How to use field inside quoted search as a variable?

Hi, I have the following joined Splunk query: index="myIndex" source="mySource1" | fields _time, _raw | rex "Na...

by Communicator in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to exclude or select events based on value from key/value array?

Why is eval failing after join?

How to rename Splunk column names?

Is there a delay in the Splunk API server 'seeing' events?

How to match fields from logs with CSV and create an alert?

How to monitor deviation to log volume?

Lookup filtering performance on very large lookups

How to create Splunk search to check the last 15 minutes then increment by 1 minute?

How to separate values in a field to new fields?

search

How to use fillnull or similar before an eval?

How to force delete savedsearch results after x time , disable " AutomIatic lifetime extensions"?

Detect host connecting to malicious domains - PaloAlto + AD join statement

How to parse XML and props.conf?

How to search with cidrmatch with multiple subnets?

Why does REST API return nested json as string not json?

How to match string which include random numbers with a lookup?

Why is UF not reporting to DS?

How to group events based on a fields with predefined values?

How to fill count number of previous month when there is no data?

What does <time_unit> default to?

How to achieve a field extraction where field differs in location per log row but still has structure?

Can't I use backslashes in Splunk searches?

How do I write this search with a mvindex with a conditional?

How to use field inside quoted search as a variable?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!