Splunk Search

Discussions

Thread Info

How to create regex that will pick up on a value contained in [ ] brackets?

Hi all, I'm attempting to develop a regex that will pick up on a value contained in [ ] brackets (see below): L...

by Explorer in

Trouble extracting GUIDS and how to make a new field with rex?

Trying to get these UUID/GUIDs to extract from the message field. Hoping to create a rex to extract everything after ...

by Explorer in

Merge all values in two fields in a new one?

I have read all the posts about "merging fields" and none of the options work for me. I have events where the same...

by Explorer in

How to apply alert based on search in Splunk?

Hi All, these are the logger info counts which are generated in splunk Total numner where inds-a 20Total numne...

by Explorer in

How to not display the weekend in a chart?

hi I want to not display the week end in my chart for example, if i use a time picler range of 7 days, I just w...

by Motivator in

Issue in combined field values?

I am having issue with "Status" values as below and screenshot, please find below json and search query. Please ad...

by Explorer in

Sometimes if we are doing base search, if not handled properly, you will see page loading, how do you handle it?

Hi, Sometimes if we are doing base search, if not handled properly, you will see page loading, how do you handle it...

by Path Finder in

Convert normal search to tstats?

Dears, We need your support to convert below search to tstats search. (index=os_windows OR index=works...

by Explorer in

Why is search for hosts not sending logs and no longer showing results?

Hello, We have been using this query to list out hosts that are not sending logs since past 24h. It has been workin...

by Builder in

Group events based on content of field?

I have the following table of activities: InternalExternalDirection1.1.1.12.2.2.2Outbound3.3.3.34.4.4.4Inbound5.5....

by Explorer in

How to remove double quotes from events ?

sample event "USR_LOGIN","USR_EMP_NO","USR_LAST_NAME","USR_FIRST_NAME","USR_DISPLAY_NAME","USR_STATUS","USR_EMAIL"...

by New Member in

How to annotate when a transition happens?

I want to add an annotation to a dashboard every time we switch from blue servers to green servers or green to blue. ...

by Path Finder in

What are the limitations on subsearch?

Hi, What are the limitations on subsearch? Please give one or two, please? This is an interview question. Regar...

by Path Finder in

ISO 8601 TimeStamp Extraction / Formatting and Source Type Config

Hi all, I have a timestamp in a format I havn't dealt with before and I am struggling to get it converted to my tim...

by Explorer in

How will search head know which index has data?

Hi, How will search head know which index has data? It's an interview question. Kindly help me. Regards Suman P...

by Path Finder in

How to search for Phantom (SOAR) playbook runs and results?

I have some Phantom playbooks performing tasks that I want to monitor on a Splunk dashboard - runs/day, distinct task...

by Engager in

How to return events with or without a value in a specific field?

Hi all! I'm trying to create a table with case_number and session as the two columns. Any event without a case_n...

by Path Finder in

Help with regex search?

Hi Team, Thanks in advance, Need a quick help in Regex query, Input values: KUL6LJBJ62YDBLR6LC7BLNJRHRI6...

by Communicator in

How to get only latest record for each specific column?

sample data _timesourcenameappIdstate10/8/207:53:27.090 AMxyzTransform-x-2020-10-081001success10/8/207:53:16.890 A...

by Explorer in

What is the splunk search query to find oldest (first) event generated on an index?

what is splunk search query to find the oldest ( first ) event generated on a index ?

by Path Finder in

How do you find the earliest event in an index by sourcetype and source?

Hi I have index = A sourcetype = A and source = /tmp/A.app.log I want to find the earliest event (date and tim...

by Builder in

Help to pass time to subsearch?

Hi, I have SPL which includes just using bunch of lookups and producting following data: _timeturnaround_timediff_...

by Explorer in

How to group some of field value into new fields value?

Hi peeps, Need help to do some query. Basically I'm trying to group some of field value in the 'Category' field in...

by Path Finder in

A field is lost in a message sent in raw?

Good afternoon!I send a message like this: curl --location --request POST 'http://test.test.org:8088/services/coll...

by Communicator in

How to create a query to identify blocked IP's by firewall and the reason?

Hi, I am working with firewall logs in external IP's , I want to collect blocked IP's from the firewall, and blocked...

by Engager in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to create regex that will pick up on a value contained in [ ] brackets?

Trouble extracting GUIDS and how to make a new field with rex?

Merge all values in two fields in a new one?

How to apply alert based on search in Splunk?

How to not display the weekend in a chart?

Issue in combined field values?

Sometimes if we are doing base search, if not handled properly, you will see page loading, how do you handle it?

Convert normal search to tstats?

Why is search for hosts not sending logs and no longer showing results?

Group events based on content of field?

How to remove double quotes from events ?

How to annotate when a transition happens?

What are the limitations on subsearch?

ISO 8601 TimeStamp Extraction / Formatting and Source Type Config

How will search head know which index has data?

How to search for Phantom (SOAR) playbook runs and results?

How to return events with or without a value in a specific field?

Help with regex search?

How to get only latest record for each specific column?

What is the splunk search query to find oldest (first) event generated on an index?

How do you find the earliest event in an index by sourcetype and source?

Help to pass time to subsearch?

How to group some of field value into new fields value?

A field is lost in a message sent in raw?

How to create a query to identify blocked IP's by firewall and the reason?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Proactively stream data to different index after C...

Write Splunk log with Laminas

Issues in multiselect input dropdown

Using splunk-sdk in user-defined functions in Spar...

Verification of SAML assertion using IDP's cert fa...