Splunk Search

Ask a Question

Discussions

Thread Info

Left Join: How to display missing data in a table using Join?

Hi There, I have a requirement where i have an index with two different sources. index=a sourcetype=a1 index...

by Path Finder in

How to extract a field from raw json?

Hi Team, From the below raw JSON string in Splunk, I am trying to display only correlationId column in a table, ca...

by Path Finder in

What is the relation between the Splunk inner/left join and the ones in relational databases?

What's the relation between the Splunk inner/left joins and the ones in relational databases, functionality and termi...

by Ultra Champion in

Filter a search result with lookup values- What command is most appropriate for this?

Hi, I have a search query where a field is named "user_email".I also have a lookup table where I have a list of em...

by Explorer in

How do I list the events if there are more than 1 item in array?

how do i list the events that in an array has more than 1 item? 1) a:[ {"data1":"abc"},{"data1":"def"}] 2) a:[ ...

by Explorer in

How to create a table based on two queries?

I have two queries I am trying to join the results together. The first query has the organization details and the sec...

by New Member in

How to search to get value from the last event?

Hello folks, I have Logger lines as below: job MONITOR-DESYNC-3-20I-ERNC: { "chain":"PR1", "nbProperties":1345, "...

by Explorer in

Overlaying data from multiple devices, or being able to select which device to view?

Further to my previous post here, which was generously solved by ITWhisperer: Solved: Help with search to use for d...

by Path Finder in

How to list out saved searches which are used index=* instated of using index fully qualified name?

Hi all,we have hundreds of saved searches,but the problem is while creating savedsearches they were used index= * ...

by Explorer in

How to search for the time difference between last event and now?

I have installedAt field which gives the application's installation time. If I run a Splunk search for the last 7 ...

by Contributor in

Help with search to use for dashboard - link key-value pairs

Hi Folks - I would appreciate some help to create a dashboard. I want a simple line chart that shows how a value c...

by Path Finder in

Why is the search with NOT take less time compared to search using IN?

Hello Everyone, I have two queries to exclude events one using NOT and other one using IN, both the queries returnin...

by Loves-to-Learn in

How to create a dashboard with event ID below to application usecube ?

Hi, i would to create a dashboard with event ID below to application usecube 4720 A user account was created...

by New Member in

Can I write this search with stats instead of left join?

Hi All, I have a join query that works perfectly fine for my use case, but I was trying to see if I can write this us...

by Path Finder in

Help with Searching Events with different OS platform table fields

Hello, I have recently starting learning about Splunk and been stuck while attempting to make the search display for ...

by New Member in

How to run an index to generate events through an input lookup table?

Hi all, I wish to generate login times for a list of users which are specified in a lookup table titled user_list.csv...

by Engager in

How to compare events with "milestone" lookup?

I have a really simple task but haven't figured out how. This is a simple table of milestones milestone1milestone2...

by SplunkTrust in

Splunk search based on lookup time?

Below query, I have used and it is saving in output lookup format. Lookupname - S1_installedtime Query - i...

by Contributor in

How to delete row values if condition is not met in a table?

Hi all, I need to write a query that checks whether (Daily AH <= Daily Po <= Daily Risk <= Daily File <= Daily In...

by Path Finder in

How to convert time in another timezone?

Hello everyone! I have time in such format 2022-09-02T18:44:15, this time in GMT+3, and I need to change convert t...

by Contributor in

How to output of search results of one index as inputs to another search using a different index?

I search Netflow firewall denied traffic on port 53 using the netflow index. Based on the IPs found (source and DNS d...

by Explorer in

How to get extracted fields count per index?

Hi,Trying to get the count of extracted fields per index. I am using the following search for this: index=*|f...

by Builder in

How to display/access parameters after grouping?

For example I have getting splunk logs with 4 fields TimeEventtime 1service = "service1" | operation = "sampl...

by New Member in

How to find duration between multiple events for multiple occurrences?

Hi all, I'm hoping that someone can help / point me in the right direction. I have two events which are being fed ...

by Explorer in

How can I get just one avg count per day? (With time span = 3h I get 3 counts per day)

Using the below query to get the daily avg user in during biz hours: index=pan_logs sourcetype=json_no_timestamp ...

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Left Join: How to display missing data in a table using Join?

How to extract a field from raw json?

What is the relation between the Splunk inner/left join and the ones in relational databases?

Filter a search result with lookup values- What command is most appropriate for this?

How do I list the events if there are more than 1 item in array?

How to create a table based on two queries?

How to search to get value from the last event?

Overlaying data from multiple devices, or being able to select which device to view?

How to list out saved searches which are used index=* instated of using index fully qualified name?

How to search for the time difference between last event and now?

Help with search to use for dashboard - link key-value pairs

Why is the search with NOT take less time compared to search using IN?

How to create a dashboard with event ID below to application usecube ?

Can I write this search with stats instead of left join?

Help with Searching Events with different OS platform table fields

How to run an index to generate events through an input lookup table?

How to compare events with "milestone" lookup?

Splunk search based on lookup time?

How to delete row values if condition is not met in a table?

How to convert time in another timezone?

How to output of search results of one index as inputs to another search using a different index?

How to get extracted fields count per index?

How to display/access parameters after grouping?

How to find duration between multiple events for multiple occurrences?

How can I get just one avg count per day? (With time span = 3h I get 3 counts per day)

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Proactively stream data to different index after C...

Write Splunk log with Laminas

Issues in multiselect input dropdown

Using splunk-sdk in user-defined functions in Spar...

Verification of SAML assertion using IDP's cert fa...