Splunk Search

Discussions

Thread Info

Set Field based on another field

I am trying to create a field that contains information about the type of host based on the host field. For example, ...

by Path Finder in

Calculate time between two different events

I have log entries looking as follows: Nov 16 08:37:47 psdkxt05 MID=xxx005I;XID=;SID=;UID=;STM=2010-11-16 08:37:47...

by Communicator in

Subsearch based on date

I'm new to creating subsearches. I need to combine fields from two different sourcetypes based on a date. Event one h...

by SplunkTrust in

Dealing with bizarre embedded timestamp

Hey everyone. Right now I'm dealing with some CSV files that are set up in the following format: line 1: version head...

by Builder in

One search to source multiple dashboard tables

Couldn't see to find a question like this here, but maybe my search for it is no good. What I'd like to do is have...

by Communicator in

What is the best strategy to handing overlapping data?

Some sources will produce data that overlaps i.e. you get some of the data you already indexed. This can have quite a...

by Communicator in

Quickest Way to Search Large Dataset and Export Results

I'm trying to find the quickest way to run a large search against a large dataset which will have a large set of resu...

by Communicator in

Determine whether a time-based field falls within the last 7 days

I'm having a tough time searching for this, sorry if it's been asked many times. I have an event that carries a few t...

by Engager in

inactive users and saved searches

I would like to find All Users that have not logged in for 90 days ans active scheduled searches associated with ...

by Communicator in

substr can't get the correct value?

Hi,all I want to use "substr" to get what I want. A=1420014 ... |eval A=if(substr(A, 1,2)="14",replace(A, "1...

by Path Finder in

find host reporting to various indexers.

I have hosts/forwarders reporting to multiple indexers using load balancing.I have 3 in Americas,2 in Aspac. I am ...

by Communicator in

Event count bucket starts from 2 AM (indipendent of earliest and latest)

Dear All, I'm doing a search as the following: sourcetype="sophos" pmx_action="keep" fur!="none"| bucket span=2...

by New Member in

exclude two ranges in a search

I want to search my firewall log for tcp denials from the outside on port 22. So far, I have this: "deny tcp sourc...

by New Member in

New user - trying to work out a report - Followup questions

Appreciate the answer to my original question, but it leads me to a couple of additional issues: 0) As I write thi...

by Explorer in

Why do I get different results when I search my extracted field?

I have an extracted field called ruby_completed_call, that extracts the completion time from a ruby log: Processin...

by Splunk Employee in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Set Field based on another field

Calculate time between two different events

Subsearch based on date

Dealing with bizarre embedded timestamp

One search to source multiple dashboard tables

What is the best strategy to handing overlapping data?

Quickest Way to Search Large Dataset and Export Results

Determine whether a time-based field falls within the last 7 days

inactive users and saved searches

substr can't get the correct value?

find host reporting to various indexers.

Event count bucket starts from 2 AM (indipendent of earliest and latest)

exclude two ranges in a search

New user - trying to work out a report - Followup questions

Why do I get different results when I search my extracted field?

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!

BotS member needed !

To set up alert using saved search and map command

How to compare 2 lookups and highlight any changes...

How to change pie chart font color from within Spl...

Users with the same roles, in the same app, and sa...