Splunk Search

Ask a Question

Discussions

Thread Info

How do you use timewarp in specific?

Let's say I have this query index = x |stats count as Total, sum(AMMOUNT) as TAmmount BY MERCHANT, SUBMERCH...

by Communicator in

Extract count of each value of a field and create a timechart from it using stats

I have a field "skill" which takes multiple values: I want to extract the count of each of the values of ski...

by Engager in

Insert Timerange picker value in query

Hi, I want to insert Timerange picker value like $time$ in my query for a Dynamic input. Requesting help with the que...

by Explorer in

SPL: Use regex replacement string multiple times

Hello *,I am looking for an SPL that reads the first part of a string via regex and replaces all occurrences of a cer...

by Explorer in

Match IP address with IP in Lookup table and alert

Hello, We are using ES and we have a lookup file downloaded which has a mix of standalone ip's and CIDRs/Subnets/. ...

by Builder in

Error: Cannot expand lookup field due to a reference cycle in the lookup configuration

OK, this is odd Search: index=myindex Works and returns a field "Name", happily listing all values of Name as ...

by Explorer in

rex field? - extraction

Hi, I want to extract the following term from this message: (MaRSEPbac, [MaRSEPbac_Old2], [MaRSEPbac]) that...

by Engager in

rename row1 after transpose

hi team, as titled, how to rename 'row1' to 'number' after transpose. I tried rename and replace, but doesn't work. ...

by Path Finder in

Extracting Account Name:

Oct 28 20:08:57 XXX.XXX.com Microsoft-Windows-Security-Auditing[4]: EventID: 4663 An attempt was made to access an ob...

by Engager in

Why is this "earliest" not working?

index=myindex | eval createdepoch = strptime(created, "%Y-%m-%d")| eval _time = createdepoch| search earliest=-90d@d ...

by Explorer in

Convert point in time events to timeseries with Data points

I have the following data. That I am trying to convert to a time series by Type with the last Status brought forward....

by Engager in

rex operation -- Regex: syntax error in subpattern name (missing terminator)

Hi, I'm continuously receiving the error Regex: syntax error in subpattern name (missing terminator) when attemptin...

by New Member in

how to exclude the subsearch result from main search

hello, Can anyone tell me how to exclude the subsearch result from main search?I want to exclude the result that fa...

by Explorer in

Evalaute field from different areas

Hi, I would like to determine a field from different areas of a log. eg see below for my expectations. Note: You c...

by Engager in

Calculate sum of duration for Sub calls

I have data in the following structure received for every event. Some events have just one or two sub calls and some ...

by Explorer in

How to add new data in lookup from SPL query output ?

My lookUp is a KV Store lookup. It has three column 'is_active' , 'user', 'robot'.I have a SPL query that gives me ...

by Contributor in

Account deleted query

| datamodel "Change_Analysis" "Account_Management" search | where 'All_Changes.tag'="delete" AND 'All_Changes.user'!=...

by Engager in

Can you use an if statement for the value of two different fields?

Hello, I'm a bit new to Splunk, so I'm still learning. I have created two fields, an opscounter, and a deopcounte...

by Observer in

Regex expression to extract fields

I have two fields below that show up in our log files. I used Splunk tool to create the Regex to extract the fields ...

by Explorer in

mvexpand multi-value fields when not null

Hi all. I'm trying to create a table from AWS WAF logs. There is a section of the log that is called ruleGroupList{...

by Engager in

Search help - find total sum of lengths of array

My current search returns a series of events like: {'field1' : {'field2' : [obj1, obj2, obj3]}} {'field1' : {'fi...

by Loves-to-Learn in

Filtering out HTTP/1.1 200 logs from being forwarded to splunk.

Hi, We have a large amount of data in /opt/app/axtract_fe1/var/log/apache2/main_collector_access-*.log file, and we...

by Loves-to-Learn in

command "where" not working

the "where" command checks only one condition doesn't work like that my search: . . . . | where NOT (id_old...

by Communicator in

How do I properly configure schedule search/cron/alert times?

This question is based on a comment from @woodcock on this post: https://community.splunk.com/t5/Splunk-Search/Wh...

by Path Finder in

Test

by Explorer in

Get Updates on the Splunk Community!

Index This | What’s a riddle wrapped in an enigma?

September 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

BORE at .conf25

Boss Of Regular Expression (BORE) was an interactive session run again this year at .conf25 by the brilliant ...

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

Splunk Search

Discussions

How do you use timewarp in specific?

Extract count of each value of a field and create a timechart from it using stats

Insert Timerange picker value in query

SPL: Use regex replacement string multiple times

Match IP address with IP in Lookup table and alert

Error: Cannot expand lookup field due to a reference cycle in the lookup configuration

rex field? - extraction

rename row1 after transpose

Extracting Account Name:

Why is this "earliest" not working?

Convert point in time events to timeseries with Data points

rex operation -- Regex: syntax error in subpattern name (missing terminator)

how to exclude the subsearch result from main search

Evalaute field from different areas

Calculate sum of duration for Sub calls

How to add new data in lookup from SPL query output ?

Account deleted query

Can you use an if statement for the value of two different fields?

Regex expression to extract fields

mvexpand multi-value fields when not null

Search help - find total sum of lengths of array

Filtering out HTTP/1.1 200 logs from being forwarded to splunk.

command "where" not working

How do I properly configure schedule search/cron/alert times?

Test

Index This | What’s a riddle wrapped in an enigma?

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!

Help Fix My Search

In Splunk studio, is it possible to populate a tex...

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

Splunk Search

Are you a member of the Splunk Community?

Discussions