Splunk Search

Discussions

Thread Info

how to optymize my query

Below quite simple query to fill drop down list in my dashboard. index=gwcc | eval file=lower(mvindex(sp...

by Path Finder in

Running search for 1000s of IOCs at once?

I would like to create a dashboard which would run a search daily to check network traffic against a list of about 18...

by Engager in

tstats returns a count of zero when using an OR clause

For some reason my |tstats count query is returning a result of 0 when I add an OR condition in my where clause if th...

by Explorer in

How can I combine a field value , if the other 3 field values are the same

Hi, How can I combine a field value , if the other 3 field values are the same Ex:- If the field1 , field2 , fiel...

by Engager in

How to get P90 latency from combine trace_ids of one query to be fed to a second query.

If I have two queries: 1. index=poc container_name=app horizontalId=orange outputs events with the tr...

by Engager in

How to change table CSS using Classes instead of Ids

As the title suggests, I want to change the CSS style of a table within Splunk dashboard using classes instead of id....

by Path Finder in

Splunk Search Optimization

Hi Team,As per business requirement, need to get below details from same autosys batch and corresponding outputs to b...

by Explorer in

HTTP header connection failed

When we are trying to run a report in deployment server to get the hosts that are reporting to Splunk, it is giving b...

by Engager in

How to document what is present in the index

My apologies for such a noob question. I literally got dropped into a Splunk environment and I know little to nothin...

by Path Finder in

Display only certain properties

Good day, I have a query to check my Entra logs to see what Conditional access policies gets hit. The returns results...

by Path Finder in

How to extract a JSON field from another JSON?

Hi, I would like to extract a field from a JSON logs which is in a prettier format already. I would like to extract...

by Engager in

Isolate a Search head - search head user account

Hi I found this 2011 chat "72798" on Splunk to "considering adding the concept of an "search head user account" on th...

by Explorer in

Splunk Search Query to fill empty columns of data with data from other rows

I'll first insert my whole splunk search query and show whats it showing and whats the expected result ...

by Loves-to-Learn Everything in

Don't have "sse_host_to_country" AND "gdpr_user_category" lookup file in search

Hi Community, I got trouble when want to activate Use Case "User Login to Unauthorized Geo" it said Error because i...

by Contributor in

How can I completely delete a user in Splunk ES?

Hello, As an admin, I deleted a user in Splunk Web, but when I try to add a user during an investigation, I still s...

by Explorer in

data extraction

hello I am getting a field port in event .ports="['22', '68', '6556']"how can i display them in separate rows.

by Contributor in

How can I escape dollar-signs to use "map" or "sendemail" inside of a macro or workflow?

All 4 things use the $argument$ syntax. I am trying to use sendemail inside of a macro and have tried \$search\$, $$s...

by Esteemed Legend in

How to prevent regex from matching till end of event? Extracting Group names from EventCode 4627

Need some help in extracting Group Membership details from Windows Event Code 4627. As explained in this answer, ...

by Builder in

Concurrency group by clause

I have an application to analyse phone call data from multiple locations. I want to generate a report that provide...

by Explorer in

Extracting and Compare Folder Path From CSV

Hello, working on monitoring if someone has moved a file outside a specific folder inside a preset folder structure o...

by Path Finder in

How to use the concurrency command to timechart the top 10 concurrencies by field sourceip?

I have the following event that needs to calculate concurrency: Event, starttime=yyyy-mm-dd hh:mm:ss, duration=, s...

by Path Finder in

Users still showing after being deleted

I am trying to delete users that just use Splunk authentication. I have the admin role. I have tried both the web GUI...

by Explorer in

How to define max for a Fillergauge in dashboard studio?

I'm missing something and it's probably blatantly obvious....I have a search returning a number but I want to have a ...

by Path Finder in

I want rex command to return empty string if no match

Let's say I have the following SPL query. Ignore the regexes, thery're not important for the example: index=ab...

by Path Finder in

How to check who has updated a lookup

Hi all, I have one lookup which was having around 1000 entries recently someone has updated the lookup and all entr...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

how to optymize my query

Running search for 1000s of IOCs at once?

tstats returns a count of zero when using an OR clause

How can I combine a field value , if the other 3 field values are the same

How to get P90 latency from combine trace_ids of one query to be fed to a second query.

How to change table CSS using Classes instead of Ids

Splunk Search Optimization

HTTP header connection failed

How to document what is present in the index

Display only certain properties

How to extract a JSON field from another JSON?

Isolate a Search head - search head user account

Splunk Search Query to fill empty columns of data with data from other rows

Don't have "sse_host_to_country" AND "gdpr_user_category" lookup file in search

How can I completely delete a user in Splunk ES?

data extraction

How can I escape dollar-signs to use "map" or "sendemail" inside of a macro or workflow?

How to prevent regex from matching till end of event? Extracting Group names from EventCode 4627

Concurrency group by clause

Extracting and Compare Folder Path From CSV

How to use the concurrency command to timechart the top 10 concurrencies by field sourceip?

Users still showing after being deleted

How to define max for a Fillergauge in dashboard studio?

I want rex command to return empty string if no match

How to check who has updated a lookup

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

In Splunk studio, is it possible to populate a tex...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions