Splunk Search

Discussions

Thread Info

How can I escape dollar-signs to use "map" or "sendemail" inside of a macro or workflow?

All 4 things use the $argument$ syntax. I am trying to use sendemail inside of a macro and have tried \$search\$, $$s...

by Esteemed Legend in

How to prevent regex from matching till end of event? Extracting Group names from EventCode 4627

Need some help in extracting Group Membership details from Windows Event Code 4627. As explained in this answer, ...

by Builder in

Concurrency group by clause

I have an application to analyse phone call data from multiple locations. I want to generate a report that provide...

by Explorer in

Extracting and Compare Folder Path From CSV

Hello, working on monitoring if someone has moved a file outside a specific folder inside a preset folder structure o...

by Path Finder in

How to use the concurrency command to timechart the top 10 concurrencies by field sourceip?

I have the following event that needs to calculate concurrency: Event, starttime=yyyy-mm-dd hh:mm:ss, duration=, s...

by Path Finder in

Users still showing after being deleted

I am trying to delete users that just use Splunk authentication. I have the admin role. I have tried both the web GUI...

by Explorer in

How to define max for a Fillergauge in dashboard studio?

I'm missing something and it's probably blatantly obvious....I have a search returning a number but I want to have a ...

by Path Finder in

I want rex command to return empty string if no match

Let's say I have the following SPL query. Ignore the regexes, thery're not important for the example: index=ab...

by Path Finder in

How to check who has updated a lookup

Hi all, I have one lookup which was having around 1000 entries recently someone has updated the lookup and all entr...

by Path Finder in

MFA Fatigue Attack

I am currently working on creating an alert for a possible MFA fatigue attack from our Entra ID sign in logs. The log...

by New Member in

Retrieving all fields that have a certain value

My events have a few fields that are of the type: field_Name=failed What query should I write to get all that fields ...

by Path Finder in

Extract the words after Result=xxx

ACCU_DILAMZ9884 Failed, cueType=Splicer, SpliceEventID=0x00000BBC, SessionID=0x1A4D3100 SV event=454708529 spot=VAF00...

by Engager in

Need help with a regex please. (Defining an action by user)

I have a standard printed statement that shows something like this:[29/Aug/2024:23:59:48 +0000] "GET /rest/LMNOP[29/A...

by Engager in

Difference between outputlookup and outputcsv

Could anyone tell me the difference between outputlookup and outputcsv? If there no differences, is there any spec...

by Communicator in

Search commands to monitor Forinet Firewalls ?

Hi Guys, Has anyone done a search were you can monitor the CPU on the Fortinet Firewalls? Its on the App but do...

by Engager in

Specify span option value in bin command with map

I try to use lookup to specify span option value in bin command with map | inputlookup mylookupup.csv | fie...

by Engager in

Regular Expression

hi i want to extract purple part.[Time:29-08@17:53:05.654] [60569222] 17:53:05.654 10.82.10.245 local3.notice [S=2952...

by Contributor in

Need to find where index was used in lookups, reports, alerts and dashboards.

The data coming into one of our indexers recently changed. Now the format is different, and the fields are different....

by Engager in

Help joining the 2 below searches

Hi - We have a requirement to join the below eval statement searches, would it be possible if someone could assis...

by Observer in

undefined

by Loves-to-Learn Everything in

Notepad++ SPL syntax highlighting

Hi All I did a look around for a syntax definition for SPL in Notepad++ and didn't find one. Attached is my attempt...

by Communicator in

searching in splunk indexes

Hello everyone! How can we solve the problem of searching for secrets in all or some splunk indexes so that splunk is...

by Explorer in

Why is the map command a risky command?

Other than poor speed and performance, is there a reason why the map command is considered dangerous? The official ...

by Path Finder in

regx

Hi , I want to extract this line from an event.RAISE-ALARM:acProxyConnectionLost: [KOREASBC1] Proxy Set Alarm Proxy S...

by Contributor in

Skipped search

Hi All, I am able to see only 4 status, why am I not able to see status=skipped and status = continued

by Builder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How can I escape dollar-signs to use "map" or "sendemail" inside of a macro or workflow?

How to prevent regex from matching till end of event? Extracting Group names from EventCode 4627

Concurrency group by clause

Extracting and Compare Folder Path From CSV

How to use the concurrency command to timechart the top 10 concurrencies by field sourceip?

Users still showing after being deleted

How to define max for a Fillergauge in dashboard studio?

I want rex command to return empty string if no match

How to check who has updated a lookup

MFA Fatigue Attack

Retrieving all fields that have a certain value

Extract the words after Result=xxx

Need help with a regex please. (Defining an action by user)

Difference between outputlookup and outputcsv

Search commands to monitor Forinet Firewalls ?

Specify span option value in bin command with map

Regular Expression

Need to find where index was used in lookups, reports, alerts and dashboards.

Help joining the 2 below searches

undefined

Notepad++ SPL syntax highlighting

searching in splunk indexes

Why is the map command a risky command?

regx

Skipped search

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Using Machine Learning Toolkit to detect auth abus...

Splunk Search

Are you a member of the Splunk Community?

Discussions