Splunk Search

Discussions

Thread Info

Finding last event

What is the best (the most efficient) way of finding last (the most recent) events for certain hosts? For example,...

by Communicator in

How to compare when a field value changes from current to previous?

I am looking to find events where IP address changes from previous to current, however using fist(ip) and last(ip) mi...

by Path Finder in

Can you alter the Splunk search used for an alert?

Can you alter the Splunk search used for an alert? I don't see any way to alter it. I am being asked to choose a p...

by Explorer in

extract custom filed and display value in the table output

Queryindex=java networkenv=prod stackenv=prod source="/opt/jboss/standalone/customengine.log"|convert ctime(time) as ...

by Explorer in

Filtering NULL values from multivalue field

I have a transaction with mvlist set to true which results in a table where a number of fields display multiple NULL ...

by Engager in

How can i aline the field output in the table so that it ll not take more space.

Hi everyone, How can i aline the field output in the table so that it ll not take more space. if you see in the sc...

by Path Finder in

Is there a way to remove extra separator(s) when using the strcat command?

I have a search that is using the strcat command to string together text fields. My data looks something like this ...

by Contributor in

Extract field with regex issue

I'm trying to only extract the value of 'value' with regex. 2020-03-04 12:14:26,363 - measurement:34- sensor=43, ...

by Explorer in

subquery not returning results

Hi, I have two queries one from 1stindex and another from 2ndindex both are separately are giving correct outputs ...

by Communicator in

How to write the logic for below condition?

I have a situation where i will get the success message log when there is response, and there won't be any log in cas...

by New Member in

eval command for two types of error

Hi, I have this query : index="app" sourcetype="rxc" host="rxc-ip*" id=7 URL="/user/unauth" OR referer="https:/...

by Path Finder in

Fire Alert Based on Stats

I have a stats query that I would like to fire only when a new value for a field comes in. I have my alert set up lik...

by New Member in

How to remove value in event field?

Hi, I have processes logs like this: event1: {"snapshot":[{"name":"systemd"},{"name":"gvfsd-trash"},{"name":...

by Engager in

Trouble creating a search to return other events that happened within a time period of a subsearch

I'm trying to write a query that search for a users ID, shows what buildings they have accessed and who else has acce...

by Engager in

Issue with strptime

I am trying to convert a date / time into 24 hour format using strptime. Here's the example:OpenedAt = 5/4/2019 9:04:...

by Engager in

Show percentage on pie chart out of 100%

I have event logs with a % in them and I want to break them apart and show them on their own: My event log looks l...

by New Member in

How to ignore fill null values in the result?

In below scenario i want to ignore two vales are null in the result. index=test |stats count by ErrorDetail ErrorM...

by Communicator in

How to count min max time by user?

Hello, I am trying to pull min and max time for each user: index="iptv_rdkb" [|inputlookup usersfile.csv] | fie...

by New Member in

How can I delete search data result incoming within 5 minutes?

Hi. When I search a 'time' field, there are two result values like '2020/04/30 18:00' and '2020/04/30 18:03' I just ...

by Path Finder in

How to fill auto-fill missing dates in a time range and fill null with previous value?

Hello everyone, I need help with a query. I have a table with the following fields: _time USERNUMBER WEIGH...

by Explorer in

Splunk Search

Discussions

Finding last event

How to compare when a field value changes from current to previous?

Can you alter the Splunk search used for an alert?

extract custom filed and display value in the table output

Filtering NULL values from multivalue field

How can i aline the field output in the table so that it ll not take more space.

Is there a way to remove extra separator(s) when using the strcat command?

Extract field with regex issue

subquery not returning results

How to write the logic for below condition?

eval command for two types of error

Fire Alert Based on Stats

How to remove value in event field?

Trouble creating a search to return other events that happened within a time period of a subsearch

Issue with strptime

Show percentage on pie chart out of 100%

How to ignore fill null values in the result?

How to count min max time by user?

How can I delete search data result incoming within 5 minutes?

How to fill auto-fill missing dates in a time range and fill null with previous value?

Search That Looks Back in Time and Checks Fields

Generate timechart with normalized/rescaled data p...

mvexpand issues and alternative needed

Continue on dbxquery Failure

How to display a unit format and a color format in...