Splunk Search

Discussions

Thread Info

Alert to detect email spoofing - Sender address and reply to address different

Morning Splunk Gurus's, I wonder if you can solve a question I have? If an email is sent to you and the senders em...

by New Member in

Can Monitor files and directories and HTTP Event Collector use the same name of source data type

My application wants to sent dat to SPLUNK via Monitor files and directories and meantime via HTTP Event Collector. M...

by Observer in

How do I create splunk query to get the total percentage of the two results

I'm new to splunk and need further guidance to be able to accomplish my dashboard for Pi-Hole: Could some expert g...

by Explorer in

How to Use Eval to add 2 Field Values

Search -- |source1 | stats count(source1.field1) by (source1.field2) | sort 0 source1.field2 Search Output ...

by Path Finder in

How to combine 2 stats count O/P to be displayed in one for use in Overlay Chart

search query 1 | stats count by source1.field1 | where blah ==blah | rename field1 as "Y-098" Y-098 || Count 1.Ins...

by Path Finder in

Sending Logs to splunk from logstash

Hi i am trying to send logs to splunk with HEC using logstash, but configuration is not working. A curl from the serv...

by New Member in

List all created users with their roles.

Hi, I would like to see roles of created users not roles of user which created account, is there a way to to this?...

by New Member in

Using dedup in multi-month query

I'm trying to create a timechart showing the count of events over 6 months. The query is index=itemdb `macrotest`...

by Path Finder in

List, Raw and Table log format selection not appearing

After I run my query, I am unable to see the logs it pulls under events. I can't see them using the raw, list or tabl...

by Communicator in

Using value in lookup as source in search

Hello, I am new to Splunk so apologies if this question seems overly simple. Currently I have a search where in...

by Engager in

How to keep the number on the right side after changing the commas with space to match canadian number format?

Hello Splunker! I added the "tostring + commas" to a number to get the thousand separator. Work's fine. The proble...

by Engager in

How to Detect Pass the Hash

Hello there! I am trying to build a Splunk alert to detect Pass the Hash. In another post it was recommended to try u...

by Explorer in

What is the difference between a "Finalized" search and a "Done" search?

After upgrading to v8.0.1 we noticed that many of our long-running scheduled searches are ending up in a "Finalized" ...

by Esteemed Legend in

get percentage of specific field over volume

I have two query 1: sourcetype=A error=499 2: sourcetype=B X=* I would like to make timechart of % of A on B. ...

by New Member in

FIltering a record out based on stats values

Greetings all. I have this: | stats dc(Indexer) AS conntected_indexers values(Indexer) as Connected by connectT...

by Builder in

ダッシュボードだと結果が正しく表示されない

お世話になります。 search文の場合は、結果が正しく表示されるのですが、そのソースコードをそのままダッシュボードに張り付けると、一部の項目が表示されない事象が発生しています。ダッシュボード表示にすると結果が変わる事象ははど...

by New Member in

Using inputlookup value as source in search

Hello, I'm new to Splunk so sorry if this seems like a basic question. Previously, in my search I was listing v...

by Engager in

Difference between two date by field

Hello,This is my query | loadjob savedsearch="myquery" |where strftime(_time, "%Y-%m-%d") = "2020-02-24" |eval sh...

by Explorer in

Logs after ingestion are not readable

HI All , I am ingesting cloudwatch logs through s3->sns->sqs , on heavy forwarder using the aws add on using sqs ...

by Explorer in

Join only returns 1 value

The search below looks up a serial number in another index, there will be multiple values to "x", but currently it on...

by Communicator in

My search is slow. I was wondering how should I convert my search into a macro?

My search is running slow. I have a live dashboard and it is populated by a query in my search. I am new to Splunk bu...

by Explorer in

Need help in some time conversion

HI all, Need help in getting below code adjust to get the value as expected. index=nw_syslog "DDOS_PROTOCOL_VIO...

by Communicator in

Does the Windows TA nullify the Windows field called Error Code?

It's similar to Windows TA not Parsing "Error_Code" from 4776 Logs My take on that is - The TA does the followi...

by Motivator in

How to populate a null field if certain field equals ***

Hi Folks Have an issue where some of my log entries contain null fields in which i need to populate in order to ru...

by Path Finder in

Cant generate proper table with percentage and BY clause together

Hi! First question and relative newbie, so bear with me!  I created below query to show the number of missing server...

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Alert to detect email spoofing - Sender address and reply to address different

Can Monitor files and directories and HTTP Event Collector use the same name of source data type

How do I create splunk query to get the total percentage of the two results

How to Use Eval to add 2 Field Values

How to combine 2 stats count O/P to be displayed in one for use in Overlay Chart

Sending Logs to splunk from logstash

List all created users with their roles.

Using dedup in multi-month query

List, Raw and Table log format selection not appearing

Using value in lookup as source in search

How to keep the number on the right side after changing the commas with space to match canadian number format?

How to Detect Pass the Hash

What is the difference between a "Finalized" search and a "Done" search?

get percentage of specific field over volume

FIltering a record out based on stats values

ダッシュボードだと結果が正しく表示されない

Using inputlookup value as source in search

Difference between two date by field

Logs after ingestion are not readable

Join only returns 1 value

My search is slow. I was wondering how should I convert my search into a macro?

Need help in some time conversion

Does the Windows TA nullify the Windows field called Error Code?

How to populate a null field if certain field equals ***

Cant generate proper table with percentage and BY clause together

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!