Splunk Search

Ask a Question

Discussions

Thread Info

List all created users with their roles.

Hi, I would like to see roles of created users not roles of user which created account, is there a way to to this?...

by New Member in

Using dedup in multi-month query

I'm trying to create a timechart showing the count of events over 6 months. The query is index=itemdb `macrotest`...

by Path Finder in

List, Raw and Table log format selection not appearing

After I run my query, I am unable to see the logs it pulls under events. I can't see them using the raw, list or tabl...

by Communicator in

Using value in lookup as source in search

Hello, I am new to Splunk so apologies if this question seems overly simple. Currently I have a search where in...

by Engager in

How to keep the number on the right side after changing the commas with space to match canadian number format?

Hello Splunker! I added the "tostring + commas" to a number to get the thousand separator. Work's fine. The proble...

by Engager in

How to Detect Pass the Hash

Hello there! I am trying to build a Splunk alert to detect Pass the Hash. In another post it was recommended to try u...

by Explorer in

What is the difference between a "Finalized" search and a "Done" search?

After upgrading to v8.0.1 we noticed that many of our long-running scheduled searches are ending up in a "Finalized" ...

by Esteemed Legend in

get percentage of specific field over volume

I have two query 1: sourcetype=A error=499 2: sourcetype=B X=* I would like to make timechart of % of A on B. ...

by New Member in

FIltering a record out based on stats values

Greetings all. I have this: | stats dc(Indexer) AS conntected_indexers values(Indexer) as Connected by connectT...

by Builder in

ダッシュボードだと結果が正しく表示されない

お世話になります。 search文の場合は、結果が正しく表示されるのですが、そのソースコードをそのままダッシュボードに張り付けると、一部の項目が表示されない事象が発生しています。ダッシュボード表示にすると結果が変わる事象ははど...

by New Member in

Using inputlookup value as source in search

Hello, I'm new to Splunk so sorry if this seems like a basic question. Previously, in my search I was listing v...

by Engager in

Difference between two date by field

Hello,This is my query | loadjob savedsearch="myquery" |where strftime(_time, "%Y-%m-%d") = "2020-02-24" |eval sh...

by Explorer in

Logs after ingestion are not readable

HI All , I am ingesting cloudwatch logs through s3->sns->sqs , on heavy forwarder using the aws add on using sqs ...

by Explorer in

Join only returns 1 value

The search below looks up a serial number in another index, there will be multiple values to "x", but currently it on...

by Communicator in

My search is slow. I was wondering how should I convert my search into a macro?

My search is running slow. I have a live dashboard and it is populated by a query in my search. I am new to Splunk bu...

by Explorer in

Need help in some time conversion

HI all, Need help in getting below code adjust to get the value as expected. index=nw_syslog "DDOS_PROTOCOL_VIO...

by Communicator in

Does the Windows TA nullify the Windows field called Error Code?

It's similar to Windows TA not Parsing "Error_Code" from 4776 Logs My take on that is - The TA does the followi...

by Motivator in

How to populate a null field if certain field equals ***

Hi Folks Have an issue where some of my log entries contain null fields in which i need to populate in order to ru...

by Path Finder in

Cant generate proper table with percentage and BY clause together

Hi! First question and relative newbie, so bear with me!  I created below query to show the number of missing server...

by Explorer in

Is it possible to get more than 90days logs in splunk ?

I need to get the logs which are older than 90days in splunk but our retention policy is 90days only. So, If it is po...

by New Member in

Break individual events from json array

Hello, I have been working on breaking events which come from the Splunk Rest api addon output. Default "_json" so...

by Explorer in

Alert if there are no logs (by host and by sourcetype)

Hello, We scheduled a search that alerts us if we do not receive logs from any of our hosts since >5 minutes. It l...

by Communicator in

NULLの場合に他のフィールドの値を代入したい

お世話になります。以下のようなデータがあります。 issue.id,Key 1111 2222 null 3333 issue.idがNUｌｌの場合Keyの値をissue.idに代入したいのですが、どのようにすればよろし...

by New Member in

How to remove unfinished buckets from "bin" command

I am using a bin command on _time field to have 10 minute sections of data. Like below: |bin _time span=10m minspa...

by Explorer in

Why is disk used in my SEARCH HEAD too high?

I can check that 80% of my disk is used in my Search Head. How to decrease it and what exactly is taking up space? Th...

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

List all created users with their roles.

Using dedup in multi-month query

List, Raw and Table log format selection not appearing

Using value in lookup as source in search

How to keep the number on the right side after changing the commas with space to match canadian number format?

How to Detect Pass the Hash

What is the difference between a "Finalized" search and a "Done" search?

get percentage of specific field over volume

FIltering a record out based on stats values

ダッシュボードだと結果が正しく表示されない

Using inputlookup value as source in search

Difference between two date by field

Logs after ingestion are not readable

Join only returns 1 value

My search is slow. I was wondering how should I convert my search into a macro?

Need help in some time conversion

Does the Windows TA nullify the Windows field called Error Code?

How to populate a null field if certain field equals ***

Cant generate proper table with percentage and BY clause together

Is it possible to get more than 90days logs in splunk ?

Break individual events from json array

Alert if there are no logs (by host and by sourcetype)

NULLの場合に他のフィールドの値を代入したい

How to remove unfinished buckets from "bin" command

Why is disk used in my SEARCH HEAD too high?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

In Splunk studio, is it possible to populate a tex...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions