Splunk Search

Community Activity

	What is the difference between a "Finalized" search and a "Done" search? After upgrading to v8.0.1 we noticed that many of our long-running scheduled searches are ending up in a "Finalized" ... by woodcock Esteemed Legend in Splunk Search 02-28-2020 0 3	0	3
	get percentage of specific field over volume I have two query 1: sourcetype=A error=499 2: sourcetype=B X=* I would like to make timechart of % of A on B. Basi... by pratik151 New Member in Splunk Search 02-28-2020 0 1	0	1
	FIltering a record out based on stats values Greetings all. I have this: \| stats dc(Indexer) AS conntected_indexers values(Indexer) as Connected by connectType ... by aferone Builder in Splunk Search 02-28-2020 0 2	0	2
	ダッシュボードだと結果が正しく表示されないお世話になります。 search文の場合は、結果が正しく表示されるのですが、そのソースコードをそのままダッシュボードに張り付けると、一部の項目が表示されない事象が発生しています。ダッシュボード表示にすると結果が変わる事象ははどのよ... by 1014502 New Member in Splunk Search 02-28-2020 0 2	0	2
	Using inputlookup value as source in search Hello, I'm new to Splunk so sorry if this seems like a basic question. Previously, in my search I was listing vario... by eoghanmcd Engager in Splunk Search 02-28-2020 0 2	0	2
	Difference between two date by field Hello,This is my query \| loadjob savedsearch="myquery" \|where strftime(_time, "%Y-%m-%d") = "2020-02-24" \|eval show... by tahasefiani Explorer in Splunk Search 02-28-2020 0 2	0	2
	Logs after ingestion are not readable HI All , I am ingesting cloudwatch logs through s3->sns->sqs , on heavy forwarder using the aws add on using sqs ba... by deepakgaonkar Explorer in Splunk Search 02-28-2020 0 0	0	0
	Join only returns 1 value The search below looks up a serial number in another index, there will be multiple values to "x", but currently it on... by arrowecssupport Communicator in Splunk Search 02-28-2020 0 4	0	4
	My search is slow. I was wondering how should I convert my search into a macro? My search is running slow. I have a live dashboard and it is populated by a query in my search. I am new to Splunk bu... by bmendez0428 Explorer in Splunk Search 02-28-2020 0 1	0	1
	Need help in some time conversion HI all, Need help in getting below code adjust to get the value as expected. index=nw_syslog "DDOS_PROTOCOL_VIOLATI... by jerinvarghese Communicator in Splunk Search 02-28-2020 0 2	0	2
	Does the Windows TA nullify the Windows field called Error Code? It's similar to Windows TA not Parsing "Error_Code" from 4776 Logs My take on that is - The TA does the following -... by danielbb Motivator in Splunk Search 02-28-2020 0 0	0	0
	How to populate a null field if certain field equals *** Hi Folks Have an issue where some of my log entries contain null fields in which i need to populate in order to run ... by smithjnick Path Finder in Splunk Search 02-28-2020 0 6	0	6
	Cant generate proper table with percentage and BY clause together Hi! First question and relative newbie, so bear with me!  I created below query to show the number of missing server... by martinmasif Explorer in Splunk Search 02-28-2020 0 4	0	4
	Is it possible to get more than 90days logs in splunk ? I need to get the logs which are older than 90days in splunk but our retention policy is 90days only. So, If it is po... by chandu141084 New Member in Splunk Search 02-28-2020 0 4	0	4
	Break individual events from json array Hello, I have been working on breaking events which come from the Splunk Rest api addon output. Default "_json" sour... by dvarghes Explorer in Splunk Search 02-28-2020 0 5	0	5
	Alert if there are no logs (by host and by sourcetype) Hello, We scheduled a search that alerts us if we do not receive logs from any of our hosts since >5 minutes. It loo... by woodentree Communicator in Splunk Search 02-28-2020 0 7	0	7
	NULLの場合に他のフィールドの値を代入したいお世話になります。以下のようなデータがあります。 issue.id,Key 1111 2222 null 3333 issue.idがNUｌｌの場合Keyの値をissue.idに代入したいのですが、どのようにすればよろしいでしょ... by 1014502 New Member in Splunk Search 02-27-2020 0 2	0	2
	How to remove unfinished buckets from "bin" command I am using a bin command on _time field to have 10 minute sections of data. Like below: \|bin _time span=10m minspan=... by rohitmaheshwari Explorer in Splunk Search 02-27-2020 0 1	0	1
	Why is disk used in my SEARCH HEAD too high? I can check that 80% of my disk is used in my Search Head. How to decrease it and what exactly is taking up space? Th... by muez Explorer in Splunk Search 02-27-2020 0 2	0	2
	Getting counts of each search result over time I am trying to determine a way to search for user logins over time to get an idea of application usage. If I have a ... by chadwell Explorer in Splunk Search 02-27-2020 0 2	0	2
	Help with props.conf with lookup? All, I have a lookup, which I in turn want to do a couple aliases on. But doesn't seem to work. I get clienthost ba... by daniel333 Builder in Splunk Search 02-27-2020 0 3	0	3
	How to mask a password in a log coming from an HTTP Event Collector I am trying to mask a password that is inside a log coming from HTTP Event Collector. I configure my props.conf with... by dnavia29 New Member in Splunk Search 02-27-2020 0 8	0	8
	iplocation.py file missing from $SPLUNK_HOME/etc/apps/search/bin/ Hello Eveyone, I am trying to use iplocation command to search for ip address info within my network. My search is as... by rahulkumarfgf Explorer in Splunk Search 02-27-2020 0 5	0	5
	What is the most elegant way to convert from float to currency in SPL? Miraculously in 2020 there still hasn't been a Splunk Answer that details an elegant way to convert from float to cur... by nick405060 Motivator in Splunk Search 02-27-2020 0 1	0	1
	Alternative solution for join with bad performance I need to do a search on multiple indexes/events and need to do a join on different fields from both. Below query wor... by amdhindsa New Member in Splunk Search 02-27-2020 0 3	0	3