Splunk Search

Discussions

Thread Info

need help with rex to extract responseMessage as ==> Declined - Do not Honor so that I can stats count by rspCode and respMesage with detail

2019-12-03 17:31:27.633 INFO ,aabbe872bbf3f848,aabbe872bbf3f848,false] 15 --- [nio-8080-exec-5] c.u.f.p.api.impl.: In...

by Explorer in

How to regex over nested jsons with foreach and rex?

Hi everyone, Currently I have a log record in the form of nested jsons, not arrays of jsons: {"root_key": {"sub...

by Engager in

Static field value

I have created a dashboard to show windows server uptime. Now I would like to add application name of all servers....

by Path Finder in

How do I make my lookup file public?

I'm a Splunk n00b, apologies. How do I make my csv lookup file public so other people can use it??? Editing my Job...

by Path Finder in

Event timestamp behavior is inconsistent when DATETIME_CONFIG = NONE

I want to use a file's modification timestamp as the Splunk timestamp for the events it contains. Accordingly, I've s...

by Splunk Employee in

Calculate percent of missing events

I swear I have done this before but I want to use the existence of events from a log file to calculate if the service...

by Builder in

Mapping by Zip code

When I am trying to map by Zipcode I get the stats table to genereate but when switching to geostats it takes 4 resul...

by Loves-to-Learn in

How can I define column-color when I do not know in advance what my fields are named?

I want to query data collected from running containers, indexed into a data set. The particular results will be prese...

by New Member in

Need help visualizing a search which contains a main query, then a small subset of the main query and putting this all in one visualization

Basically, I am trying to visualize all events which match up to the initial query, and provide a bar graph output. T...

by Engager in

Chunked=True SmartStreamingCommand to support large data sets - requires change to internals.py - remove flush at maxresultrows

To support large dataset (1mil + rows) using custom commands and Chunked=true I implemented SmartStreamingCommand ...

by Path Finder in

URLDECODE

I would like to know how can I use the urldecorder command for all URLs in the reqHdr.referer field (Akamai) index...

by Explorer in

Append Search Performance Slow

Hi, I'm trying to create a search that returns certain hosts that are NOT found returning data. I know I can do this ...

by Contributor in

How to pass Appname in query ?

Hi, can appname be passed in the query ? I have 2 different app names in splunk and need to pass them in queries A...

by Explorer in

What's the difference between using "By" and having another field in top command?

Don't have a specific example, but would like to understand for my education. For example, I don't understand what...

by Path Finder in

How to compare list of hosts?

I have a large amount of hostnames and IP's (approx. 1850) I need to validate are sending logs to Splunk. I do not be...

by New Member in

Subsearch or ‘let stats sort it out’?

Hey folks. Help! I have two indexes. Index 1 - Contains an authoritative list of AWSconfig accounts it.index 2...

by Explorer in

Is there a reference for the syntax of configuration files?

The pages in [this section][1] give some pointers about what syntax is allowed, but I cannot find a full reference. I...

by Explorer in

append command is not working

Hi All, Updated I have 70,535 records in first query and 201776 from second query. when i am append these two s...

by Motivator in

コマンド制限について

「sort 0」や「join max=0」などコマンドに件数制限がかかっているケースが見受けられれます。上記は制限解除のオプションは用意されていますが、制限を解除することでの影響はあるのでしょうか。制限以上件数に見合う速度や負荷以...

by Loves-to-Learn Lots in

Setting earliest and latest.

I want to search data from "earliest" to "earliest" + 5 minutes later. How should I implement it ? I tried the ...

by New Member in

How to trigger alert only when the result is changed?

I want to trigger an alert only when the results are changed. The frequency of my alert is 15 mins, So the next Alert...

by Loves-to-Learn in

help on where command which is malformed

hi I have an issue in the where command below (The expression is malformed) What is the problem please?? | eval...

by Motivator in

Show a message even when no events are returned using Sttats with by clause

Hi All, I have situation where I want to show a message instead of empty cell. I am using below query to get so...

by New Member in

Calculate the difference between two time fields within a single event

I have two time fields in a single event that I need to calculate the difference between and then display said differ...

by Engager in

How do I get a distinct value count from two fields?

I have two different fields (DB_INSTANCE_NAME & INSTANCE_NAME ) in two source types. These fields contain a similar v...

by Communicator in

Get Updates on the Splunk Community!

Splunk Search

Discussions

need help with rex to extract responseMessage as ==> Declined - Do not Honor so that I can stats count by rspCode and respMesage with detail

How to regex over nested jsons with foreach and rex?

Static field value

How do I make my lookup file public?

Event timestamp behavior is inconsistent when DATETIME_CONFIG = NONE

Calculate percent of missing events

Mapping by Zip code

How can I define column-color when I do not know in advance what my fields are named?

Need help visualizing a search which contains a main query, then a small subset of the main query and putting this all in one visualization

Chunked=True SmartStreamingCommand to support large data sets - requires change to internals.py - remove flush at maxresultrows

URLDECODE

Append Search Performance Slow

How to pass Appname in query ?

What's the difference between using "By" and having another field in top command?

How to compare list of hosts?

Subsearch or ‘let stats sort it out’?

Is there a reference for the syntax of configuration files?

append command is not working

コマンド制限について

Setting earliest and latest.

How to trigger alert only when the result is changed?

help on where command which is malformed

Show a message even when no events are returned using Sttats with by clause

Calculate the difference between two time fields within a single event

How do I get a distinct value count from two fields?

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

In Splunk studio, is it possible to populate a tex...

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

Splunk Search

Are you a member of the Splunk Community?

Discussions