Splunk Search

Ask a Question

Discussions

Thread Info

Extract the second word with the events

All, I'm able to extract the second word but now the requirement is little different. _time _raw Shivera 346.78...

by Explorer in

Convert Time Format

Hi , In splunk query i need to convert time format as below . Current format - 08:09.23 AM, Fri 06/10/2016 R...

by Loves-to-Learn Lots in

How to configure a search for metadata

I have a number of Jenkins jobs for which I would like to create a dashboard with search (pull downs, form fills). Th...

by New Member in

Splunk Query to get time taken by each application in a transaction

Hi All, I am new to splunk. I got a transaction which is flowing through multiple applications. I got a requiremen...

by New Member in

Search the strings that are not available in lookup file

All, I have a question on how to perform a search with the strings that are not available in lookup file.. I ha...

by Explorer in

Regex / Transforms issue.

Hi Regexian Splunkers, I have an event that looks like so: 2020-02-20 20:22:02.202020 test:>"value" test1:>"v...

by Contributor in

How to add 30 day average into Splunk license usage search?

I am using the Splunk 30 day usage search and would like to add the 30 day average into the search and then as on ove...

by Influencer in

How do I get my transaction search to use the first start event as the starting point?

Hi, i have log file and i am using startswith Starting Dispatcher and endswith completed. but some times in the log t...

by New Member in

splunk syntax search a subnet

All, I want search a subnet over all indexes and sourcetypes. The subnet is 5.5.0.0/16 How would the query look so...

by Path Finder in

[subsearch]: Subsearch produced 1313901 results, truncating to maxout 50000

I am getting subsearch error while using the join command in my search. I have to use join command to connect 2 sourc...

by Builder in

Subsearch Help

I have the following search: index="*" sourcetype=endpoints [search index="*" signature="sig_id" | dedup dest | fi...

by Communicator in

"Could not load lookup" error on Indexers

We upgraded our indexers from 6.6.4 to 7.3.3 and now any search gives us: [sptsp005] Could not load lookup=LOOKUP-...

by Engager in

How can I create a time chart grouping the data per 5 minutes, but showing every minute?

Example: _time---value---group 00:01------2---------2 00:02------3---------5 00:03------4---------9 00:04------2--...

by New Member in

Trim braces from a token variable-Dynamic dashboards

Im creating link to different dashboards based on the application clicked on from the main form So i have a variab...

by Path Finder in

Splunk CLI and UI give different search results

I index manually through UI the log file i wish to index (Data Inputs > Add new > Index Once) and select all the conf...

by New Member in

Search for Suspicious Logon Behavior

Hello there. I want to build a query that alerts off when a single source IP or source computer is attempting to logo...

by Explorer in

how can I use dedup command using many fields??

Greetings!! I would like to ask a question about dedup eg: |dedup host ,IP |dedup host |dedup IP I've tried but wh...

by Communicator in

Eval Epoch Duration Time into Human Readable Format

I am using the following query to show the duration of a accounts logon and logoff. The results come back in epoch ti...

by Explorer in

How to store a value in one search and give it to other search

i need to store a numerical value in Energ1 and store a string value in energy1 and use them in the last search ...

by New Member in

Want to understand below condition in Query

Can anyone help me to understand below condition where _time>=if("$field1.earliest$"=="0",1,relative_time(now(),"...

by Communicator in

makecontinuous and fillnull for selfmade date-hour column

Hi, I'm trying to fill empty hours (without events) using makecontinuous. The time column created in the query/ ...

by New Member in

How can I extend the width of my drop down box in my dashboard?

I'd like to extend the width of my drop down box in my dashboard because the source names are quite long and i'd like...

by Communicator in

Extract multiple values when field is in the same log twice

Hi all, I am working with a log that can sometimes have the same field in one log entry more than one time, but wi...

by Path Finder in

How to concatenate a variable number of fields?

I had the next events examples: 2019-09-16T13:27:10.169107+02:00 koopa.browser.local node= koopa.browser.local ty...

by Path Finder in

eval showing in btool props but does not appear in search

Okay I'm pulling my hair out here. I'm playing around with Windows Defender Events, trying to capture them and get th...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Extract the second word with the events

Convert Time Format

How to configure a search for metadata

Splunk Query to get time taken by each application in a transaction

Search the strings that are not available in lookup file

Regex / Transforms issue.

How to add 30 day average into Splunk license usage search?

How do I get my transaction search to use the first start event as the starting point?

splunk syntax search a subnet

[subsearch]: Subsearch produced 1313901 results, truncating to maxout 50000

Subsearch Help

"Could not load lookup" error on Indexers

How can I create a time chart grouping the data per 5 minutes, but showing every minute?

Trim braces from a token variable-Dynamic dashboards

Splunk CLI and UI give different search results

Search for Suspicious Logon Behavior

how can I use dedup command using many fields??

Eval Epoch Duration Time into Human Readable Format

How to store a value in one search and give it to other search

Want to understand below condition in Query

makecontinuous and fillnull for selfmade date-hour column

How can I extend the width of my drop down box in my dashboard?

Extract multiple values when field is in the same log twice

How to concatenate a variable number of fields?

eval showing in btool props but does not appear in search

Can’t make it to .conf25? Join us online!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Index This | How many sevens are there between 1 and 100?

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!