Splunk Search

Discussions

Thread Info

Event breaking help with props.conf

I have a sourcetype that I'm working with and trying to break up the events by any line that says "Job start time: yy...

by Communicator in

Any way to break this row into two columns?

I am setting up a dashboard that monitors count of events on a daily basis and a previous 30 day average by customer....

by Path Finder in

iam receiving a message unbalanced quotes , i tried using back slash

| eval e="$time_token.earliest$", l=$time_token.latest$"| eval e=case(match(e,"^\d+$"),e,e="" OR e="now" , "0" , true...

by Explorer in

Creating a custom SourceType with multiple delimiters (35 fields)

Hi all, I've searched around a bit and I can't seem to find the answer after failing to figure it out myself. T...

by Explorer in

query running using KV store is taking logn time

Hi , I have a scenario where i am using KV store to get the events generated. But my query is taking 5hr to run w...

by Path Finder in

Why is my search using "mcollect" command causing the following error: "Error in 'mcollect' command: Must specify a valid metric index"?

In my query before, I was using the outputcsv search command, and then I had a monitoring input stanza to upload it t...

by Builder in

Is it Possible to create the Scatter_Line Chart in Splunk?

We have the Actual Generation Data from the Machine and also having the Set Points of the Particular Parameter. we...

by Path Finder in

Splunk platform release notes

I was going through the Release note which was updated into Splunk Docs recently. https://docs.splunk.com/Documentati...

by Communicator in

how to extract all values separately suing rex command

hi, i have a string like: AAA TEST BBB 1000 CCC DDD EEE FFF GG 11111 i need to extract all the values separately a...

by New Member in

Problem to indexer a multivalue field too longer

Hi everybody Trying to index a multivalue field with more than 6000 characters approx. With the same sourcetype we ha...

by New Member in

crud in lookup

Hi all, I am trying to do crud of a lookup. I ahve been following this link:- https://www.hurricanelabs.com/splunk-tu...

by Path Finder in

Why is multiline regex blacklisting all events for specifically 4656 only?

Hi All, I cant seem to get this right. I am trying to use regex to blacklist 4656 events where: The account name ...

by Path Finder in

Regex by ID removing duplicates

Hello everyone. I have a code below where each event is determined by the line break. I am wanting to take the val...

by Path Finder in

How to search syntax to exclude dhost or URL

New to Splunk here. Trying to run a search for user BLAHBLAH that does NOT contain dhost of api.drift.com Would someo...

by Path Finder in

How to adjust search to include names that are also hyphenated

We ingest patient records into Splunk and some compliance users need to search to see if an employee accessed records...

by New Member in

How to find a follow-up event after certain interval

Say, when a user connects his VPN, it will do policy checking (event--> policy_checking) and within 5 minutes will be...

by Path Finder in

Searching in multiple indexes

I am trying to create a search to do the following: 1) Look in a table where information is tagged in a certain wa...

by Contributor in

How to combine duplicate Latitude and longitude values in the stats tale of a cluster map

I just want to clean up my search of 'noise'as my stats table gets populated by duplicate values from the save latitu...

by Engager in

Generate percentage and filter based on it from events with count in them (so I cannot use "top")?

Hi Experts, I need to create a alert , if HTTPCode_Target_5XX_Count is greater than 5% of Total count then i need to ...

by Path Finder in

[tpl10082inf63] Field 'total' does not exist in data

Hi, I am using below query. I am getting data but in chart i am getting warning '[tpl10082inf63] Field 'total' does n...

by New Member in

How come a specific macro ends up in generic searches and breaks some of them?

We use the TA-Varonis-DatAlert and it creates the varonis_index macro defined as index=*, which is global. When ru...

by Motivator in

Reporting on VM capacity over time

Date, VM1, VM2, VM3, VM4 5/1/2019 100, 100, n/a, 450 6/1/2019 100, 140, n/a, 450 7/1/2019 105, 200, n/a, n/a 8/1/2019...

by Contributor in

Can I fill a null value with another field's value in the event?

I have seen two other related questions but neither of the answers have worked for me. Data: Events with a cont...

by New Member in

Count of distinct values for emails

I have events coming in from an email spam appliance and would like to have an alert on spam campaigns with a unique ...

by Engager in

Why is this regex pattern breaking after adding a few more characters to expression

I have the following sample text that's embedded inside a log: (Response=200) {"log":{"properties":"rob"}} ...

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Event breaking help with props.conf

Any way to break this row into two columns?

iam receiving a message unbalanced quotes , i tried using back slash

Creating a custom SourceType with multiple delimiters (35 fields)

query running using KV store is taking logn time

Why is my search using "mcollect" command causing the following error: "Error in 'mcollect' command: Must specify a valid metric index"?

Is it Possible to create the Scatter_Line Chart in Splunk?

Splunk platform release notes

how to extract all values separately suing rex command

Problem to indexer a multivalue field too longer

crud in lookup

Why is multiline regex blacklisting all events for specifically 4656 only?

Regex by ID removing duplicates

How to search syntax to exclude dhost or URL

How to adjust search to include names that are also hyphenated

How to find a follow-up event after certain interval

Searching in multiple indexes

How to combine duplicate Latitude and longitude values in the stats tale of a cluster map

Generate percentage and filter based on it from events with count in them (so I cannot use "top")?

[tpl10082inf63] Field 'total' does not exist in data

How come a specific macro ends up in generic searches and breaks some of them?

Reporting on VM capacity over time

Can I fill a null value with another field's value in the event?

Count of distinct values for emails

Why is this regex pattern breaking after adding a few more characters to expression

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

In Splunk studio, is it possible to populate a tex...

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

Splunk Search

Are you a member of the Splunk Community?

Discussions