Splunk Search

Community Activity

What is better for the conversion, eval or convert? We wonder what is better for this query - index=_audit action=alert_fired ss_app=<app name> \| stats count as Total... by danielbb Motivator in Splunk Search 12-03-2019 0 2	0	2
Format table field with a space in the column name I would like to use the Simple XML format rule to specify the formatting of table columns as documented here, e.g.: ... by helge Builder in Splunk Search 12-03-2019 0 7	0	7
Splunk HELP - How to stats based on each value in array field Hi Team, I have several fields which values are array. For example, event1: ktf2="[Background_Criteria,Profile_Cr... by cheriemilk Path Finder in Splunk Search 12-03-2019 1 1	1	1
Converting @d for eval command I am trying to use the token passed through the time input in a dashboard to a search query. In this specific example... by kunwarjit Engager in Splunk Search 12-03-2019 0 3	0	3
How to create an alert for a log that does not update for X amount of hours I have the following as my search but wanted to see if a log does not update for X hours then send an alert. If the l... by ryangillan Explorer in Splunk Search 12-03-2019 0 5	0	5
[7.3] Index Selection for roles does not show all indexes upgraded to 7.3 and they can no longer see all 208 indexes that we have when editing roles. When you edit a role and... by sylim_splunk Splunk Employee in Splunk Search 12-03-2019 0 4	0	4
How to extract a field from IBM Informix schema with Splunk? Hi, I have IBM Informix schema and want to extract data with Splunk from it like this: table name \| Index \| Trig... by indeed_2000 Motivator in Splunk Search 12-03-2019 0 16	0	16
Why are there errors when resolving missing lookup tables/fields? I'm having errors resolving several missing lookup tables. Any help to resolve these will be appreciated. The lookup... by afolabia Path Finder in Splunk Search 12-03-2019 0 2	0	2
Delay in search time field extractions on search head cluster I have a three-node search head cluster, when I create a field extraction through the GUI, it takes hours for it to b... by ehowardl3 Path Finder in Splunk Search 12-03-2019 1 4	1	4
Splunk 8 - TSTATS WHERE IN () does not work with CIDR Providing Splunk 8 the following: \| tstats allow_old_summaries=t count from datamodel=Network_Traffic.All_Traffic w... by samsonusmc New Member in Splunk Search 12-03-2019 0 1	0	1
Splunk Events Do Not Show for recent dates Hello, I am using the rex command to extra information on the automation and having it count the number of times a ho... by harshparikhxlrd Path Finder in Splunk Search 12-03-2019 0 4	0	4
What is my best approach to creating a expand / collapse feature on my dashboard? I've only been "Splunking" for about a month now so I am pretty new to this. I want to add a button to expand certa... by bmendez0428 Explorer in Splunk Search 12-03-2019 0 0	0	0
how to get count numbers based on the values I have the following fields: x, value, I want to get number that count by value of x. for example : 267 is the small... by jenniferhao Explorer in Splunk Search 12-03-2019 0 4	0	4
Assemble many events into a particular visualization So I already have a set of data that I can access and on which I build a chart. Under, you will find my actual resul... by adrien_dereumau Path Finder in Splunk Search 12-03-2019 1 5	1	5
DHCP lookup to output fields for user, mac based on IP Address by lease time for all sourcetypes Hi, I was wondering if anyone could help with this problem. I have created a lookup for DHCP logs which consists of ... by nathanluke86 Communicator in Splunk Search 12-03-2019 0 5	0	5
Can we set API V2 custom_detail fields within a splunk query in enterprise? Hi Splunk enterprise. We currently have many event rules to manage from various sources in PagerDuty, the issue we ... by yimcam1980 New Member in Splunk Search 12-03-2019 0 0	0	0
can some one explain me the function of the below code in specific \| eval created_upper_token=if("$time_token.latest$"="" OR like("$time_token.latest$","%now%"),"@s","$time_token.lates... by pavanraghav Explorer in Splunk Search 12-03-2019 1 3	1	3
When main query return 0 results, how to stop subquery give error? In my subquery, I'm using results returned from main query, when main query have results it works. But when main quer... by xiaoyunwuxie Explorer in Splunk Search 12-02-2019 1 7	1	7
Help creating a table that shows unique events from last 24hrs, that have not occurred within the last 30days Hello, I have an index with ALPR (license plate) data. I'd like to create a table, that shows unique plates detected... by JAvnaim Explorer in Splunk Search 12-02-2019 0 2	0	2
Join 2 large tstats data sets I need to join two large tstats namespaces on multiple fields. For example, I have these two tstats: \| tstats count... by btorresgil Builder in Splunk Search 12-02-2019 2 10	2	10
How to find a host which is missing a specific value? Hi all, My question is focused on open ports but the condition applies to a wide range of scenarios. My question is ... by galindimitrov Explorer in Splunk Search 12-02-2019 0 10	0	10
Limiting duration to 2 decimal places (without round function) Hello, I was using the round function in my search to limit the results to 2 decimal places. I have gotten it to wor... by harshparikhxlrd Path Finder in Splunk Search 12-02-2019 0 1	0	1
Can anyone suggest how I can create a join query using pattern Eg eg in fuse.log I have a entry like userId=abc while in access.log i have entry like sessionid-12232 \| abc \| xyz O... by ayush8878 New Member in Splunk Search 12-02-2019 0 5	0	5
Field extraction not working (props.conf) I have one props placed in location , opt splunk etc apps appname local props Below is the code [db_accounts] ... by pal_sumit1 Path Finder in Splunk Search 12-02-2019 0 1	0	1
How to remove a row in a table _time A B C D 6:05 1 1 5 8 6:10 0 3 2 2 6:15 5 0 6 2 6:20 8 9 2 7 6:25 9... by kishan2356 Explorer in Splunk Search 12-02-2019 0 4	0	4