Splunk Search

Discussions

Thread Info

How to create a regex that extracts date and time from the description field?

I have 1000 of text entities under the description field, and I want to write a regex for it and put to a different e...

by New Member in

see results of a rex command

i have this rex code to extract the string from an event field: | rex "(?\d{1,2})\s+hours?\s+ago" | eval process=...

by Explorer in

Eval Statement for today plus 7 days?

All, Quick one I am stuck on. I want an EVAL statement that takes _indexedtime and adds 7 days to it and creates ...

by Builder in

Query to get results from multiple indexes?

I've 2 indexes "abc" and "def". There is a field "account_number" in index "abc" and a field "Emp_nummber" in index "...

by Explorer in

error: 'lookup-table-files': File is binary and not gzipped

Hi, I am trying to add a new lookup table using the GUI and get the above error. I looked at the file with a hex edit...

by Explorer in

SPL query to replace ALL values in a field with "Hello World"

I'm trying to write a simple query to replace all of the values in a field (let's call this field my_field) with a si...

by Path Finder in

Help with count of specific string value of all the row and all the fields in table

Hi Team, I With reference to the screenshot, the part of the table which is highlighted in yellow is what I...

by Communicator in

statement optimization because the link is the same for more condition. I like to use or operator

how can i optimize this statement : <condition field="title"> <link> <![CDATA[/app/we...

by New Member in

Calculate total and average and display the results in single column

Having the following search result, I need to calculate total for few rows and average for few rows and both results ...

by New Member in

Extracting words in a string with regular expressions

Hi, I'm struggling to get a regular expression for characters in a string. https://status.aws.amazon.com/rss/#e...

by Path Finder in

How can we convert a time from EST to UTC in Splunk search?

A user tells us - -- I need to convert time value from EST to UTC in Splunk search. Is there any function availab...

by Motivator in

How to set field in subsearch?

Hi, how to a must write search then set fields from general search to subsearch? Example: index=name host=thishost | ...

by Engager in

How to dynamically change the number of rows in a table - This was working using input token in 6.6.1, now is unreliable in 7.2

I have been using inputs to allow users to select the number of rows in a table. This has been working well, with...

by New Member in

How to extract field from Windows event log

The event I have is from a windows event log and AppLocker See below: LogName=Microsoft-Windows-AppLocker/EXE a...

by Path Finder in

how to fillnull json value pair using spath or some other command

<notification-list xmlns="http://www......./restful/schema/response"> <added-instance preexisting="false"> <alarm id=...

by Communicator in

Any better way to rename

Hi this is my data structure, i'm trying to rename clk1 , clk2, clk3 as something like this | rename clk* as * Bu...

by New Member in

Throttle Alerts for a table of results until end of the current day

I am trying to setup an alert which will run every hour and considers the data from the start of current day(earliest...

by Path Finder in

InnerSearch not creating columns with eventstats

I want to get the result and divide it into three sections as three-column such as last 15 min result, avg of 7 day a...

by Loves-to-Learn Lots in

Eval subsearch give error when result not found

Hi, my search is the following | inputlookup genesis.csv | eval _time=now() | eval field1=[ | inputlookup look...

by Engager in

Search Optimization saved search using time vs where clause

I currently have a search, which takes 5 minutes to complete, I did not write the search query, and would like to see...

by Explorer in

Can you help me with the following issue involving the mvexpand Limit (Total Output Limit)?

I like and need mvexpand to work with some of my data. Sometimes, our input events contain information about mult...

by Path Finder in

How to combine multiple searches to get result

Ex: index=newIndex host="1.12.123.4*" "Field"="abcd"| stats count as totalcount | where totalcount >= 10 ...

by New Member in

How to get a distinct count of only unique values of a field

So I'm trying to get a distinct count of source mac addresses by device. The srcmac gives me the mac address The ...

by Communicator in

How to replace any multi values found in search result with true and if the value is null replace with No

Hi there! I am updating my question: Below is the scenario where I wanted to see what are the servers got patched sin...

by Explorer in

How to extract a string from an event?

Hello, I am very new to Splunk and I would like some help in doing this. I need to extract from this field: Event 1 h...

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to create a regex that extracts date and time from the description field?

see results of a rex command

Eval Statement for today plus 7 days?

Query to get results from multiple indexes?

error: 'lookup-table-files': File is binary and not gzipped

SPL query to replace ALL values in a field with "Hello World"

Help with count of specific string value of all the row and all the fields in table

statement optimization because the link is the same for more condition. I like to use or operator

Calculate total and average and display the results in single column

Extracting words in a string with regular expressions

How can we convert a time from EST to UTC in Splunk search?

How to set field in subsearch?

How to dynamically change the number of rows in a table - This was working using input token in 6.6.1, now is unreliable in 7.2

How to extract field from Windows event log

how to fillnull json value pair using spath or some other command

Any better way to rename

Throttle Alerts for a table of results until end of the current day

InnerSearch not creating columns with eventstats

Eval subsearch give error when result not found

Search Optimization saved search using time vs where clause

Can you help me with the following issue involving the mvexpand Limit (Total Output Limit)?

How to combine multiple searches to get result

How to get a distinct count of only unique values of a field

How to replace any multi values found in search result with true and if the value is null replace with No

How to extract a string from an event?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

In Splunk studio, is it possible to populate a tex...

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

Splunk Search

Are you a member of the Splunk Community?

Discussions