Splunk Search

Community Activity

List Comparison I'm wanting to find out if it's possible to take a list of items in a text file, conduct a search against that list a... by balcv Contributor in Splunk Search 03-07-2019 0 6	0	6
How do you use fillnull to return a count of 0? I have events that have a value called "Date First Found" that is of the format: "%m/%d/%Y". I calculate the number o... by michael_ermino_ New Member in Splunk Search 03-07-2019 0 2	0	2
With regex, can you help me with a matching issue for a blank space? Hello, I am having an issue with some regex that I wrote. it is working fine except for this blank space. Regex : ... by su_kumar New Member in Splunk Search 03-07-2019 0 7	0	7
Why does my real time search job keeps getting killed? Hi I have a real time search over the past 5 minutes, however it works for 30 seconds an then it dies. any ideas? I... by robertlynch2020 Influencer in Splunk Search 03-07-2019 1 6	1	6
How do you correlate events from two different indexes by date? Hi folks, I have 2 indexes containing information as below: index ABC _time sessionkey ... by ADRIANODL Explorer in Splunk Search 03-07-2019 0 4	0	4
Replication and search factors "not met" We have: - Index Cluster Master - Search head cluster (3 nodes) - Index Cluster (3 nodes) - Heavy forwarder (1 node) ... by davidmills Explorer in Splunk Search 03-07-2019 0 2	0	2
Added _meta to default result in double counts. unable to search data using SPL index=test ssp=3538 following search does return the result index=test ssp=*3538 ... by rbal_splunk Splunk Employee in Splunk Search 03-07-2019 0 1	0	1
What's wrong with my eval case statement? What is wrong with this? \| eval Count=case((sourcetype="input1" OR sourcetype="input2") AND index="foo1", "NA" (sou... by ryhluc01 Communicator in Splunk Search 03-07-2019 0 15	0	15
Field extractions aren’t working as expected since upgraded to 7.2.3 Since upgraded to Splunk version 7.2.3, some fields extractions aren’t showing on the searches properly. In particula... by rsantoso_splunk Splunk Employee in Splunk Search 03-07-2019 0 2	0	2
How to merge remaining fields into a multivalue field after dedup'ing one field? Hi, Just as the question says. My current search results in something similar to this: ip device ----------... by russell120 Communicator in Splunk Search 03-07-2019 0 3	0	3
How to plot a timechart from summary index? Hi, I have a summery index with events like this :- 3/06/2019 00:00:00 +0000, search_name=ABCD , search_now=15519168... by splbsm Explorer in Splunk Search 03-07-2019 1 3	1	3
REST Search API with WHERE condition I'm using Splunks REST API to post a search job and then get the results. Ideally I would like to use a where conditi... by someone4321 Explorer in Splunk Search 03-07-2019 0 6	0	6
Query for eventcount I have a lookup file with indexes in it, I want a query i need the eventcount of the indexes mentioned in the lookup ... by VijaySrrie Builder in Splunk Search 03-07-2019 0 2	0	2
Multiple WHERE's in Query I'm trying to write an ANTLR grammar for Splunk queries and an example of the queries that my system receives is as f... by inovexsean Explorer in Splunk Search 03-07-2019 0 4	0	4
Can you help me create a graph for average calculation of execution time field? Hi all, I would like to create a dashboard displaying average transaction time / day / test type. Tests are running... by htomi New Member in Splunk Search 03-07-2019 0 3	0	3
Cisco Config Regex Before I begin work on what is likely to be a multi-day excursion, I wanted to see if this has already been done. I ... by DBattisto Communicator in Splunk Search 03-07-2019 0 6	0	6
Why does dedup command with sortby parameter in base searches produce duplicate results in Splunk 7.1.4? Good morning, I've noticed a strange phenomenon with Splunk Enterprise 7.1.4 base searches and I wanted to see wheth... by andrewtrobec Motivator in Splunk Search 03-07-2019 0 4	0	4
JSON miliseconds not taken from timestamp Hi! I have a json log and dedicated sourcetype for it. Sourcetype looks like this: [json] disabled=false KV_MODE=jso... by przemysaw Explorer in Splunk Search 03-07-2019 0 3	0	3
Help with regex / replace needed Hello, I have the following event: X Mon Mar 4 19:57:48:935 2019 X *** WARNING => MMX 'EGPH5': mm_diagmode set 0 ... by damucka Builder in Splunk Search 03-07-2019 0 2	0	2
Can you help me with the where command? Hello, I use the seatrch below index="" sourcetype="" \| eval Boot_Duration=coalesce('Durée du démarrage ','B... by jip31 Motivator in Splunk Search 03-06-2019 0 16	0	16
About "https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Configureindex-timefieldextraction#Add_an_entry_to_fields.conf_for_the_new_field". There is following description in this manual. For example, say you're performing a simple <field>::1234 extraction ... by yutaka1005 Builder in Splunk Search 03-06-2019 0 2	0	2
how i can use short for two field? Hello everyone. Want to display the output only for the time which crosses 18 months (earliest time) by rajhemant26 New Member in Splunk Search 03-06-2019 0 2	0	2
Removing Column Headings with Sparkline I have created a search including sparkline: index=_* type="threat" severity="medium" \| stats sparkline count \| ta... by balcv Contributor in Splunk Search 03-06-2019 0 3	0	3
customizing colors of charts Is there any way that I can customize the color of column or bar chart? since I wanted to represent green, yellow and... by mdmaala Communicator in Splunk Search 03-06-2019 0 2	0	2
Pulling multiple Columns from an inputlookup Trying to pull more than one column from an inputlookup. One of the columns maps to a field in the index I am search... by dbturner New Member in Splunk Search 03-06-2019 0 1	0	1