Splunk Search

Discussions

Thread Info

Is there any added benefit in using separate email addresses or indices for RUA and RUF reports?

To anyone that has used Splunk to monitor DMARC: Building out dashboards and reports for DMARC visibility, I've notic...

by New Member in

How to find the event count that are not repeated and repeated events in next consecutive quarter over year ?

I used set diff command, it works fine for less rows. But for my search it terminating and limiting the search result...

by Engager in

How can you add help to a custom search command?

by Communicator in

How do I covert an Object name into columns using a back slash?

Hello Team, Could anyone help me in spiting an Object name into a column name? Like In Query we are getting Obj...

by Engager in

How do I match multiple regex expressions?

I need to run a query that matches multiple expressions from JSON data. This is what I tried, but it didn't work: ...

by New Member in

xml search time extraction not working

Hi, I am trying to extract the field tags and values between the interceptor and \Interceptor tags but am not able to...

by Explorer in

How to convert a number to String?

Can somebody please help me in converting a number back to string?

by New Member in

How do I get a value from a field as described in the following example?

some normal text.......and in between <ns0:ExceptionLog_Action> <ns0:Exception> <ns0:Code>11...

by New Member in

How to report composite transaction breakdown in terms of total, transaction and application duration averages

Given the following log events, how can transaction be used to calculate the average duration of nested overlapping t...

by Explorer in

Can you help me with a query using the streamstats command?

Here is how events are, 2018-12-20T13:38:07.938-0500: 28658.929: [**Dull BC** (Allocation Failure) 2018-12-20T13:...

by Contributor in

I need to display the error message (DC1-4 connect fail host:port Connection refused (Connection refused)) in a column until logs have the info message (DC1-4 connected host:port)

Hi - Need to create a Splunk dashboard for an application. Am very new to Splunk and doesn't have any Splunk e...

by Explorer in

Constructing URL to add a splunk user via REST (or via ansible uri mod)

So I need to add a bunch of local users to Splunk. We are an ansible shop, and we can leverage the uri modue: --- ...

by Builder in

help for opening an apps in nav menu

Hello In an hat apps I have many apps with many dashboards inside each apps From the hat apps nav menu, I want to ...

by Motivator in

Is it possible to use dedup to grab the oldest events rather than the newest?

I would like to dedup a series of events and save the oldest event for each host. Is it possible to use dedup for tha...

by Communicator in

How do you build a lookup table name during runtime of the query?

I have a few lookup tables that I need to query against. For example: LT_type1 LT_type2 Depending on my search,...

by Explorer in

How do you display the ulimit values for a group of servers in a chart so that they can be compared?

index=_internal host=* source=*splunkd.log ulimit is what I found that works. I would to make sure that certain group...

by Explorer in

How come the timewrap command is displaying today's results and not from the value of the day in the timemodifier?

I am using the search below to get a week over week results using Timewrap, but the results shown are from today and ...

by New Member in

How to search to check license usage every hour and send an alert email every 10 mins upon reaching 80%?

How to write a search for License usage to be checked every hour & send an alert email every 10 mins upon reaching 80...

by New Member in

Timechart values not working

I've been trying to chart some data and every way I try, it just doesn't work. I'm able to create a table of my da...

by Builder in

Is there any way to optimize post process searches instead of running them alternately?

Search 1 is : index=reportstore earliest=-28d@d latest=@d sourcetype=reportstore_logs host=denver | eval ReportCre...

by New Member in

Can I replace a string in the logs on the host itself?

So, I have been using Splunk out of the box for a while, but now I would like to do some data massaging before I ...

by Path Finder in

How do you count Unique IDs, in both indexes, based on a specific event?

I am trying to get Unique IDs (appears in both indexes) but I only want to count if there is event_name="AccountFinal...

by New Member in

How do you return only 1 result from a lookup?

I'm enriching my search with a match against a lookup table. However, the lookup returns more than 1 result for each ...

by Explorer in

Difference in _time and _indextime for logs

Hi, We are getting indexing lag in one of our splunk index. There is variation in _index-time and _time hence produc...

by Explorer in

Search From Two Indexes. Applying A Name Referenced By Id On Both Searches.

Hi there, Hoping someone could help me out. I'm currently using the AWS Add-On For Splunk and I wanted to expand t...

by New Member in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Is there any added benefit in using separate email addresses or indices for RUA and RUF reports?

How to find the event count that are not repeated and repeated events in next consecutive quarter over year ?

How can you add help to a custom search command?

How do I covert an Object name into columns using a back slash?

How do I match multiple regex expressions?

xml search time extraction not working

How to convert a number to String?

How do I get a value from a field as described in the following example?

How to report composite transaction breakdown in terms of total, transaction and application duration averages

Can you help me with a query using the streamstats command?

I need to display the error message (DC1-4 connect fail host:port Connection refused (Connection refused)) in a column until logs have the info message (DC1-4 connected host:port)

Constructing URL to add a splunk user via REST (or via ansible uri mod)

help for opening an apps in nav menu

Is it possible to use dedup to grab the oldest events rather than the newest?

How do you build a lookup table name during runtime of the query?

How do you display the ulimit values for a group of servers in a chart so that they can be compared?

How come the timewrap command is displaying today's results and not from the value of the day in the timemodifier?

How to search to check license usage every hour and send an alert email every 10 mins upon reaching 80%?

Timechart values not working

Is there any way to optimize post process searches instead of running them alternately?

Can I replace a string in the logs on the host itself?

How do you count Unique IDs, in both indexes, based on a specific event?

How do you return only 1 result from a lookup?

Difference in _time and _indextime for logs

Search From Two Indexes. Applying A Name Referenced By Id On Both Searches.

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

How to show the line when its value is NULL with ...

Search for triggered save searches and their actio...

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Using Machine Learning Toolkit to detect auth abus...

Splunk Search

Are you a member of the Splunk Community?

Discussions