Splunk Search

Community Activity

How to improve efficiency of my regex statement? I have this query \| rex field=_raw "(?ms)^[^\]\n]\]\s+(?P[^:]+)(?:[^:\n]:){2}(?P[^,]+)[^:\n]:\w+=(?P[^,]+)[^;\n];... by JoshuaJohn Contributor in Splunk Search 01-11-2019 0 4	0	4
How do you populate a field if the search time extracted field (using regular expression) is not presented in the logs? Hi All, I am trying to populate a custom field value if my search time extracted field is not present in the raw lo... by raj_mpl Path Finder in Splunk Search 01-11-2019 0 15	0	15
Can you help me create a regular expression to extract 2 values from a string? log1: com.google.AbcdExtension] [mthd] \| null - Bound CLINIC-MBR-GROUP-INC:23490110094900 -- total execution to... by arjun_krishna Explorer in Splunk Search 01-11-2019 0 9	0	9
How do you find consecutive events in two different searches? Hi, This is a newbie question. I have two different searches. I want to combine the search results and only display... by funnysage Loves-to-Learn in Splunk Search 01-10-2019 0 5	0	5
How do you sort dates from newest to oldest in a drop down? I have a drop down which populates the dates in MM/DD/YYYY format, which is an extracted field in the raw data. I wa... by vrmandadi Builder in Splunk Search 01-10-2019 0 10	0	10
SQL Help - pull URL with specific querystrings Consider we have the following URLs http://abc.com/?a=1&b=2&c=3 http://abc.com/?d=1&e=2&a=3 http://abc.com/?f=1&g=2&... by alagiriv New Member in Splunk Search 01-10-2019 0 0	0	0
How come our tstats with datamodel does not group by field? We have an index with quite a few index-time fields, and an accelerated datamodel that adds a calculated field there.... by arkadyz1 Builder in Splunk Search 01-10-2019 0 9	0	9
How do you get counts with wildcards? Suppose I have the following data, but I don't know the GUIDs ahead of time: Path /boat/826ec68b-cc87-41f9-b93b-5bf... by wfresch Explorer in Splunk Search 01-10-2019 0 8	0	8
Events list of append command I have a query like this: first_query \| dedup 1 id \| search action=drop \| stats count by action, destination \| field... by shayhibah Path Finder in Splunk Search 01-10-2019 0 7	0	7
How come our data is not lining up correctly in the following search? I've written a search that charts data into a table. The query extracts run times greater than 25% over its calcula... by fisuser1 Contributor in Splunk Search 01-10-2019 0 1	0	1
Migration Issue We are about to migrate stuff from one cloud env to AWS.. set up is done.. issue is : we have old splunk instance wh... by Amandeepsin New Member in Splunk Search 01-10-2019 0 3	0	3
How to compare data from the same month for multiple years? I am doing a very basic search that just shows the top URIs during a specific month each year. I would like to be abl... by joseph_hazlett Explorer in Splunk Search 01-10-2019 0 6	0	6
"search base=X" not working with append I am using the "search base=X" approach to generate stats. When I try to run two searches using append (or join etc)... by ChrisCLewis Communicator in Splunk Search 01-10-2019 0 11	0	11
Why am I unable to convert _time to epoch with my search? _time 2016-03-02 07:00:13.405 Above _time is the data format in the logs. I need to find difference between a few d... by arunsubram Explorer in Splunk Search 01-09-2019 1 5	1	5
How do you extract everything that ends with a certain word? Hi all, I have this line in the event log ComputerName=sgp1ply1fe01.xxx I want to extract only "sgp1" using rex, ... by Cbr1sg Path Finder in Splunk Search 01-09-2019 0 4	0	4
Heavy forwarders are currently configured to send some palo alto logs to one server1 . Can you please let me know how to forward a copy of that same traffic to different serve2r(indexer), UDP 514? Current forwarding to server1 must remain in place. Heavy forwarders are currently configured to send some palo alto logs to one server1 . Can you please forward a copy ... by srampally Path Finder in Splunk Search 01-09-2019 0 1	0	1
Splunk Map issue when passing token on the kml map i have a plotted the map with the kml files . When i select a value from the dropdown to locate a point in the map, i... by Nadhiyaa Path Finder in Splunk Search 01-09-2019 0 0	0	0
Multiple Outputs - One Fails, Both Fail Hi there, I have a HF which has two outputs - one to a set of Splunk indexers and one to a TCP-based syslog server. ... by jharms70 New Member in Splunk Search 01-09-2019 0 1	0	1
How do I return a field(s) from a specific index, where the query has multiple search indexes? index=security sourcetype=symantec OR (sourcetyoe=WinHostMon (Path="malwarebytes")) \| fillnull value="" \| table H... by mmercola New Member in Splunk Search 01-09-2019 0 1	0	1
run a splunk query using a hyperlink Hi, I am creating a dashboard that will present various aspects of a given session, with the goal being to additiona... by kylegoldberg New Member in Splunk Search 01-09-2019 0 0	0	0
sum an unknown number of fields (with wildcards) I have event like _time host1=1 host2=10 host3=20 _time host1=2 host3=12 host3=30 The number of fields is not defin... by sbsbb Builder in Splunk Search 01-09-2019 1 5	1	5
How to query data that has no value? Hi fellow Splunkers! I'm hoping you can help my manager and I with a certain problem we're trying to solve. We have ... by dscott198 New Member in Splunk Search 01-09-2019 0 6	0	6
Trick to manage business hours / weekdays at search time Hello guys, this isn't a question just a trick  Add this to your query : \| appendcols [\| makeresults \|... by splunkreal Motivator in Splunk Search 01-09-2019 0 0	0	0
How to alert when we are receiving data from hosts that are not in a lookup, or are not receiving data from hosts in the lookup? Hi, We have a lookup table "hostlist" of hosts that need to be present in Splunk. For example host dns1 dn... by mlevsh Builder in Splunk Search 01-09-2019 0 10	0	10
Can you help me with a percentage calculation in Splunk? Hello, I need to do a percentage calculation, but I cannot. I have the data as follows: It is just a field named a... by hjsabdjahbd Observer in Splunk Search 01-09-2019 0 4	0	4