Splunk Search

Discussions

Thread Info

searching events for "was down for" and averaging the time

I have events like the below that are saying when a particular pool member was out of rotation for a particular perio...

by Explorer in

Change order of comma separated names

I have a list of comma separated names (lastname, firstname) that I need to reverse. So "Smith, Suzy" becomes "Suzy S...

by Engager in

Data model - eval expression

I can run the below command in a search successfully - | eval message=replace(Message, "^Installation Succ...

by Explorer in

EVAL for ELSE IF condition

My logic for my field "Action" is below, but because there is different else conditions I cannot write an eval do ach...

by Communicator in

replace join with stats maybe?

Hello guys, I have below query which uses join. I see lots of examples how to replace that with stats, but I am not a...

by Engager in

Add entry data to an alert

I am using the search below | metadata type=hosts | where recentTime < now() - 10800| eval lastSeen = strftime...

by Explorer in

How to resolve SPL fetching more number of data points for indexed data than event data?

Hello All, I have the below SPL to compare hourly event data and indexed data to find if they follow similar patter...

by Contributor in

Get user's search history

Quick question: how can I view a user's search history?

by Builder in

Timechart % failures every 30 mins from nginx access logs

index=myindex source="/var/log/nginx/access.log" | eval status_group=case(status!=200, "fail", status=200...

by Path Finder in

How to add entry of source ip,host from the search or notable into lookup table

Hello Team, Required help regarding below points :1] how to add entry of the ran search with the fields Host, Sour...

by Explorer in

Creating a table with unique rows base upon unique fields

I am relatively new to the Splunk coding space so bare with me in regards to my inquiry. Currently I am trying to c...

by Explorer in

REX: how to search in the opposite direction

I'm new to REX and trying to extract strings from _raw (which is actually a malformed JSON, so SPATH is not a good op...

by Explorer in

how can I tell if a data model is being used?

I have a distributed environment with 2 independent search heads. I run the same search on both, and one shows a fie...

by Path Finder in

Counting how many days users logged into the server for the last 12 months

Hello, I am trying to count how many days out of the last 12 months our users logged into two of our servers....

by Communicator in

Passing token to macro when multiselect

Hi Splunkers, I would like to pass the label value to the macro based on some condition, when a single value is sel...

by Contributor in

IPlocation updated

I need some help updating the mmdb file for the iplocation command. Ive read the other forum questions regarding this...

by Communicator in

Can't seem to understand relative_time

Hi, I am working my way through some of the splunk courses. I am currently on "working with time". In one of the ...

by New Member in

Splunk Append Query

I am using the below query to merge 2 queries using append. However, I am unable to get the value of the field named ...

by Loves-to-Learn in

Regex to extract next 5 lines after keyword

hi i would like some help on how to extract the next 5 lines after a keyword where it extracts the full line where th...

by Path Finder in

Fetching alphanumeric value and numeric values in aline

How to extract alphanumeric and numeric values from aline, both are dynamic values <Alphanumeric>_ETC_RFG: play th...

by Loves-to-Learn Lots in

Apply different calculation count/sum depending on value/index

I have a "cost" for two different indexes that I want to calculate in one and the same SPL. As the "price" is differe...

by Explorer in

Splunk Query to show average count and minimum for date_month and date_day

Hi, I created a column chart in Splunk that shows month but will like to also indicate the day of the week for each o...

by Path Finder in

How to use rex to extract field before two symbols

I have raw data like: Error=REQUEST ERROR | request is not valid.|","time":"1707622073040" ...

by Explorer in

Compare the same search over two different time periods

I have a number of devices that send logs to Splunk. I want to know when devices stop logging. For this example s...

by New Member in

I would like to take the hosts field from the below search and show the most recent event from each host

I created an alert from the search below, and it emails a pdf - is there a way to add the most recent event from each...

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

searching events for "was down for" and averaging the time

Change order of comma separated names

Data model - eval expression

EVAL for ELSE IF condition

replace join with stats maybe?

Add entry data to an alert

How to resolve SPL fetching more number of data points for indexed data than event data?

Get user's search history

Timechart % failures every 30 mins from nginx access logs

How to add entry of source ip,host from the search or notable into lookup table

Creating a table with unique rows base upon unique fields

REX: how to search in the opposite direction

how can I tell if a data model is being used?

Counting how many days users logged into the server for the last 12 months

Passing token to macro when multiselect

IPlocation updated

Can't seem to understand relative_time

Splunk Append Query

Regex to extract next 5 lines after keyword

Fetching alphanumeric value and numeric values in aline

Apply different calculation count/sum depending on value/index

Splunk Query to show average count and minimum for date_month and date_day

How to use rex to extract field before two symbols

Compare the same search over two different time periods

I would like to take the hosts field from the below search and show the most recent event from each host

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Help me with splunk query to monitor CPU and Memor...

How can i export a list of all services in APM

Splunk Answers Content Calendar May 2025!

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!