Splunk Search

Community Activity

Can you help me with my query involving the eval command and strftime? \| eval lastChange=strftime(time_of_last_change,"%m-%d-%y %I:%M:%S %p") \| eval timenow=now() \| eval last1hr=strftime(... by tb5821 Communicator in Splunk Search 11-08-2018 0 5	0	5
How can I do a basic "IN" command in Splunk? I am trying to accomplish a simple "IN" command in Splunk, basically by filtering the result to show only those entri... by hanriv0001 New Member in Splunk Search 11-08-2018 0 5	0	5
Any way to combine these records? SO I understand WHY I get the results I get but I am having a difficult time, most likely due to me, getting the resu... by tkwaller_2 Communicator in Splunk Search 11-08-2018 0 2	0	2
How do you use SED on a heavy forwarder to drop log data after the specified character count? We are going to be pushing our logs through a heavy forwarder, so we have the ability to truncate a certain part of o... by FIS1 Explorer in Splunk Search 11-08-2018 0 7	0	7
\| metadata with powershell Search-Splunk command I am trying to run the following search, which works fine from the regular Splunk search UI, but not in the Powershel... by dchallis2017 New Member in Splunk Search 11-08-2018 0 0	0	0
How can I do different searches based on the inputfield value? Hello everybody, In my dashboard i have two input fields Primary_field =* Secondary field=* my current search looks... by alex_kh Explorer in Splunk Search 11-08-2018 0 3	0	3
How do you assign a value to a field if it is missing the event? I have the sample data which has all the fields like below [11/07/2018 09:59:00] CAUAJM_I_40245 EVENT: ALARM... by vrmandadi Builder in Splunk Search 11-08-2018 0 7	0	7
Can you help me with my python regex expression? I'm new in Python, so i have this string: info1= "Jose Maria Almeida;00351 962341234;1997-12-19" I'm trying to ge... by stewiefre New Member in Splunk Search 11-08-2018 0 2	0	2
When there are duplicate host names, how do you build a search that gets hosts' last activity? We have a bunch of hosts. Some of them are kind of like duplicates in that they are just the host name, and some are ... by CMSchelin Path Finder in Splunk Search 11-08-2018 0 2	0	2
How to compute _indextime-_time difference average with tstats? Hi, I'd like to calculate the average latency (_indextime-_time) with the tstats command, but I can not make it work... by ctaf Contributor in Splunk Search 11-08-2018 0 5	0	5
How can I take date Values as Column Names? Hello , I am writing one query in Splunk to retrieve the events from a JSON log file. I am getting one value of a ta... by darshana2511 New Member in Splunk Search 11-08-2018 0 2	0	2
How can I extract multiple fields and values from the following raw information? I have raw information as follows: Two times Kaspersky output within one 'section' ---------------------------------... by edwinmae Path Finder in Splunk Search 11-08-2018 0 3	0	3
Can you help me extract field and value pairs from a JSON log? Hi at all, I searched through past answers, but I couldn't reach to adapt some of them to my data: I have JSON data... by gcusello SplunkTrust in Splunk Search 11-08-2018 0 1	0	1
How do I use the join command to detect if an item is in one list and not another? Hi I need your help for the following: I have 2 lists: I want to detect when an item is in the list B and NOT in ... by ESMaletMa Explorer in Splunk Search 11-07-2018 0 6	0	6
Can you help me with a query I have for an alert? Hello experts, I am new to Splunk. I have a file with below values. I have Indexed time as well. I need to write a ... by naomibn Explorer in Splunk Search 11-07-2018 0 1	0	1
How to change table header after using transpose command? Hi I am using transpose command (transpose 23), to turn 23 rows to column but I am getting table header as row 1, row... by marellasunil Communicator in Splunk Search 11-07-2018 0 7	0	7
Can you help me figure out why one of my table columns contains no values? index=monthly_budget \| chart sum(TOTAL_BUDGET) over sports_category by department limit=0 \| transpose 0 header_field... by rajyah Communicator in Splunk Search 11-07-2018 0 11	0	11
How do you convert a month number to a month string? Some timestamps use month numbers like "11" rather than strings like "Nov". I'm using this eval to make the conversi... by sph0lt0n Engager in Splunk Search 11-07-2018 0 1	0	1
Preserve host field under a new name while doing custom host extractions Hi, we are receiving log data from various network devices on a syslog server. This log data is then forwarded to ou... by HansWurscht Path Finder in Splunk Search 11-07-2018 1 5	1	5
Distinct values from XML array in timechart I am looking at an XML response from an API that contains an array of messages. I want to timechart the messages for... by jonathanoberhau New Member in Splunk Search 11-07-2018 0 0	0	0
How do you extract multiple key value pairs within a raw field? Hello, I want to extract key value pairs from logs that contain a particular search string. Here is the example of ... by ameyapatil29 Explorer in Splunk Search 11-07-2018 0 4	0	4
I need to alert when one value from last 24 hours multiplied by 2 differs from dedup of 2 fields from the past 60 minutes I have 36 servers that forward event sources with 2 distinct values. I need to compare the number of system names (fr... by dorgra Path Finder in Splunk Search 11-07-2018 0 3	0	3
To Rex or not to rex? Hi All, Hope your having a great Day.. I have a dilemma ! I have the following log extract where i want to timeline... by luckyman80 Path Finder in Splunk Search 11-07-2018 0 3	0	3
Lookup + Summary Index: how to keep all the fields from the original event? Hello there! I am using Splunk Enterprise 7.2.0. I am trying to set up the following flow: I have an index called r... by orinciog New Member in Splunk Search 11-07-2018 0 4	0	4
Tstat search taking a long time - "IO" "CPU" and "Disk Access" all very low - What can i do? HI I am running a BIG TSTAT search off a Datamodel - The bottle neck is dispatch.stream.local + dispatch.fetch (I ha... by robertlynch2020 Influencer in Splunk Search 11-07-2018 0 3	0	3