Splunk Search

Ask a Question

Discussions

Thread Info

How can I break events in my search?

Hi, Trying to break events and can't figure this one out. I receive a bunch of events in a single line, I want to ...

by Path Finder in

Why are users getting different data for the same query?

I recently overheard someone asking this and I thought it was worth reposting on here for others' benefit. Essenti...

by Splunk Employee in

How to outputlookup historic IP activity / userID and create an alert that will occur if the IP address is not on the historic IP activity list?

I am trying to monitor an application where remote users with different GeoLoc(s) and unique sourceIP(s) login and in...

by Builder in

What is the difference between rare vs stats values(field) count?

Hi, I'm trying to find least common agent useing two commands: 1) sourcetype=access_combined| rare useragent 2) s...

by Explorer in

Automatic Lookup not working

I've followed http://docs.splunk.com/Documentation/Splunk/latest/User/CreateAndConfigureFieldLookups and looked at pl...

by Explorer in

Perform stats count based on the value of a field

What I am looking to do is something of this nature: | stats count(eval(if(action=success))), count(eval(if(action...

by Explorer in

Display hosts with no data

Currently, I have a search where I'm looking for a specific string in a set of logs across a large number of hosts (6...

by Path Finder in

Splunk SH Cluster with HAProxy configuration

FYI, posting our config setting to make a 3-node Splunk SH cluster work with HAProxy (1.5.18) using pure TCP and usin...

by Path Finder in

How to drill down with readable format of date and NOT EPOCHs?

I have a search index=abc sourcetype=xyz | bucket created_time span=1w | stats count by date_epoch | eval date_rea...

by Path Finder in

How to merge eventcount output of indexes with stats call to max(_indextime)?

I want to query splunk so that it can find all index names that do not have _ at the beginning and query for the max(...

by Engager in

Conditional Eval based on value in the field

I am trying to use transaction command to correlate two event types. I need to correlate events based on value in "id...

by New Member in

incomprehensible value of Scancount

Hi, I have this SPL request in a search : index=<my_index> (url_host="yqe-tractors.stenchkrzl.xyz" OR url_host=...

by New Member in

What will be the Regex for the below?

How to capture all the below in one variable using Regex. Below is the sample. Each line is a separate value and in a...

by Communicator in

Combining field names into one new result name

Hi, I'm trying to combine results of varying operating systems into one, for example: Microsoft Windows Server ...

by New Member in

INDEXED_EXTRACTIONS error in splunkd.log

Can you please advise, what do I do if my Splunk complains often (every couple minutes) in splunkd.log in production ...

by Path Finder in

How to get an accurate count of total users logged into Splunk today?

Hi, I am planning to display the distinct count of users logged into Splunk today. I came across, following two se...

by New Member in

Display search result as a read-only text box or a small sized table

I have a dashboard with a drop-down that will have a list of values populated to it. When the user selects a value fr...

by Communicator in

Why am I getting an error on this timechart syntax when trying to display two curves?

Hello I need help to display two curves in my chart and the 2 curves refer to host="$field1$ and host="$field2$ So I ...

by Motivator in

How to remove a row from lookup table and update it?

Hi, I wonder whether someone may be able to help me please. I have created in a separate search with a lookup tab...

by Path Finder in

How to get 3rd word using regex?

Hi, City:{city1: 4, city2: 3, city3: 2, city4: 5} I used this regex to get the 3rd word from the above line: (...

by Path Finder in

How to outputlookup historic IP activity / userID and create an alert that will occur if the IP address is not on the historic IP activity list? (PART 2)

I created this PART 2 as the previous thread is getting long. Recap: I am trying to monitor login behavior to an o...

by Builder in

Sub Search Limit

Any ideas on how I can get around the 10k subsearch limit? This search is quick, and works fine, however I'm hitting ...

by Communicator in

Why is stats avg() not putting in zeros by _time?

I am trying to see the average users by day but when there are no events or users for a certain day the _time field d...

by Communicator in

How to plot a chart or graph based on the number of 500 errors occured for services?

I have extracted the 500 error as "server_error" and I want to count the total number of server_error by host and sho...

by New Member in

continue search logic when first search returns 0 results

Is there a way I can continue my search when first search returns 0 events. Returning 0 events is a valid scenario in...

by Contributor in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How can I break events in my search?

Why are users getting different data for the same query?

How to outputlookup historic IP activity / userID and create an alert that will occur if the IP address is not on the historic IP activity list?

What is the difference between rare vs stats values(field) count?

Automatic Lookup not working

Perform stats count based on the value of a field

Display hosts with no data

Splunk SH Cluster with HAProxy configuration

How to drill down with readable format of date and NOT EPOCHs?

How to merge eventcount output of indexes with stats call to max(_indextime)?

Conditional Eval based on value in the field

incomprehensible value of Scancount

What will be the Regex for the below?

Combining field names into one new result name

INDEXED_EXTRACTIONS error in splunkd.log

How to get an accurate count of total users logged into Splunk today?

Display search result as a read-only text box or a small sized table

Why am I getting an error on this timechart syntax when trying to display two curves?

How to remove a row from lookup table and update it?

How to get 3rd word using regex?

How to outputlookup historic IP activity / userID and create an alert that will occur if the IP address is not on the historic IP activity list? (PART 2)

Sub Search Limit

Why is stats avg() not putting in zeros by _time?

How to plot a chart or graph based on the number of 500 errors occured for services?

continue search logic when first search returns 0 results

Preparing your Splunk Environment for OpenSSL3

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Using Machine Learning Toolkit to detect auth abus...

How to check MQ reconnects after a connection is d...

I cloned HTTP traffic collection from Splunk Strea...

Proactively stream data to different index after C...

Write Splunk log with Laminas