Splunk Search

Ask a Question

Discussions

Thread Info

How to merge the results from two different indexes/sourcetypes.

Hi, I have two queries, one gives me the test-case names, test-id details and lsf jobid details. Another query giv...

by New Member in

Create search with percent of total

Hi all, Please help me! How to create a search with the percentage of desktops with outdated antivirus. Since even...

by Path Finder in

question about predict

so I have this query that detects anomalies in the errors from a specific source based on the mean absolute value of ...

by Path Finder in

How to sort group by results?

For example: raw data is 100,x,info=1,error=1,warn=1 101,x,info=1,error=1,warn=1 101,y,info=1,error=2,warn=1 10...

by Explorer in

How to write a search using my sample test data to get the expected table of results?

Hi Team, I'm Facing issue in designing a query for the following requirement : Sample data : Test data : ...

by Explorer in

How can I chart queries over time?

I have a query that end with | table jra_conn bam_conn bib_conn jra_conn, bam_conn, bib_conn are not Splunk fi...

by Contributor in

Search taking much time in different app than the search app

I have a Dashboard that when i open in the search app it show the results quickly, but when i open in other one it ta...

by Explorer in

Why do the REST API and Splunk GUI give different results for the same query?

When I run the query search index=* sourcetype="XXX" earliest=-7d@d latest=-6d@d | stats count via the REST API, I ge...

by New Member in

How do I clean metadata after deleting the eventdata for a particular source

Hello, I indexed data using files and directory monitor to index multiple files in a folder. I later deleted the d...

by Path Finder in

How to typecast integer to string and save that to a new field?

I have a numeric field that needs to be string to put be CIM compliant. I tried using tostring, but it still shows up...

by Builder in

Joining multiple tables - about 3 or more tables

I have about 4 different tables that i am trying to join table 1 and table two have a common id, sys_id and whe...

by Explorer in

I'm not able to exclude maintenance time from my events when I use inputlookup. Any tips?

I used this query: index="abc" source="xyz" | search [inputlookup example] | eval End=strptime("End_Date_Time","%Y...

by Path Finder in

return function on field with spaces

Hello - searched, but no answer found. ...| return 10 "Name of Field" Gives: Name="" of="" Field="" I know...

by Explorer in

how to expand multi value fields with different values in column values

Dear Experts, Please provide a valuable solution for my problem. I am having the fields from JSON which is having ...

by New Member in

Can i use comparations and conditional like function with search

Hi team i would like to use something like that | eval foo=if(like(Description,"%[search index=prueba | fields u_i...

by Communicator in

What sort of regular expressions does splunk use?

Just curious about this. Most of the regular expressions I see splunk use look nothing like standard/posix regular ex...

by Builder in

How to write this type of return query?

My query is: search[|inputlookup abc | stats count(Numbers) as sum| eval end=strptime(End_Date_Time,"%Y/%m/%d %H:%...

by Path Finder in

Skipped SavedSearches

Hi! I get sometimes messages that some savedsearches are skipped. The only information what I get is an event i...

by Communicator in

Combine 2 separate searches and display on a single Time Chart

I am trying to combine the results from 2 different search queries into a single time chart. I am using "Shared Time ...

by Path Finder in

Data count issues using | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity") on a .csv to be able to search based on time

Using | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity") on a .csv to be able to se...

by Explorer in

how to expand multi value fields with different formats

Hi , I want to expand as erach event for the attached example

by Explorer in

Search earliest"-10m" based on a datetime field from the event and not from the indexed time

Hi, i want to search the events from the last 10 minutes based on the secondary datetime field from a event. No...

by Explorer in

Show the a particular percentage using Single Value

Hello Splunkers, I've been trying to show in a Single Value Visualization 3 different percentage values. My sea...

by Explorer in

Chart for Events falling within same time

I have events event_starttime, event_endtime, event_duration, event_name I want chart of events falling in common ...

by New Member in

Lookup Tabel with UrLs

Looking for assistance in creating a lookup table with UrLs, my syntax below does not work. Any ideas on how to use a...

by New Member in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to merge the results from two different indexes/sourcetypes.

Create search with percent of total

question about predict

How to sort group by results?

How to write a search using my sample test data to get the expected table of results?

How can I chart queries over time?

Search taking much time in different app than the search app

Why do the REST API and Splunk GUI give different results for the same query?

How do I clean metadata after deleting the eventdata for a particular source

How to typecast integer to string and save that to a new field?

Joining multiple tables - about 3 or more tables

I'm not able to exclude maintenance time from my events when I use inputlookup. Any tips?

return function on field with spaces

how to expand multi value fields with different values in column values

Can i use comparations and conditional like function with search

What sort of regular expressions does splunk use?

How to write this type of return query?

Skipped SavedSearches

Combine 2 separate searches and display on a single Time Chart

Data count issues using | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity") on a .csv to be able to search based on time

how to expand multi value fields with different formats

Search earliest"-10m" based on a datetime field from the event and not from the indexed time

Show the a particular percentage using Single Value

Chart for Events falling within same time

Lookup Tabel with UrLs

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Search for triggered save searches and their actio...

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Using Machine Learning Toolkit to detect auth abus...

Proactively stream data to different index after C...