Splunk Search

Ask a Question

Discussions

Thread Info

Getting values from a field and comparing them

I have the following query: index=source sourcetype=type_example | bin _time span=5m| eval TIME=strftime(_time,"%...

by Explorer in

Is it possible to combine multiple rows in a lookup table?

Hello, I use a dbxquery to import asset’s tags which includes information about asset’s category, business unit an...

by Communicator in

How can I display my data in a bubble chart?

I am running the following search: "authentication failed" | stats count by user, sourceip | sort -count | head 10...

by Explorer in

How to count stats for two different field logs coming from the same device by using the OR command?

I have two different fields in logs coming from the same device. I want to count that stats for both fields by using ...

by Explorer in

rex to extract field from csv

Hi, I want to extract below fields First 5 fields are automatically extracted by splunk witihout any issues. But ...

by Communicator in

How to add the regex in datamodel and use in tstats?

Want to add the below logic in the datamodel and use with tstats | eval _raw=replace(_raw,"\","null") |rex "Netwo...

by Path Finder in

how can we set the default search mode to verbose always. Can we set it from a config file.

Am running the calling the query from and SDK. Splunk returns results in Verbose mode. But it does not return results...

by Path Finder in

create a drill-down multiple condition

Hello, Is it possible to set a drill-down condition only for the cells of a specific column but to exclude one cel...

by Path Finder in

How to search complex string

Hello, In my Splunk dashboard I have a table that contains the following: <table> <search> <query> ...

by Path Finder in

Reading fields with periods in them using Python SDK

I have a Python script that runs Splunk queries. Another team at my company changed their fields to have many, many p...

by Builder in

Searches are terminating with Unknown sid and The search job “xxxxxxxxxx.xxxxx” was canceled remotely or expired.

When running a search which takes longer than a couple of seconds to complete, I suddenly see the following error mes...

by Explorer in

What does format do after a table lookup

I inherited a search that contains he following line; [| inputlookup <lookup table name> | format ] and I can'...

by Builder in

Microsoft DNS Query not parsing

Hello, Here is what my dns queries are being indexed as. I am looking for a search time regex that will extract th...

by Path Finder in

How to list the difference between two searches

I currently have two searches that produce two different numbers: |metadata type=hosts |search host=abc1* or host=abc...

by Loves-to-Learn in

Is there any limit for field value for the transaction command?

Hi, Is there any limit for field value for transaction command? I am executing transaction command over Securit...

by Explorer in

Timechart question

I am currently running this search: index=events host=hig1* or host=hig2* | timechart span-1d dc(host) the sea...

by Loves-to-Learn in

Event Time is less then 10 min old

Hello I'm a splunk newbie, be gentle please. I'm try to monitoring my VPNs status with splunk, unfortunately my fi...

by Explorer in

Active computers reporting to splunk last 30 days

I would like to know how to search for all computers that are reporting to Splunk in the last 30 day. Thank you

by New Member in

Avoid rows less than certain number of alerts

basic search | timechart span = 5m count by host | where count > 3 for today 10% of the time,the count is greater ...

by New Member in

Is there any way to restrict searches based on user's source IP address?

Is there any way possible to restrict searches based on source IP of splunk user? Current environment is Splunk En...

by Builder in

How to fix firewall data Parsing issue from the syslogs?

Hi All, We are facing an data parsing issue with the check point firewall logs. Problem Details : index=fi...

by Motivator in

Using like() in a case statement not working

Hey everyone. I am working with telephone records, and am trying to work around Splunk's inability to search for lite...

by Builder in

Pass a value from a macro to a subsearch after doing a join

Hi , I have a macro which gets values including host,now i do a left join .Once i do a left join in the subsearch ...

by Path Finder in

Count days without events

Hello, I'm trying to get the sum of days where no events occurred by a city name. I found the following answer ...

by Engager in

Why is Eventstats and Subsearch adding non-existent values to the table?

My data is structured in a way that there exists multiple types of events, each with a specific id field that is uniq...

by Communicator in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Getting values from a field and comparing them

Is it possible to combine multiple rows in a lookup table?

How can I display my data in a bubble chart?

How to count stats for two different field logs coming from the same device by using the OR command?

rex to extract field from csv

How to add the regex in datamodel and use in tstats?

how can we set the default search mode to verbose always. Can we set it from a config file.

create a drill-down multiple condition

How to search complex string

Reading fields with periods in them using Python SDK

Searches are terminating with Unknown sid and The search job “xxxxxxxxxx.xxxxx” was canceled remotely or expired.

What does format do after a table lookup

Microsoft DNS Query not parsing

How to list the difference between two searches

Is there any limit for field value for the transaction command?

Timechart question

Event Time is less then 10 min old

Active computers reporting to splunk last 30 days

Avoid rows less than certain number of alerts

Is there any way to restrict searches based on user's source IP address?

How to fix firewall data Parsing issue from the syslogs?

Using like() in a case statement not working

Pass a value from a macro to a subsearch after doing a join

Count days without events

Why is Eventstats and Subsearch adding non-existent values to the table?

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Using splunk-sdk in user-defined functions in Spar...

Verification of SAML assertion using IDP's cert fa...

ジョブを消しても復活する現象について

splunk threat intelligence taxii data

Splunk DB connect add-on InfluxDB 2.6