Splunk Search

Discussions

Thread Info

Need help on search parallelization ? How and where to turn on this search parallelization mode?

Hi All, I need to turn on the search parallelization "Batch mode search parallelization" but not sure where I need to...

by Motivator in

Route and Filter Data from syslog (and syslog-ng is NOT an immediate option) Part 2

My override index confs are breaking and I cannot find the cause... Currently I have logs from two sources (A and ...

by Builder in

How can I append all lookup files with uncertain names (like(name,"record*%"))?

Hi Splunkers, I have lookup with WiFi authentication data (IP-Addr, mac-addr, username) . Let's say name=wifiauth_...

by Contributor in

How do I extract the time from Operating System events?

I am trying to extract the time from event from the AV system. The output is set up to be sent to Splunk over UDP eve...

by Contributor in

how to extract fields using regex

I have the below values in a field , Sadf123.dfd.com er-md-kt-mgmt.com feb-fe345@tbm.com I need to extract the ...

by Path Finder in

Regex Help

Hi community, Can you please help me create a regular expression that allows me to exclude the leading zeros of a ...

by Path Finder in

How do I extract this field from my sample Meraki Flow syslog events to use in search?

I am having trouble using a field that is in my log entries, but Splunk doesn't "auto-discover" it when I started ind...

by Explorer in

Can you shift one line of a multiline chart?

I have a need to track 2 related events. An object gets tagged if it fails a check. If the failure does not get fixed...

by Path Finder in

How to display only column(s) that has value greater than 0

Hi all, I have table looks like this Column1,Column2,Column3,....,ColumnX 1,2,0,....5 1,0,5,....3 2,3,0,....0 S...

by Path Finder in

How to search for which user has access to what index?

Does anyone know how to: 1) search for which user has what access to the index? 2) who has accessed to what index ...

by Splunk Employee in

Should the records in time-based lookup csv file must to be sequence (order) by time?

Hi, I have done some test using small set of data in my lab. It looks like the time-based lookup work correct when...

by Path Finder in

Filter out a subset of items based on another value in a CSV lookup

Hello again, So lets say I have a CSV file that looks like the following: node_code region_code SAN ...

by Explorer in

RegEx Extraction Assistance for new field.

I have a field that looks like the below. PM=Rodhouse,Logan (PM Build VZT-PM) PM=Allen,Jim (PM Run-PM) Basicall...

by Explorer in

Merge multiple line to one line with end, start line desire?

Hi, I'm have trouble with multiple line in my logs and i have many information dont need in this logs. So I'm want ge...

by Engager in

How to extract new fields in a log file

Here is a sample content from my application log. I wish to extract the fields "rib-rmq Status is STATE_ACTIVE. L...

by New Member in

Should the records in time-based lookup csv file must to be sequence (order) by time?

Hi, As title. I have done some test using small set of data in my lab. It looks like the time-based lookup work corre...

by Explorer in

How to 'grep' multi-line event?

How would I perform a Unix grep on a multi-line event? Ex.: _raw="one two three" _raw="tree bee eleven" I'd li...

by Explorer in

Field not fillled through eval in map

I have a search like this: |inputlookup CSV-Generic-GenCus-GenLBL-SensitiveDataKeyWords.csv | map [search index="*...

by Path Finder in

Why is the mvcombine breaking sparkline?

Hi everyone, I have a requirement to use mvcombine after stats. When I use mvcombine the sparkline stops worki...

by Contributor in

What should I use instead of foreach when iterating?

by Ultra Champion in

How can I retain certain field values for all events with tstats when some fields may not exist on all events?

I have an accelerated data model where all events contain a duration field (ReqTot). In addition, some events include...

by New Member in

Why are there field extraction issues on events with no sourcetype information?

Hi there, I know there is an answer related to my question but I don't understand it. I already have this sourc...

by Contributor in

InputLookup - find unique values across 4 fields

I have a lookup file that contain 4 fields (field1, field2, field3, field4) which contains an account number. Same ac...

by Contributor in

complete data not coming through search

When I run the following query , I am getting data for limited days. Eg. When I run this query for 1 month ,I didn't...

by Engager in

case - expression is malformed

What am I doing wrong? * Account_Name=smithjt OR Account_Name=jonestt* |eval X1=case (Account_Name=="smithjt", "John ...

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Need help on search parallelization ? How and where to turn on this search parallelization mode?

Route and Filter Data from syslog (and syslog-ng is NOT an immediate option) Part 2

How can I append all lookup files with uncertain names (like(name,"record*%"))?

How do I extract the time from Operating System events?

how to extract fields using regex

Regex Help

How do I extract this field from my sample Meraki Flow syslog events to use in search?

Can you shift one line of a multiline chart?

How to display only column(s) that has value greater than 0

How to search for which user has access to what index?

Should the records in time-based lookup csv file must to be sequence (order) by time?

Filter out a subset of items based on another value in a CSV lookup

RegEx Extraction Assistance for new field.

Merge multiple line to one line with end, start line desire?

How to extract new fields in a log file

Should the records in time-based lookup csv file must to be sequence (order) by time?

How to 'grep' multi-line event?

Field not fillled through eval in map

Why is the mvcombine breaking sparkline?

What should I use instead of foreach when iterating?

How can I retain certain field values for all events with tstats when some fields may not exist on all events?

Why are there field extraction issues on events with no sourcetype information?

InputLookup - find unique values across 4 fields

complete data not coming through search

case - expression is malformed

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Proactively stream data to different index after C...

Write Splunk log with Laminas

Issues in multiselect input dropdown

Using splunk-sdk in user-defined functions in Spar...

Verification of SAML assertion using IDP's cert fa...