...that I then want to use as input for another search on the same index. I looked at the manual and can see that subsearches are allowed [About subsearches - Splunk D...
Hi all,
I have the query below and results like the table below. Is there a way to search and display only the total count for the users who have errors (User1, User2, User3)?
index=aaa sourcetype=...
Hi
I have a basic question about the append limit which is 50000 events max
Does it mean that only the first 50000 events sorted by timestamp are displayed (from newest to oldest)?
And in s...
Hello,
Help me please. I'd like to define multiple search or subsearch to merge all relevant information about alerts.
Interesting fields in search are the hosts - as managed_host field a...
Have a search that returns emails of interest (possibly malicious). Trying to add a subsearch that will return a count of how many times each sender address has been seen in the last 30 days (r...
index="_internal" user!=admin | [search index="_internal" | stats count by user]
I am trying to run the above query but it fails with an error that "Error in 'SearchParser': Subsearches are only v...
Can someone please help me with this. So I have the following query: source=abc type=Change msg=" consumed" event_type="*" Now for each of the above searches I need to do the following: source=ab...
Hello,
I would like to run a scheduled report once. A very long time search; I don't care about performance or time to complete.
I set in local limits.conf
[subsearch]
# maximum number of r...
Hello, I want to ask a question about subsearch. When submitting a fed command without using it, an error message occurs as follows.
Before setting federated search ] index=fw | join s...
...ourcetype=ironport mailto=%form_var%
which will result in a field that I can use (icid) to then find the mailfrom field. So I am thinking about a subsearch like:
index=email sourcetype=i...