Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Search
Splunk Community
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Search
Search
Search the Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
7,480 results
Sort by:
07-28-2025
08:54 AM
...ame, but the Syslog server name. What am I missing? How would I go about fixing this?
Labels
- Labels:
-
configuration
02-29-2024
01:56 AM
...ntermediate forwarder, so sometimes I can see data ingested by an HF coming from another HF). What about data sent not with a Splunk agent/host? For example, suppose I have this flow: Log source w...
Labels
01-11-2021
01:04 PM
Hey guys I've been having trouble finding documentation about removing indexed data. After looking through the "meta woot!" app I saw my hosts were growing a few thousand a day and my estreamer a...
Labels
- Labels:
-
host
11-17-2023
01:15 AM
Hi, I would like to ask a question regarding the lookups table. I am managing logs about login and I want to be sure that on a specific host you can access only with a specific IP address, o...
Labels
- Labels:
-
lookup
06-26-2019
01:09 PM
...hem if they go down. We've created this search so far to accomplish this:
sourcetype=tandem* "Host is OFFLINE" OR "Host is ONLINE"
| rex field=Text "Host is (?P\w+)"
| stats latest(Status) as S...
08-13-2025
12:44 AM
When running license usage reports by host we are hitting the squash_threshold in server.conf. I've researched this and the only solution I can see it to increase the squash_threshold beyond t...
Labels
01-23-2026
10:30 AM
I'm trying to rewrite the host field on events that are coming into a HEC on a HF. It's populating the hostname of the HF as host, and I'd really like to use what's in the event. props.conf...
Labels
- Labels:
-
host
-
props.conf
-
transforms.conf
07-18-2022
01:04 PM
...eturns a count of 1.
|inputlookup file.csv | join type=left host [|tstats count by host]
About a dozen hosts return counts; the rest return null values.&n...
Show results in replies (9)
-
In order to show the hosts where there is no data, your search should look like | tstats count w...
-
...ay too many hosts, but I can search for them directly using the same syntax (i.e. index=* and s...
-
...he correct number of hosts but around 10% then erroneously return 0 events. E.g. | t...
-
You should not do dedup - that's wrong. The whole point of stats is to do the aggregation of hosts...
-
...uery look for all hosts in the default indexes and joins those results with the lookup file. Hosts...
-
...ny lower case hosts in there any more
-
...ndex=* by host But it doesn't include hosts from the lookup that have no events, which I want t...
-
...0% of hosts showing up with different-case duplicates - one with appropriate event counts, and one w...
-
...esults I expect. The only zero hosts now are true zeros. Success! You're the best! Thanks so much for s...
05-05-2021
03:48 AM
Hi, I successfully created an SPL that does what I need for a single host but I cannot get it to work for all hosts. This works index=<my_index> host=<specific_host> s...
