Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search
Splunk Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Search
Search
Search the Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
279 results
Sorted by:
10-14-2022
01:02 PM
...o get it working yet...
| union
[search index=xmo2-aws host=xmo2-prod* sourcetype=oss_app_log "Step completion_code set/reset" (flow_name=UcdeDeviceOnboarding AND step_name=S...
Labels
- Labels:
-
subsearch
Show results in replies (8)
-
without knowing your data, it's a little tricky to give an exact solution, but values(*) as * will ...
-
I would start here for reading. Use the guidance to gradually rebuild from scratch. Joins and...
-
...o the 'join' and then you can use eval to determine which category of your union it belongs to Not t...
-
this doesn't quite work because the conditions are mutually inclusive. The session has to mee...
-
I should have said, if it meets the 4th criteria as well as all 3 of the first criteria, then it is...
-
Also, timechart doesn't work in your example because there is no _time field...
-
If I understand correctly, then all sessions containing all 4 steps should be included in the total...
-
still, the timechart command doesn't work without _time field, correct?
09-22-2023
01:54 PM
I'm trying to UNION two different tables containing info on foreign traffic - the first table is a log with time range earliest=-24h latest=-1h. The second are logs of those same systems for the f...
04-11-2022
10:46 PM
...earch criteria common except sorting by column
I want to union of two in one query and extract even duplicate result, what will be that one query please?
Show results in replies (5)
-
There could be a more practical way like re-using results from a saved job, but assuming that you r...
-
Thanks for the quick reply, however there are 2 issues with first query(If I am not applying splitt...
-
Bah. My bad. I was writing it on my tablet, without splunk at hand to verify, and mixed different s...
-
Cheers , it works now, Any suggestion how can we remove passorder, splitter and totalreqo...
-
| fields - passorder and so on 😉
08-07-2023
04:58 PM
When comparing multivalue fields, there are a number of relationships one might be interested in. Equality is easy to check, but what about more complex relationships? Are any members of f1 i...
Labels
- Labels:
-
fields
12-08-2014
04:13 AM
I have a query that produces results that has two columns :
| field1 | field2 |
Field1 & Field2 have same domain, i.e. takes same set of values. I need to find out Union of the d...
08-04-2010
08:18 PM
Hi - I'm trying to union/intersect results from different source type using the SET command:
set union [search sourcetype="first_source" 404 | fields url] [search sourcetype="second_source" 3...
- Tags:
- sourcetype
Show results in replies (4)
-
...| set union [search sourcetype="first_source" 404 | fields url] [search sourcetype="s...
-
...rl2") that I want to union into one field, what's the best way to do that? I'm trying to avoid t...
-
Thanks, that seems to return some results. However, when I changed the "union" to "intersect", i...
-
| set union [search sourcetype="first_source" 404 | fields url | fields - _* ] [search s...
11-08-2017
03:59 PM
1 Karma
Hi Splunk Experts--
I'm confused about the union command and am hoping you can
help. Specifically, I'm struggling to understand what causes the
"things that get unioned" to be truncated-- in m...
06-16-2022
01:41 AM
Hello
I'm running this query:
| union
[ search host="puppet-01" OR host="jenkins-01" OR host="ANSIBLE-01" sourcetype=ProductionDeploy NOT Permisson_Job_Name=*_permission E...
- Tags:
- union
Labels
- Labels:
-
field extraction
-
subsearch
-
table
09-27-2022
01:45 AM
i All
There are query splunk like this :
(index=Prod sourcetype=ProdApp (host=Prod01 OR Prod02) source="/prodlib/SPLID" "Response" ERR-12120)
| rex "^(?:[^\[\n]*\[){6}(?P<...
Labels
- Labels:
-
eval
Show results in replies (9)
-
The table is displaying the events as separate rows - in order to align the userID rows with the cu...
-
(index=Prod sourcetype=ProdApp (host=Prod01 OR Prod02) source="/prodlib/SPLID" "Response" ERR-12120...
-
I will corellate customerName and user id with this source. For customerName with Response source, ...
-
How do you correlate the events with customerName to the events with userId? There is nothing in y...
-
In your example "Ikbal" does not match "IKBAL110294" and therefore these fields cannot be used to c...
-
Each name or CIF have a different User ID. For this example(Ikbal), he has the userid IKBAL110294 ...
-
Why are you not extracting userId from here?
-
I don't know how to get the userid(blueline) from here, because it's outside of the Response or Req...
-
| rex "^.+(\[[^\]]+\].*){4}\[(?<userid>[^\]]+)\]" Does this work? If not, please can you sh...
06-23-2015
12:18 AM
...o see all above counters in one query in either bars or graphs so for that I am making my query like given below but it is not working. Kindly suggest where I am doing wrong?
|set union [search i...
