×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
modulussplunk
Loves-to-Learn
Member since: ‎07-24-2019
‎06-12-2023
Community Statistics
Posts 7
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-24-2019
Activity Feed
View All

Re: Parsing JSON like-data with extracted server n...

by in Splunk Search
‎06-12-2023 08:56 AM
‎06-12-2023 08:56 AM
BTW, I could 'hack' this by using split and mvindex but that seems very hackish...like grep/sed/awk...I am trying to actually understand how to to this 'properly. ... View more

How to parse JSON like-data with extracted server ...

by in Splunk Search
‎06-12-2023 08:54 AM
‎06-12-2023 08:54 AM
Howdy   We've got this data:   Each log line is like: {"serverX.somedom.com" : {"key.value.pair1": "0", "key.value.pair2": "1", "key.value.pair3": "2" }} How can I access any of  key value pairs I want and  use the serverX.somedom.com  as well?   To produce something like:   |Server|key.value.pair1|key.value.pair2|Time| |serverX.somedom.com|0|1|"time"   I've looked for lots of JSON and/or spath commands/post but I'm needing some more knowledge here..   Thanks!       ... View more
Labels

Re: Getting the Date for the max() value

by in Splunk Search
‎01-09-2022 10:59 AM
‎01-09-2022 10:59 AM
Ah. I see. Thanks very much. I added table to the query and it appears all is well. Many thanks here!   My Final Query:     ... View more

Re: Getting the Date for the max() value

by in Splunk Search
‎01-08-2022 04:11 PM
‎01-08-2022 04:11 PM
Thanks so much. But it no longer shows any stats.. Do you want eventstats to replace stats entirely or pipe the whole previous search into eventstats as you list it below? ... View more

Getting the Date for the max() value

by in Splunk Search
‎01-08-2022 11:04 AM
‎01-08-2022 11:04 AM
Howdy I have a search like this: Everything is great!   Would it be possible to add a column that contains the timestamp for max(seconds) ? I've googled and even tried out some solutions I found here but can't quite get it... (i.e If I try to add "by host, _time" I get ALL the results).  Thanks!       ... View more
Labels

Re: Basic Query using Dates

by in Splunk Search
‎07-24-2019 07:43 PM
‎07-24-2019 07:43 PM
Thanks rob_jordan. I should have mentioned. I don't need to search with the default time picker drop downs, but 'within' search bar itself. We feed the data daily so the default time picker drop down doesn't mean too much. We actually use the dedup command on the search bar. But, I apologize. That link might make sense to you or others but I'm just getting started with Splunk. I'm still a bit unsure of the syntax. From my understanding, it seems like it would the search query look something like, this? index="blah1" sourcetype="blah2" policy = "strong" mypdate > ($epoch_number_for_desired_date)| eval mypdate = strptime('mypdate', "%m %d %y") Thank you ... View more

Basic Query using Dates

by in Splunk Search
‎07-24-2019 06:16 PM
‎07-24-2019 06:16 PM
We have indexed fields like the following: fname (a-z*) lname (a-z*) pdate (name_month day year) policy ( strong or weak) I'm able to do a query and returned all of the usernames with a strong policy (policy = 'strong'). If I try to also query for a password change date prior to May 1st (pdate > 'May 25 2019'), I get results with users that have password changes after that date. I believe I need to somehow convert the date perhaps with the strftime function, because maybe it's not comparing the the fields as dates, but how would I do that and actually construct the query? I've read the docs and tried some copy/pastes w/o a working solution. Thanks ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-12-2023 12:20 PM