×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Splunkie
Explorer
Member since: ‎04-09-2025
‎01-15-2026
Community Statistics
Posts 7
Solutions 0
Karma Given 3
Karma Received 1
Member Since ‎04-09-2025
Activity Feed
View All

Run Search with API and PowerShell

by in Splunk Cloud Platform
‎01-13-2026 06:40 AM
‎01-13-2026 06:40 AM
Hello All, I need help with a PowerShell script to that runs a search on Splunk Cloud via the REST API and retrieve results to be stored in a .csv file. I have put together the script below but I am not having any luck. I keep getting unable to connect to the remote server error. Can you please have a look at my script to help me spot anything I am missing. Thanks. ... View more
Labels

Re: Remove string from field using REX

by in Splunk Search
‎07-23-2025 03:43 AM
1 Karma
‎07-23-2025 03:43 AM
1 Karma
Thanks livehybrid,  The first option worked perfectly. I only wanted the field to be sanitized at search time and the first option does that. Cheers.   ... View more

Remove string from field using REX

by in Splunk Search
‎07-23-2025 02:00 AM
‎07-23-2025 02:00 AM
I am trying to remove a field which  has a suffix of sophos_event_input after the username. Example Username_Field Joe-Smith, Adams sophos_event_input Jane-Doe, Smith sophos_event_input I would like to change the Username field to only contain the users name, Example Username_Field Joe-Smith, Adams  Jane-Doe, Smith  Basically I want to get rid of the sophos_event_input suffix. How will I go about this?  ... View more
Labels

Re: Remove string from field using REX or Replace

by in Splunk Search
‎07-22-2025 08:12 AM
‎07-22-2025 08:12 AM
I am having a similar issue however in my case the field always has a suffix of sophos_event_input after the username. Example User Joe-Smith, Adams sophos_event_input Jane-Doe, Smith sophos_event_input I would like to change the User field to User Joe-Smith, Adams  Jane-Doe, Smith  Basically I want to get rid of the sophos_event_input suffix. How will I go about this?  ... View more

Re: Query that checks if field values have changed...

by in Splunk Search
‎04-11-2025 05:28 AM
‎04-11-2025 05:28 AM
Thanks @splunkmarroko, Thanks. I tried that, however going about it that way returns the initial events with an "Active" status and does not take into consideration that the status has changed from "Active" to "Resolved". ... View more

Re: Query that checks if field values have changed...

by in Splunk Search
‎04-11-2025 04:11 AM
‎04-11-2025 04:11 AM
Thanks @livehybrid, This works but returns inaccurate results when the search is run using the real time search time filter. This is an example of what I have; | base_search here | stats latest(status) as latest_status by incidentId | where latest_status!="Resolved" | stats count as total   The output is to count the number of active incidents to be displayed on a dashboard. Any pointer or tips on how to better achieve this will be appreciated. Cheers. ... View more

Query that checks if field values have changed to ...

by in Splunk Search
‎04-10-2025 05:54 AM
‎04-10-2025 05:54 AM
Hi Friends, I am working a query that checks if the value of a field has changed to a state of resolved to exclude it from the results of active cases. The field I am trying to use to check if a case has been resold is the status field.  I need help with a query that looks at all cases with the status of Active and removes cases whose status has now changed to Resolved from the results. Thank you. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-15-2026 04:58 AM
Karma from
View All
Karma given to
View All