Splunk Search

Ask a Question

Discussions

Thread Info

How do I extract key value pairs from a field in a log file that has XML content?

Hi All, I have log file which has XML content in one of the fields and I need to extract its key value pairs. Can ...

by Contributor in

Is there a way to use structured field extraction (PSV in this case) that works with multiline field values?

Hi There, I have been trying with no luck today to do a structured field extraction using the "Add Data" function ...

by Explorer in

How to define cell colours in the "Lookup File Editor"?

Hi, how can I define cell colours for a csv in the lookupeditor as shown here? http://lukemurphey.net/projects/...

by Motivator in

How to edit my search to find the number of retention days (frozenTimePeriodInSecs/86400) for a specific index?

I have the following search to calculate the RetentionDays of all the indexes in a cluster, but I'm unable to fetch t...

by New Member in

How to convert time to seconds in my search?

Using this search to show the average runtime by a jobname selected from a drop-down menu. The time right now shows u...

by Communicator in

How do I expand rows in a lookup into columns?

Hi Still learning the language. Hopefully this is a simple one. I have a lookup that displays as Computer1 ...

by Path Finder in

How to edit my search to only return results that exceed a certain count within a time window?

I would like to issue the following search, but only get results that exceed a count within a time window. I see how ...

by Path Finder in

Why is MySQL query size is being limited using Splunk DB connect

I am not sure what is causing this behavior. My table has 2369 rows. I found this by using Splunk DB Connect Data...

by Explorer in

Is there a way to zoom back in after zooming out on the timeline?

I noticed there's no "zoom in" or "undo" option, after zooming out on the timeline. Is there an easy way to get back ...

by Splunk Employee in

How do I combine my two searches to graph two different fields in one graph?

Hey guys, I'm trying to create a graph which calculates the number of logs that fit the text critieria I am search...

by Path Finder in

Why are events not returned for a search on a search-time extracted field?

We have a field extraction in apps/search/local/props.conf like this: [my_glog_kv] ... EXTRACT-my_glog_kv = ^(?<se...

by Path Finder in

Regex help in filtering machines that were not compliant that now are....

I have events that detect compliance of machines via forescout data (we don't have the app installed) and I'd like to...

by New Member in

How do I separate the results of a transaction to separately show each event?

Hi at all, I have to separate the results of a transaction to separately show each event. I'd like to do this beca...

by SplunkTrust in

If I only need fields "Target Account Name" and "Subject Account Name", how can I write a search to exclude other fields from the list?

For example: Message: An attempt was made to change the password Subject: Security ID: ABC/DEF A...

by New Member in

How to create a new field and set it with a value of 5 minutes for each event?

Hello all, I'm making an alerts report and by now, I have the total number of Alerts for a month, let's set it as ...

by Contributor in

how to get average of time field?

I have following values in a field(CPU) 000 00:00:00.00 000 00:00:00.03 000 00:00:43.18 000 00:00:20.69 ...

by Path Finder in

How to transform a table and use column headers as field values?

Hi, I would like to do a transformation like this: Can you help how to achieve this? Thanks in advan...

by Motivator in

How to autofill rows in a table, even if there are no values produced by streamstats?

Hello, I have an output table like below from a streamstats call on my events: period total cummulative_to...

by Explorer in

How do I edit my search to get a count by error text?

Hi everyone, I am trying to do the following in Splunk, but it's not working: index=MRM eventtype=MRM_ERROR | e...

by New Member in

Is there an easy way to use blacklist in inputs.conf to filter the input itself in real-time like we would do for a Windows event log?

Blacklisting works to blacklist a file or directory... but is there an easy way using blacklisting in inputs.conf to ...

by Communicator in

How to use fields as tokens in scheduled report emails, but not in visualizations?

Dear experts, I defined the below mentioned pivot to generate a monthly report of the most frequently used URL pat...

by Explorer in

Why is MV_ADD=true extracting everything twice and producing duplicates in my search results?

My Event: Directory: /var/tmp/.X11-unix Mtime : 2015-01-06 06:26:36 +0000 | 2016-01-04 15:31:39 +0000 ...

by Communicator in

How to edit my search to add a third column to my table results if there are certain values in the first

I want to add a column "FinalType" in a statistical table, so when the EventType=ScoreLock and TxnType=Renewal, it sh...

by Communicator in

How can I increase the max number of searches on my dashboard in Splunk Enterprise?

I'm running Splunk Enterprise on my Windows machine and am facing an issue in loading my dashboard fully. The dashboa...

by Engager in

Why are we getting error "Server has invalid Kerberos principal" when running a search that triggers MapReduce?

With Hunk, we're getting an invalid Kerberos principal when we try to run a search that triggers MapReduce. The strea...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How do I extract key value pairs from a field in a log file that has XML content?

Is there a way to use structured field extraction (PSV in this case) that works with multiline field values?

How to define cell colours in the "Lookup File Editor"?

How to edit my search to find the number of retention days (frozenTimePeriodInSecs/86400) for a specific index?

How to convert time to seconds in my search?

How do I expand rows in a lookup into columns?

How to edit my search to only return results that exceed a certain count within a time window?

Why is MySQL query size is being limited using Splunk DB connect

Is there a way to zoom back in after zooming out on the timeline?

How do I combine my two searches to graph two different fields in one graph?

Why are events not returned for a search on a search-time extracted field?

Regex help in filtering machines that were not compliant that now are....

How do I separate the results of a transaction to separately show each event?

If I only need fields "Target Account Name" and "Subject Account Name", how can I write a search to exclude other fields from the list?

How to create a new field and set it with a value of 5 minutes for each event?

how to get average of time field?

How to transform a table and use column headers as field values?

How to autofill rows in a table, even if there are no values produced by streamstats?

How do I edit my search to get a count by error text?

Is there an easy way to use blacklist in inputs.conf to filter the input itself in real-time like we would do for a Windows event log?

How to use fields as tokens in scheduled report emails, but not in visualizations?

Why is MV_ADD=true extracting everything twice and producing duplicates in my search results?

How to edit my search to add a third column to my table results if there are certain values in the first

How can I increase the max number of searches on my dashboard in Splunk Enterprise?

Why are we getting error "Server has invalid Kerberos principal" when running a search that triggers MapReduce?

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability

ES8 + Mission Control Usage rest API

Search for triggered save searches and their actio...

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Using Machine Learning Toolkit to detect auth abus...