Splunk Search

Ask a Question

Discussions

Thread Info

Timestamp Problem props.conf

Hey, I'm having difficulty getting my Splunk instance to extract the part of the timestamp that I want Splunk to s...

by Motivator in

Group Events Based Solely on Temporal Proximity

Hi all, We have a need to correlate IPS, application, and firewall logs based solely on their timestamps. The r...

by Path Finder in

Replace parts of a string

Hi! I'm trying to replace parts of a string, in order to make it more human-readable. Our logs contains strings like ...

by Path Finder in

Auto-run form Question

Hey, I am trying to produce a form that does not require the use of a search button in order to execute a search a...

by Motivator in

Quotes in CSV-formatted events

I am attempting to add CSV-formatted events to my index through the REST API. I've got it working mostly correctly, b...

by Path Finder in

"NOT IN" between two search query

Hi all, i need to select IP address from a search query that "are not" in another search query. How can i do this? th...

by Path Finder in

fschange on auto-rotated config files

So I have an application that auto-rotates its config files every time it is changed, and uses the following structur...

by Communicator in

Adding time in a search

I would like to add the total amount of time an cs_id spends on the web daily. Ironport provides logs where the time ...

by New Member in

Limitations with searchmatch() eval function?

Is there any weird issues with using multiple searchmatch() expressions within a single eval command? I have a tra...

by Super Champion in

How can you emulate a sub-subsearch?

Is there anyway of emulating a nested subsearch? I know its sometimes possible to rewrite a search to factor-out a su...

by Super Champion in

Collect's addtime=true/false : What does it do?

I've got certain events that I want to send to collect. I see the addtime option (defaults to true). What does it do?...

by Champion in

Matching both sides of two kv pairs over time

I have a small DTrace app that monitors ARP requests and replies, producing output like this: 2010 Sep 1 03:10:0...

by Path Finder in

Use date_hour date_minute for charting

Hi everyone. I'm trying to use the date_hour and date_minute fields (which reads perfectly the hours and minutes o...

by Explorer in

Search using outer join fails to return all matching events

Search fails to correctly return all matching events when performing outer joins. The search below illustrates the pr...

by Splunk Employee in

How do I configure multi-value fields for RFC 5424-compliant syslog events?

Splunk understands old school BSD-style syslog events effortlessly. For RFC 5424-style events, multiple data structur...

by Splunk Employee in

How do I set the major unit duration to 1 week

In a chart, I need to set major unit to be one week (i.e adjacant tick marks need to be one week apart). How do I do ...

by New Member in

Simultaneous queries/jobs limit

Hi I was wondering if there is a limit on the count of simultaneous queries/searches/jobs executed in a Splunk in...

by Path Finder in

Regex across two lines

I have the following output: DEV#: 0 DEVICE NAME: vpath0 TYPE: 2107900 POLICY: Optimized SERIAL: 123ba...

by Builder in

Search query login

Hi all, i need to do a query about the number of login failed and succeeded in a time period. I'm auditing linux and ...

by Path Finder in

How do force a search to finish before invoking a custom search command?

I'm building a custom search command that performs some visualizations on a dataset outside of Splunk. It has to pars...

by Communicator in

Diff of 2 searches

How would I go about running a search that compares the output to two searches and reports the difference between the...

by Path Finder in

regex and BREAK_ONLY_BEFORE

I have a script that sends something like the following to stdout: DEV#: 0 DEVICE NAME: vpath0 TYPE: 2107...

by Builder in

Distinct Count on Summary Index

Okay, my summary index looks like this: sourcetype="blah" | sistats count by email I'd like to run a q...

by Path Finder in

Show only events WITHOUT field

Is there a way to show events only if they do not contain a specified field. E.g. 40% of my selected events contain a...

by Explorer in

How to configure forwarder to send different information to 2 different indexers

Hi, We now have a setup in which we use splunk like this. Forwarders deployed on windows Domain Controllers, that ...

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Timestamp Problem props.conf

Group Events Based Solely on Temporal Proximity

Replace parts of a string

Auto-run form Question

Quotes in CSV-formatted events

"NOT IN" between two search query

fschange on auto-rotated config files

Adding time in a search

Limitations with searchmatch() eval function?

How can you emulate a sub-subsearch?

Collect's addtime=true/false : What does it do?

Matching both sides of two kv pairs over time

Use date_hour date_minute for charting

Search using outer join fails to return all matching events

How do I configure multi-value fields for RFC 5424-compliant syslog events?

How do I set the major unit duration to 1 week

Simultaneous queries/jobs limit

Regex across two lines

Search query login

How do force a search to finish before invoking a custom search command?

Diff of 2 searches

regex and BREAK_ONLY_BEFORE

Distinct Count on Summary Index

Show only events WITHOUT field

How to configure forwarder to send different information to 2 different indexers

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

MLTK - What algorithm should I use?

How to show the line when its value is NULL with ...

Search for triggered save searches and their actio...

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions