Splunk Search

Discussions

Thread Info

Extract data between multiple days..

Hi Guys, I am just trying to write a spluNk query to extract data between 1-32 days , >32 days , > 42 days , > 72 ...

by Path Finder in

Finding a Sessions Length

Hi All, ** Summary ** I have windows logs for remote VPN access. I want to be able to graph concurrent use by user. B...

by Engager in

How to format text extracted from a lookup?

Good afternoon, I have text in a lookup.csv that has hard returns in it, for example: This is the reason why t...

by Communicator in

Sorting issue with numeric field, descending order

I have a simple search with a sort command at the end as follows: .... some base search | dedup id | table id, name |...

by Communicator in

How to use IN clause in a search string?

Why does the following string work: url=*string1* OR url=*mystring2* But, this one does not work? url in (*m...

by New Member in

Why kv store lookup is much slower than csv lookup?

Hi everyone! We've moved some of heavy lookups to kv store and now they work faster and more stable. But one of them ...

by Builder in

How to match values if already in table

I appended a CSV to an index, and right now my results pop up as the 100 lines of CSV, and then 30K of the index. ...

by Engager in

It is possible to change the default delimiter "," by ";" in the ouputcsv?

I need to change the default output separator of ouputcsv or outputlookup, is there any way to change it? For exam...

by New Member in

Is it possible to use TERM() with Datamodel in a tstats?

Currently I am trying to optimize my application and I would like to know if it is possible to use TERM() with a data...

by Explorer in

Error during Python init in custom search commands

Hi, I believe that my Splunk's Python has some issue during initialization. This happens whenever I try to run any...

by Path Finder in

Timespan based output

Hi Can someone help me in getting o/p over 1h interval along with Total requests count, Success count, Failure count ...

by Explorer in

By any chance can we change the log rotation format?

Hi Splunkers, Ideally what happens is we set threshold for log file and set some retention. so files do get create...

by Communicator in

Converting events data into metric using Mcollect

Hi Guys, I'm trying to convert events data into metric for CPU, Disk, Memory monitoring for Azure PAAS, using belo...

by Explorer in

Compare results to previous results?

If say I have data from December to march in csv every 5 min , and no data from Marc to April.if say in month of nay ...

by Path Finder in

Yet Another Question - math on fields from different index and searches in one display?

@to4kawa You have helped me a lot the past few weeks, lol you will probably answer this one too!  So i have t...

by Path Finder in

How to get two fields in two lines in one event ?

I'm hoping to get help. I have the below errors that are in the same event at in different lines. i would like to ...

by New Member in

multivalue field search time extraction through UI

Hi, I would like to extract field values from UI using the field transformations and field extractions from setti...

by Builder in

Extract a field and perform subsearch

Hello, I have this subsearch command: [search source="local/data/user/logs/access*" status =5* | table request_...

by Explorer in

Why can't a non-admin user search my accelerated data model?

I've created two accelerated data models. As admin, I can search each of them with |tstats summariesonly=t FROM datam...

by Path Finder in

Capitalize every word of field in search results

I have a list of Cities in a field that are all lower case. Is there a way to capitalize them in search? Example: los...

by Motivator in

time frame calculation

Hello i want to write IF statement as part of my query and want it to run on time frame of 30 days or more... the qu...

by Communicator in

Automatically capitalize the first letter of every word that follows a period?

I am looking for the proper SPL to capitalize the first letter of every word that follows a period. I have tried seve...

by Engager in

need help in extracting a substring from a string

hello splunkers! new to splunk and i am needing to extract a word from a message field. this is the message The...

by Explorer in

expand json array to multiple events, then search constraints on the results

Hello, I've gone through a hundred of these types of posts and nothing is working for me. Here is the nested json arr...

by Explorer in

How to do an outer join on two tables with two fields?

Hi, I'm wondering if it's possible to do an outer/left join two tables on two fields. I have two indexes with the fol...

by Explorer in

Get Updates on the Splunk Community!

Splunk Search

Discussions

Extract data between multiple days..

Finding a Sessions Length

How to format text extracted from a lookup?

Sorting issue with numeric field, descending order

How to use IN clause in a search string?

Why kv store lookup is much slower than csv lookup?

How to match values if already in table

It is possible to change the default delimiter "," by ";" in the ouputcsv?

Is it possible to use TERM() with Datamodel in a tstats?

Error during Python init in custom search commands

Timespan based output

By any chance can we change the log rotation format?

Converting events data into metric using Mcollect

Compare results to previous results?

Yet Another Question - math on fields from different index and searches in one display?

How to get two fields in two lines in one event ?

multivalue field search time extraction through UI

Extract a field and perform subsearch

Why can't a non-admin user search my accelerated data model?

Capitalize every word of field in search results

time frame calculation

Automatically capitalize the first letter of every word that follows a period?

need help in extracting a substring from a string

expand json array to multiple events, then search constraints on the results

How to do an outer join on two tables with two fields?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?

Proactively stream data to different index after C...

Write Splunk log with Laminas

Issues in multiselect input dropdown

Using splunk-sdk in user-defined functions in Spar...

Verification of SAML assertion using IDP's cert fa...