Splunk Search

Discussions

Thread Info

How to calculate the number of CPU cores for cluster, over time?

This should be a simple query but I seem unable to get the correct results when I try and display over time. This ...

by Communicator in

calculate percentage of multiple columns and then create a chart

I have a query (pasted below) that counts occurrence of different strings within the same field called Variable10. I ...

by Explorer in

How to combine multiple fields filtering to create a new eval variable?

Hi , i have the following fields (host id time) and 6 records host | id ****** ***************** A | 3 A...

by Engager in

auto increment on query

Hello, I'am writing a query to retrieve comments of my clients This is my query | eval q_commentaireSupplementa...

by Explorer in

Splunk case statement to count values based on field name

Hi team, there are three fields in source "app1.csv" (CUST_ID,ACCT_ID,SUBSCRIP_ID). There is no other field in this t...

by Path Finder in

In timechart query plot the difference of values from two polls each at 30 sec intervals

Blockquote I have similar json input as below, every minute similar blocks of data is send to index. I am plot...

by Path Finder in

How to get the average base on line number?

Hi I have a table as below, each time run the query it may return different result run 1 day1 10 day2 20 day3 25 ...

by Communicator in

Regex help

Hey Guys, I need help to write a regex with the name upload to pull the number 3712 from the below log where 'B Se...

by New Member in

How to merge two queries into one from two sources?

Hi, I have two queries that I'm attempting (badly) to merge into one The first query is below and it works (fin...

by Motivator in

How can I bring up the top 10 errors in Pivot view?

Hi, I'm trying to pull top 10 errors for last 7 days and I would like to show each error counts on each day. Pls s...

by New Member in

Why do these 2 searches return different results based on the dedup?

Simple searches that return different restults based on where the dedup is. Seems like ti functuioning 2 different wa...

by Communicator in

How to correlate fields from two different searches?

Thanks in advance. I have events from two different sources: The first source (let's call it Source A) has the ...

by New Member in

Lookup Definition using Match Type

I am attempting to create a new "Week" field based on an external lookup. However, the date field in my sourcetype...

by Explorer in

How to compare 2 filename%y%m%d.csv from month appart?

Hi fellows! I have a scheduled job that output a single host list (in a unique Table) every day. the filename is a...

by New Member in

How can I convert duration to seconds? "1h 2m 3s" to 3723

I have a a field that is called rawtime that has a bunch of durations. My end goal is to graph per hour the average d...

by Engager in

Results for transactions with endswith not met

index=winevents host=servernames* EventCode=1511 OR EventCode=4647 | eval Sid=case(EventCode=1511,'Sid') | lookup lda...

by Communicator in

How to change the name of field values at y-axis

Hi, My idea is to shorten the value names at y-axis to a meaning full short names, so that it doesn't get truncate...

by New Member in

Average and Diff per host

Given I have multiple hosts, I'd like the host total within a bucketed time span, average of the totals across all ho...

by Path Finder in

Compare a field with lookup file

I was trying to compare searched result with lookup file. Is there any to compare results with lookup file. |mysea...

by Explorer in

First day of the month

Hello , I have a job of this month,the problem is that in my histogram i always have thersday as first day

by Explorer in

Help Deploying URL Parser TA to Index and Search Head Cluster

I've been trying to follow examples of other TAs that might use SCP v2 to add parameters I can't use because of chunk...

by New Member in

How to override only specific fields using appendcols?

Hi, Is there a way to only override specific fields only. When i use appendcols override=true, it is overriding all ...

by New Member in

How does one use REGEX, FORMAT, or something else, at index time, to replace "-" with "_" i.e. application_special-source-type => application_special_source_type?

Extracting "_" delimited fields from source file name (regex101.com) ([^\/]+)([^]+)([^]+)([^]+)([^]+)bro([^]+)([^]...

by Path Finder in

Is there a way to apply lookup table in a real time search?

Hi all, I just want to ask if there is a way that I can apply a lookup table in a real-time search? I have this colu...

by Builder in

What is the most efficient way of comparing two indexes.

I'm comparing in event1 from indexA is existing in indexB. Currently I am using join in comparing this two indexes bu...

by Path Finder in

Get Updates on the Splunk Community!

Splunk Search

Discussions

How to calculate the number of CPU cores for cluster, over time?

calculate percentage of multiple columns and then create a chart

How to combine multiple fields filtering to create a new eval variable?

auto increment on query

Splunk case statement to count values based on field name

In timechart query plot the difference of values from two polls each at 30 sec intervals

How to get the average base on line number?

Regex help

How to merge two queries into one from two sources?

How can I bring up the top 10 errors in Pivot view?

Why do these 2 searches return different results based on the dedup?

How to correlate fields from two different searches?

Lookup Definition using Match Type

How to compare 2 filename%y%m%d.csv from month appart?

How can I convert duration to seconds? "1h 2m 3s" to 3723

Results for transactions with endswith not met

How to change the name of field values at y-axis

Average and Diff per host

Compare a field with lookup file

First day of the month

Help Deploying URL Parser TA to Index and Search Head Cluster

How to override only specific fields using appendcols?

How does one use REGEX, FORMAT, or something else, at index time, to replace "-" with "_" i.e. application_special-source-type => application_special_source_type?

Is there a way to apply lookup table in a real time search?

What is the most efficient way of comparing two indexes.

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

MLTK - What algorithm should I use?

How to show the line when its value is NULL with ...

Search for triggered save searches and their actio...

MLTKC how should i check jupyter notebook func in ...

ITSI thresholds: adaptive vs static

Splunk Search

Are you a member of the Splunk Community?

Discussions