Questions tagged [splunk-query]

438 questions
0 votes, 2 answers

What does splunk count when more than one field is used in the 'top' command?

When I type this search query in the Splunk search head: index=main sourcetype=mySrcType | top fieldA fieldB, Splunk automatically adds a count column to the resulting table. Now, what is this count? Is it a simple sum of each field's count?
Ahmed Hussein
0 votes, 0 answers

Splunk query returns fewer results than expected

I am using this command to get top 200 results from Splunk on my_field: q = "search index=idx host=nets* mydomain.com | top limit=200 my_field" When I run this in Splunk, it gives me 200 results. However, when I run it using the Splunk Python SDK,…
trans1st0r
0 votes, 1 answer

Splunk - Get a distinct count of field values matching a regex

I am doing this: <<>> | search $country$ $campaign_name$ event_name=email OR event_name=event|stats dc(person_id) Now, at the end, instead of dc of person_id I need a count of person_id values which match a regex: <<>> | search $country$ $campaign_name$…
G.D
0 votes, 1 answer

How to use rex command to extract two fields and chart the count for both in one search query?

I have a log statement like 2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{"message":{"TransactionStatus":true,"TransactioName":"removeLockedUser-1498029828160"}} . How can I extract TransactionName and TransactionStatus and…
anu arora
0 votes, 1 answer

How do I create a dashboard that searches other dashboards for recently modified or updated dashboards in Splunk?

So I was just wondering if it was possible to create simple XML or HTML code for a dashboard that searches for all other recently modified or updated searches or dashboards in Splunk? And if so, when I search for these updated databases I would…
Abarry
0 votes, 1 answer

How to add a filter specific to each column in a Splunk dashboard

I am creating a dashboard from a Splunk log. In this dashboard, I want to add a filter to each column. Just by typing into the filter text box, the data needs to be filtered, something like this. Here is the source detail:
nand
0 votes, 2 answers

Single Email Alert with Multiple Queries in Splunk

When we trigger an email through Splunk, we want to display 3 tables with different result sets. Is there any option to configure more than one Splunk query for a single email alert? Please help with your inputs.
user2057006
0 votes, 0 answers

Search query returns only a 50000 events/results list out of 5.6 million events

Observing an issue: when I query Splunk, the search query returns only 50000 events/results in total, though the total number of events/results is almost 5.6 million. What settings do I need to make in any of the Splunk configuration…
0 votes, 1 answer

In Splunk, how to create a private lookup table for an individual?

I am working on a network security project. I need to create a private lookup table for individual users, such that no other user can see the content of another user's lookup table. I have created the lookup table by: curl -k -u username:pwd…
0 votes, 1 answer

mvzip + mvexpand trick for fields of different cardinalities

I need to expand multiple MV fields in Splunk. The answers here work if each field in a row has the same cardinality. One of the fields in my dataset sometimes has a single value - NULL - in which case Splunk does not include the entire row.…
Roko
0 votes, 1 answer

How to find unique patterns in a log file via the Splunk SDK

I have a requirement to identify all unique log patterns from Splunk. I can get them on the Patterns tab in the Splunk UI, but I want to get them programmatically. I can get search results using the Splunk SDK, but I am not able to find unique log patterns.
0 votes, 1 answer

How to delete queried results from Splunk database?

The question is about deleting Splunk DB data. My requirement: I run a query against Splunk based on a time stamp, "from date" & "to date". After I get the list of all event results between those timestamps, I want to delete this list of events from the Splunk…
0 votes, 1 answer

Why does data appear only if I add "index=*" to the query?

I am using Splunk to search the company's logs. I am wondering why I need to add "index=*" to the query, e.g. env=dev index=*. Without "index=*", no data is returned. Why do we need it, and what does it mean? I am confused, because each term…
janetsmith
0 votes, 1 answer

Splunk: query when the same user called the same endpoint less than 30 minutes apart

Based on the following entries:

ORDER=entry1 USER=user1 EP=endpoint1 TIME=10:00
ORDER=entry2 USER=user2 EP=endpoint1 TIME=10:01
ORDER=entry3 USER=user1 EP=endpoint1 TIME=10:05
ORDER=entry4 USER=user2 EP=endpoint1 TIME=11:00

I want to write a Splunk…
Alexandre Santos
0 votes, 1 answer

Splunk Log - Date comparison

I have configured my application logs in Splunk and want to do the following:

1. Get events when the string has today's date.
2. Get events when the string has tomorrow's date.

I have tried to write a query as below for #1, but it doesn't seem to…
Bhaskar