Highest Voted 'splunk-query' Questions

1

vote

2 answers

Splunk query reference field in joined data

Full disclosure, I am very new Splunk so I may explain my question incorrectly. I have two data sources and was given a query to pull data from them individually. I am trying to join this data together so I can create some type of chart, but I am…

splunk splunk-query splunk-formula

asked Sep 15 '20 at 15:43

SBB

7,079
27
82
181

1

vote

1 answer

Splunk: How to Compute Incident Duration Records?

I have the following events in Splunk: _time Agent_Hostname alarm status 2020-08-23T03:04:05.000-0700 m50-ups.a_domain upsAlarmOnBypass raised 2020-08-23T03:07:16.000-0700 m50-ups.a_domain …

splunk splunk-query splunk-formula splunk-calculation

asked Sep 03 '20 at 16:38

Yu Shen

2,225
3
30
37

1

vote

1 answer

Splunk queries: filter by _meta fields

Context I have a bunch of application servers I would like monitor using Splunk. Servers on every environment run the same applications. Looking for a way to tag this information in order to easily disentangle stage servers from prod server in my…

splunk splunk-query

asked Aug 11 '20 at 12:33

zar3bski

1,593
2
13
38

1

vote

1 answer

Splunk query to get field from JSON cell

The splunk query outputs a table where one of the column has these kind of json the part of the query that gives this output is…

sql json splunk splunk-query splunk-dbconnect

asked Jul 31 '20 at 10:10

prashantitis

1,698
19
47

1

vote

1 answer

Recording earliest login time for each day

I need to return the earliest login time per day for a single username. However, some returns do not match the login from that date. Query below: index=app_redacted_int_* sourcetype="redacted" SessionState="Active" UserName=ABCDE123 | rex…

splunk splunk-query splunk-sdk splunk-formula

asked Jul 29 '20 at 20:39

George S

11
1

1

vote

2 answers

How to merge two stats by in Splunk?

I wanted a single graph to show values. One search is index="cumu_open_csv" Assignee="ram" | eval open_field=if(in(Status,"Open","Reopened","Waiting","In Progress"), 1,0) | stats count(eval(open_field=1)) AS Open, count(eval(open_field=0)) AS…

statistics splunk splunk-query

asked Jul 28 '20 at 11:08

Hari Priya

27
5

1

vote

0 answers

How to calculate duration between logs in Datadog?

Splunk has transaction command which can produce duration between logs grouped by id: 2020-01-01 12:12 event=START id=1 2020-01-01 12:13 event=STOP id=1 as it is decribed on Query for calculating duration between two different logs in…

logging monitoring datadog splunk-query

asked Jul 07 '20 at 19:52

Justinas Jakavonis

6,374
5
52
88

1

vote

1 answer

How to check if the multi-value field contains the value of the other field in Splunk

I need to set the field value according to the existence of another event field (e.g. a field) in a multivalued field of the same event (e.g. mv_field) Here is an example query, which doesn't work as I expected, because the ext_field always has the…

splunk splunk-query

asked Jul 01 '20 at 19:12

Yaroslav Borysiuk

21
4

1

vote

0 answers

Kubernetes logs spamming Splunk

I'm having issues with Kubernetes containers spamming Splunk with hundreds of gigabytes of logs sometimes. I would like to put together a search to track containers that have a sudden log spike and generate an alert. More specifically: look at the…

splunk-query

asked Jun 11 '20 at 15:28

gschwel

21
3

1

vote

1 answer

Getting Error as "Regex: syntax error in subpattern name (missing terminator)." in SPLUNK

I have been extracting fields in Splunk and this looks to be working fine for all headers but for the header l-s-m, I am getting the error as "syntax error in subpattern name (missing terminator)." I have done similar for other headers and all…

splunk splunk-query

asked Jun 03 '20 at 08:38

Vicky

25
5

1

vote

1 answer

How do I added a token to the query of a dashboard in Splunk?

I recreated the dashboard using the report query and have the search returning all of the table results. I have an input for the reference number as a text box. The token name is: purchCostReferenceToken I want to limit the table results based on…

splunk splunk-query

asked Jun 02 '20 at 15:19

Gloria Santin

1,804
1
33
87

1

vote

1 answer

How to extract fields from JSON string in Splunk

In Splunk after searching I am getting below result- FINISH OnDemandModel - Model: Application:GVAP RequestID:test_manifest_0003 Project:AMPS EMRid:j-XHFRN0A4M3QQ status:success I want to extract fields like Application, RequestID, Project, EMRid…

splunk splunk-query

asked Jun 02 '20 at 11:34

R.Gold

95
1
9

1

vote

1 answer

Splunk: Matching an error log and obtaining the count of it

I'm new to Splunk. I need to get a count of each of the error messages from our logs. I tried writing the below search query but it is not working as expected. index="my_index" source="my_service.log" logger="com.xyz.splunk.logger.*"…

splunk splunk-query

asked May 15 '20 at 03:24

Vinda

163
1
6
17

1

vote

1 answer

How to form Splunk query to split a field into separate fields as per the maximum number of partitions?

I have some strings like below returned by my Splunk base search. "CN=aa,OU=bb,DC=cc,DC=dd,DC=ee" "CN=xx,OU=bb,DC=cc,DC=yy,DC=zz" "CN=ff,OU=gg,OU=hh,DC=ii,DC=jj" "CN=kk,DC=ll,DC=mm" Note: CN,OU,DC could be 0 or many. My ultimate goal is to find all…

split splunk splunk-query

asked Apr 27 '20 at 16:48

Smita Patankar

75
1
10

1

vote

2 answers

Query for calculating duration between two different logs in Splunk

As part of my requirements, I have to calculate the duration between two different logs using Splunk query. For example: Log 2: 2020-04-22 13:12 ADD request received ID : 123 Log 1 : 2020-04-22 12:12 REMOVE request received ID : 122 The common…

splunk splunk-query

asked Apr 22 '20 at 06:30

Veeresham Tammali

396
3
12

Questions tagged [splunk-query]