Questions tagged [splunk-calculation]

93 questions
0 votes, 1 answer

Renaming regex-returned token values and passing the old token value (before they were renamed) to a drilldown search query in Splunk

I've a Splunk query that finds the top errors in the log using a regular expression. I then display it as a bar chart. The regex returns 10 values for error. someSearchQuery | rex "someTerm(?) | stats count by error | sort - count | head 10 I…
0 votes, 1 answer

Splunk Avg Query

I am consuming some data using an API. I want to calculate the avg time it took for all my customers; after each ingestion (data consumed for a particular customer), I print a time matrix for that customer. timechart span=24h avg(total_time) Now to…
0 votes, 1 answer

Required assistance: how to add specific source files with the same string (date) in the file name in a Splunk query

I have one requirement where we are getting files every day with the respective date mentioned in the files: for example, the file names…
0 votes, 1 answer

Whenever a particular search query matches in Splunk, I would like to send the search result to a REST API

I am new to Splunk and its apps. My requirement is: when Splunk gets a particular log entry like "Login Success", I would like to send that whole message to a REST API. I can use a scheduler to call the Splunk API and get the result, but I don't want to…
0 votes, 1 answer

How to count text that is replaced by rex commands as one in Splunk

I have a Splunk query to fetch the top 5 APIs based on error percent. Below is the query for it: index=myaccount sourcetype=myaccountweb-master Response status=* url=* | chart count over url by status | addtotals | foreach * [ | eval <> =…
0 votes, 1 answer

Subsearch produced 221180 results, truncating to maxout 10000

I have 221180 IPs in a CSV (deattackerv1.csv) with only one field, "ip", where I want to check if we have any hits in Splunk for those IPs in one given index. How can we achieve that? Below is the query, but I am getting the error "Subsearch…

Asked by supriya
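Added example (not from the question or any answer on this page): checking a large IP list against an index with the lookup command instead of a subsearch. A subsearch of the form [| inputlookup deattackerv1.csv | fields ip | format] is capped by the [subsearch] maxout setting in limits.conf (10000 by default), so with 221180 rows most of the list is silently dropped and the search quietly under-reports hits. The lookup command matches every event against the whole table and has no such cap. Assumed names: the CSV is uploaded as a lookup table file called deattackerv1.csv with its single field ip, the index is xyz, and the event field holding the client address is src (index and field name are assumptions; substitute your own).

```spl
index=xyz earliest=-7d
| lookup deattackerv1.csv ip AS src OUTPUT ip AS attacker_ip
| where isnotnull(attacker_ip)
| stats count AS hits, earliest(_time) AS first_seen, latest(_time) AS last_seen BY attacker_ip
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - hits
```

The where line keeps only events whose address appeared in the list; everything else gets a null attacker_ip from the lookup and is discarded. The lookup's own limit is the table's size in memory (max_memtable_bytes under [lookup] in limits.conf), not a row count, and a single-column CSV of 221180 IPs is far below it. Raising maxout instead merely turns the list into an enormous OR clause in the outer search and is much slower.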
0 votes, 1 answer

How to do cross-validation and counts between two search queries using multisearch

Hello everyone, I hope everyone is doing well... It turns out I have to find how many times a customer that has made a purchase has contacted the corporate line to complain... I can generate a table that shows me the customers that have made an…

Asked by R_Student
0 votes, 2 answers

Combining the results from 2 indexes in a Splunk query

I have one index idx1 and another index idx2 and a common column "A" on which matching needs to be done. I'm facing difficulty in combining the data from both columns. I have to combine the data in such a way that if there is a duplicate then the data…
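Added example (not from the question or any of its answers): merging two indexes on a shared key with a single stats instead of join. join runs the second search as a subsearch and inherits the subsearch result limits, whereas stats ... BY A reads both indexes in one pass and groups every row that shares a value of A. Field names other than A are assumptions: idx1 is taken to carry status and idx2 to carry owner.

```spl
(index=idx1) OR (index=idx2)
| fields A, index, status, owner
| stats values(status) AS status, values(owner) AS owner, dc(index) AS index_count, values(index) AS seen_in BY A
| where index_count=2
```

dc(index) counts how many of the two indexes contributed rows for each A; the where line keeps only keys present in both (an inner join), and dropping it keeps every key from either side (a full outer join). values() deduplicates, so repeated rows with identical field values collapse into one; use list() instead when duplicates must be preserved and counted.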
0 votes, 1 answer

How to count the number of events based on JSON field structure in Splunk

I want to count the number of occurrences of a specific JSON structure. For example, in my event there is a field called data whose value is JSON, but this field can have a variety of structures, like: data = {a: "b"} data = {d: "x", h: "e"}…

Asked by Samira Arabgol
0 votes, 0 answers

Grouping/pivot in Splunk

From the query below you can see we have event counts as Q Blocked, Q Not Blocked, Non Q Blocked and Non Q Non Blocked... index=xyz |eval BlockedStatus = case(Like(src,"14.19.106.%") AND blocked=1 ,"Q Blocked", Like(src,"150.29.121.%") AND…

Asked by supriya
0 votes, 1 answer

Splunk case with wildcard search for IP address

Can you please help me with the below: index=xyz | eval BlockedStatus = case(Like(src,"14.19.106.%") AND blocked=1 ,"Q Blocked", Like(src,"150.29.121.%") AND blocked=1,"Q Blocked", Like(src,"14.19.106.%") AND blocked=0,"Q…

Asked by supriya
0 votes, 1 answer

Nested condition in Splunk

I am looking for the result below: india without scanner IP blocked, india without scanner IP nonblocked, india with scanner IP blocked, india with scanner IP nonblocked, where ip1, ip2 => scanner IP. I have tried the below one, but it's showing only…
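Added example covering the three questions above that build on the same search (the grouping/pivot, the wildcard IP case, and the nested scanner-IP condition); it is not code from any of those posts or their answers. like(src, "14.19.106.%") is a string-prefix test: it happens to work for a /24 written out in full, but misclassifies as soon as the prefix is shortened ("14.19.1%" also matches 14.19.10.x, 14.19.100.x and so on). cidrmatch tests the address as a network range, which is what the question actually means. The scanner addresses 203.0.113.5 and 203.0.113.6 stand in for the question's ip1 and ip2 (assumption, taken from the documentation range); the index xyz and the fields src and blocked are the question's own.

```spl
index=xyz
| eval q_range=if(cidrmatch("14.19.106.0/24", src) OR cidrmatch("150.29.121.0/24", src), "Q", "Non Q")
| eval scanner=if(src IN ("203.0.113.5", "203.0.113.6"), "with scanner IP", "without scanner IP")
| eval block_state=case(blocked=1, "Blocked", blocked=0, "Not Blocked", true(), "Unknown")
| eval BlockedStatus=q_range." ".block_state
| stats count BY BlockedStatus, scanner
| eventstats sum(count) AS total
| eval pct=round(100*count/total, 1)
| fields - total
```

The true() branch in case() matters: without it, events where blocked is missing or takes a third value get a null BlockedStatus and silently vanish from the stats BY grouping, so the four buckets no longer add up to the event count. Building the label from two independent evals (range, then block state) also avoids the eight-way nested case the original query was heading towards.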
0 votes, 1 answer

Blank CSV in Splunk report

In a Splunk report, can we get at least the header (column names) in the attached CSV in the autogenerated email if there is no data in the CSV/Splunk? E.g. if there is no data, it should still at least show the header names.
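Added example (not from the question or its answer): forcing a header row into an otherwise empty report result with appendpipe. stats count with no BY clause always returns exactly one row, even over zero events, so the subpipeline can detect the empty case and append a single row whose fields are blank; when there are results, the where filter discards that row and nothing is appended. The search, index and field names are placeholders (assumption).

```spl
index=xyz sourcetype=access_combined status>=500
| stats count AS errors BY host, status
| appendpipe [ stats count AS n | where n=0 | eval host="", status="", errors="" | fields - n ]
```

The attached CSV then carries the header plus one blank data row rather than nothing at all. If the email is sent by an alert rather than a scheduled report, note that a "number of results greater than 0" trigger will now always fire because of the blank row; trigger on a condition over errors instead.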
0 votes, 1 answer

Epoch time field extraction in Splunk

How can we write a regex or field extraction for the logs below? The fields are start and end, where the value is in epoch format, and I want to change this into a human-readable format. cs7=45.45 cs7Label=latitude cs8=28.05 cs8Label=longitude Customer=Romania-UPC…
0 votes, 1 answer

Epoch time conversion to time in Splunk

I am uploading an XML in which one of the fields is dailyTime. This dailyTime is an epoch time and I want to convert it into human-readable time.

Asked by Femme Fatale
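Added example covering both epoch questions above (the start/end fields in the CEF-style line, and the dailyTime field); it is not from either question or their answers. The log line is constructed from the fragment shown in the question with start= and end= values added, and is fed in through makeresults so the search runs without any indexed data. The one check worth building in: epoch values arrive either as seconds (10 digits) or milliseconds (13 digits, which is what CEF start/end normally carry), and strftime expects seconds, so a 13-digit value is divided by 1000 first.

```spl
| makeresults
| eval _raw="start=1613462400000 end=1613462460000 cs7=45.45 cs7Label=latitude cs8=28.05 cs8Label=longitude Customer=Romania-UPC"
| rex field=_raw "\bstart=(?<start_epoch>\d+)\b"
| rex field=_raw "\bend=(?<end_epoch>\d+)\b"
| eval start_epoch=if(len(start_epoch)>=13, start_epoch/1000, start_epoch)
| eval end_epoch=if(len(end_epoch)>=13, end_epoch/1000, end_epoch)
| eval start_time=strftime(start_epoch, "%Y-%m-%dT%H:%M:%S%z")
| eval end_time=strftime(end_epoch, "%Y-%m-%dT%H:%M:%S%z")
| eval duration_s=end_epoch-start_epoch
| table start_epoch, end_epoch, start_time, end_time, duration_s
```

For the XML case the last step applies directly to the already-extracted field: | eval dailyTime_human=strftime(dailyTime, "%Y-%m-%d %H:%M:%S"). strftime renders in the timezone of the user running the search, not UTC, hence the %z so the offset is visible in the output; to keep the field numeric for sorting while displaying it readably, use fieldformat instead of eval.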