Questions tagged [splunk-calculation]

93 questions
0 votes, 1 answer

Splunk - subtract two counts and trigger alert

I'm trying to find proper Splunk documentation about the following, but it seems pretty difficult. What I need to do is conceptually simple: I want to find out the number of certain events for two successive days and subtract them (simply subtract…
0 votes, 1 answer

Query to find the unique code in Splunk

Can someone suggest a query to send the unique errorcode count? Example: 2006. In between the tags (in place of 2006) different codes are printed. I need a query to pull all the unique error codes.
Sandeep muthyapu · 281 · 2 · 3 · 8
0 votes, 1 answer

Need Splunk query for finding common elements between two fields when each field is a list

I have each event as a JSON object below which is indexed by Splunk. How can I have a Splunk query such that I find all such failures which happen to be present in both "failed" and "passed" arrays? "output":{ "date" : "21-09-2017" …
Zack · 2,078 · 10 · 33 · 58
0 votes, 1 answer

Specific field values extraction with single value only

Need to extract customers' MSISDN (From) who have sent only one SMS (Received) and that too "STOP". Logs are below: 5/27/18 11:38:29.598 PM [2018-27-05 23:38:29.598 UTC] INFO pool-1-thread-3 [receivedSmsFileLogger] - Received = "JE S8…
0 votes, 1 answer

How do I find the first occurrence of a particular event for a list of users in Splunk

I have to find the first occurrence of a particular event for a list of users in Splunk. E.g. I have a list of, say, 10 users from another query. I am using the below query to find the date of the first mail sent by customer 12345. How do I find the same for a list of…
0 votes, 0 answers

Splunk workflow actions not working

I am trying to create an incident using a Splunk POST workflow action. From the event, when I try to trigger the workflow action, a new window is opened and the query string is appended to the URL, but the values are not filled in the fields. How to…
0 votes, 2 answers

Splunk Dedup by _time and Combine Values for One Field Into One Event

I am working with Exchange 2010 data. I have the MessageID, Sender, Recipients, and _time. Depending on the event type, recipients can be split (i.e. all recipients for a given message are not included in the event, but are split across multiple…
OverflowingTheGlass · 2,324 · 1 · 27 · 75
0 votes, 2 answers

Splunk searching questions

Will the following searches return the same results?
SEARCH 1: ssh error
SEARCH 2: ssh AND error
Will the following searches not return the same results?
SEARCH 1: purchase
SEARCH 2: action=purchase
0 votes, 1 answer

Display selective fields in Splunk in query

I am trying to create a table in Splunk of some service endpoints and the calculation time taken by each endpoint; now the problem is I want to display selected endpoints based on time. This is the query I wrote to display the fields. index="test" |…
0 votes, 2 answers

What does splunk count when more than one field is used in the 'top' command?

When I type this search query in the Splunk search head: index=main sourcetype=mySrcType | top fieldA fieldB Splunk automatically adds a count column to the resulting table. Now, what is this count? Is it a simple sum of each field's count?
Ahmed Hussein · 715 · 1 · 15 · 38
0 votes, 1 answer

In splunk, how to create Private Lookup table for individual?

I am working on a network security project. I need to create a private lookup table for individual users, such that no other user can see the content of another user's lookup table. I have created the lookup table by: curl -k -u username:pwd…
0 votes, 1 answer

Splunk Log - Date comparison

I have configured my application logs on Splunk and want to do the following: get events when the string has today's date; get events when the string has tomorrow's date. I have tried to write a query as below for #1, but it doesn't seem to…
Bhaskar · 337 · 6 · 21
-1 votes, 1 answer

Summary Index in Splunk

Can you please help me with the timestamp of the summary index? We are having a disk space issue and we are clearing the old logs, but we want to keep some field data. So if I schedule a SI, will it add the data from the last 1 month at one time? Then why…
supriya · 21 · 1 · 6
-1 votes, 1 answer

Splunk command to check if current search is greater than x% of previous search

I want to know how to write search query in Splunk in order to check if the current search is greater than 20% of previous search. I am getting events on a particular count every 10 min. I want to check if my current count (for the last 10 min) is…
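The comparison asked for here, and the two-successive-days subtraction asked for in the first question on this page, are the same technique: bound the search to two adjacent windows, count each one, and compute the difference. The following is an added example, not code from either question or from any answer; index, sourcetype and the 20 % threshold are placeholders:

```spl
index=myindex sourcetype=mysourcetype earliest=-20m@m latest=@m
| eval window=if(_time >= relative_time(now(), "-10m@m"), "current", "previous")
| stats count(eval(window="current")) AS current, count(eval(window="previous")) AS previous
| eval delta=current-previous
| eval pct_change=if(previous>0, round(delta/previous*100, 1), null())
| where pct_change > 20
```

earliest/latest and the relative_time() cutoff are all snapped to the minute, so the two windows are exactly ten minutes each and do not overlap. The explicit previous>0 guard is deliberate: with no events in the previous window the percentage is undefined, the eval yields null, and the where clause drops the row, so the alert does not fire on a first run or after a gap in data; if that silence is itself something you want to know about, alert on previous=0 separately. For the daily variant use earliest=-2d@d latest=@d with relative_time(now(), "-1d@d"), and replace the percentage test with `| where delta > 0` if the question is only which day had more events. Saved as an alert scheduled every ten minutes (or daily) with the trigger condition "number of results greater than 0", the search produces one row only when the threshold is exceeded.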
-2 votes, 1 answer

Splunk: find percentage of top 1000 in Splunk

How can we get the percentage of top 1000 values along with some more fields? I have tried the below but it's not working: |eval percent=round(count/total*100,1000) | eventstats count(src) as total | iplocation src| stats count by src , dest , msg ,…
supriya · 21 · 1 · 6