Questions tagged [splunk-query]
697 questions
3 votes, 1 answer
How to extract a value from fields when using stats()
Query:
index = test
| stats values(*) as * by ip_addr, location
| where location="USA"
| fields timestamp, user, ip, location, message
Result:
+--------------------------------------------------------------------+
| timestamp | user | ip …

ThomasWest
3 votes, 2 answers
Use sub-second precision on "earliest" in Splunk query
I have a Splunk search string. If I add earliest=10/05/2020:23:59:58, the search string still works. However, if I changed that to earliest=10/05/2020:23:59:58:01, I got an error message saying invalid value "10/05/2020:23:59:58:01" for time term…

Jie
3 votes, 1 answer
Splunk queries: filter by _meta fields
Context
I have a bunch of application servers I would like to monitor using Splunk. Servers in every environment run the same applications. I'm looking for a way to tag this information in order to easily disentangle stage servers from prod servers in my…

zar3bski
3 votes, 1 answer
Splunk: Unable to get the correct min and max values
I'm a newbie as far as Splunk is concerned with modest regex skills.
We have events with the following patterns:
fallbackAPIStatus={api1=133:...,…

maverick2701
3 votes, 2 answers
Splunk extracted field in dashboard
I am sending some data to Splunk which looks like:
"Start|timestamp:1552607877702|type:counter|metricName:cache|count:34488378|End"
And then extracting the fields using a regex:
search "attrs.name"="service" | regex (Start)(.*)(End) | extract…

CaptainHastings
3 votes, 2 answers
Stats Count Splunk Query
I wonder whether someone can help me please.
I'd made the following post about a Splunk query I'm trying to write:
https://answers.splunk.com/answers/724223/in-a-table-powered-by-a-stats-count-search-can-you.html
I received some great help, but…

IRHM
3 votes, 0 answers
Splunk REST curl query fails to execute on the successive attempts with the session key authorization
The first attempt creates the Splunk SID, but the successive attempts to create a search ID fail.
The same issue occurs while polling/consuming the search after SID creation on its successive attempts. Can anybody point out the missing part?
Curl…

sathish
3 votes, 1 answer
How to make Splunk query case sensitive
How do I make my query case sensitive?
Say I want my search results for "Case Sensitive" and not "CASE sensitive" or "CASE SENSITIVE"
This is what I'm using which isn't helping.
index=foo_foo sourcetype=foo "Is my query CASE(Case Sensitive)"
I've…

RIP SunMicrosystem
3 votes, 1 answer
Checking Splunk logs for one string but not others
In Splunk I want to search for any exceptions EXCEPT concurrent timeout exceptions. Concurrent timeout exceptions appear in the logs as either "java.util.concurrent.TimeoutException" OR "concurrent timeout exception".
If I perform a query…

SuperCow
2 votes, 0 answers
How to show nested structures in Splunk table
Let's say I have the following kind of event:
{"title":"title1","movieStatistics":[{"country":"US","cast":[{"name":"Actor1","age":30,"languages":["English","Spanish"]},{"name":"Actor2","age":48,"languages":["English","Polish","Spanish"]}]}]}
With…

Silvos90
2 votes, 2 answers
In Splunk, Need to Pull Data from Nested JSON Array in an Array
I have some data that is an array inside an array. If it makes it easier, there will only ever be the one nested array inside of StopData.
{
"Name": "ExceptionLogs",
"Id": "Id1",
"StopData": [
[
{
"level": "ERROR",
…

stricq
2 votes, 1 answer
Separate multiple search values with an OR clause with Splunk?
I have a text box in a Splunk dashboard, and I'm trying to find out how I can separate values entered into the text box that are separated by commas with an OR clause.
For example:
values entered into text box: 102.99.99, 103.99.93,…

YouKnowWhyImHere
2 votes, 1 answer
Splunk: Use output of search A row by row as input for search B, then produce common result table
In Splunk, I have a search producing a result table like this:
_time                A    B    C
2022-10-19 09:00:00  A1   B1   C1
2022-10-19 09:00:00  A2   B2   C2
2022-10-19 09:10:20  A3   B3   C3
Now, for each row, I want to run a second search, using the _time value…

rikinet
2 votes, 1 answer
Splunk how to display multiple stats queries in table?
I am new to Splunk and don't quite manage to formulate a Splunk query in order to get the exact results I want:
I have server logs that are something like this:
clientIP instanceID serviceType error
I have three queries that I would like to display…

Ric Had
2 votes, 1 answer
Splunk - Displaying addcoltotals into its own column
I have a report where I am working with event logs. I have created a table with fields that are extracted from the event logs.
This is my Splunk query:
| stats count as Total_by_Requester values(*) as * by Requester_Id
| table Type_of_Call LOB…

ashu mallik