Questions tagged [splunk-query]

697 questions
2 votes, 1 answer

How to extract a field from a Splunk search result and do stats on the value of that field

I have the following search results: 2021-07-14 17:12:55,525 INFO [NiFi logging handler] returned 202: response_time:0.029 retry_count:2 Out of this I would like to extract "response_time" values like this so I can find the average, max, min,…
asked by Vijay Kumar

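An added example (not taken from the question or from any answer to it) of how a practitioner would pull response_time out of the raw line quoted above with rex and aggregate it with stats. The index name, the sourcetype and the grouping by retry_count are assumptions; the log format is the one the question shows:

```spl
index=nifi sourcetype=nifi_app "response_time:"
| rex field=_raw "response_time:(?<response_time>\d+(?:\.\d+)?)\s+retry_count:(?<retry_count>\d+)"
| stats count(response_time) AS events
        avg(response_time)   AS avg_rt
        min(response_time)   AS min_rt
        max(response_time)   AS max_rt
        perc95(response_time) AS p95_rt
        BY retry_count
| sort retry_count
```

rex yields strings, but stats coerces them to numbers, so no tonumber() is needed. count(response_time) rather than a bare count is deliberate: events where the regex does not match get a null response_time, are excluded from avg/min/max, and should not inflate the event count either.
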
2 votes, 2 answers

How to calculate duration between two events in Splunk

I need to find the duration between two events. I went over the solutions on Splunk and Stack Overflow, but still can't get the calculation. Both sentToSave and SaveDoc have the timestamp already formatted, which is why I used the case function. I…
asked by Zara Z.

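An added example, not from the question or its answers, of the usual stats-based way to measure the time between a start event and an end event that share a key. The index name, the event field holding the values sentToSave and SaveDoc, and the correlation key doc_id are assumptions:

```spl
index=docs (event="sentToSave" OR event="SaveDoc")
| eval sent_time=if(event=="sentToSave", _time, null()),
       saved_time=if(event=="SaveDoc", _time, null())
| stats min(sent_time) AS sent_time max(saved_time) AS saved_time BY doc_id
| where isnotnull(sent_time) AND isnotnull(saved_time)
| eval duration_sec=saved_time - sent_time
| eval sent=strftime(sent_time, "%Y-%m-%d %H:%M:%S"),
       saved=strftime(saved_time, "%Y-%m-%d %H:%M:%S")
| table doc_id sent saved duration_sec
| sort - duration_sec
```

If the timestamp you need is a formatted string field rather than _time, convert it first with strptime(ts, "<format>") and subtract the resulting epoch values; subtracting formatted strings is what silently produces empty results. transaction doc_id startswith="sentToSave" endswith="SaveDoc" gives a ready-made duration field too, but it is far more memory-hungry than stats on large result sets.
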
2 votes, 1 answer

Multifields search in Splunk without knowing field names

There are two values V1 and V2 and I do not know the index field names. How should the request look if I want to have the following in the selection response: unknown-field-name1 = V1 unknown-field-name2 = V2 I am a beginner in the Splunk world and just…
asked by Adam Shakhabov

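An added example, not from the question or its answers, of how to find out which extracted fields carry the two values. A bare keyword search matches V1 and V2 anywhere in _raw regardless of field, and fieldsummary then reports, per field, the top values it saw. The index name and the sample size are assumptions:

```spl
index=myindex "V1" "V2"
| head 1000
| fieldsummary
| search values="*V1*" OR values="*V2*"
| table field count distinct_count values
```

fieldsummary only sees fields Splunk has already extracted (automatic key=value pairs, JSON, sourcetype extractions), so if the values sit inside unstructured text the fields will not appear and a rex extraction is needed first.
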
2 votes, 2 answers

Splunk Cloud search query with variable does not return results

I have a query that does not return results and shows no errors (the same with where and search command): "ExtendedProperties.PrCode"="myProductName" | eval myversion="12.916" | where "ExtendedProperties.ProductVersion"=myversion The query without…
asked by K. B.

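An added example, not from the question or its answers, showing the quoting rule that explains the empty result. In the search command a double-quoted left-hand side is a field name, but eval and where use eval syntax, where double quotes mean a string literal and single quotes mean a field name. The where clause in the question therefore compares the constant string ExtendedProperties.ProductVersion with the value of myversion, which never matches and raises no error. The field names are the ones in the question; nothing else is assumed:

```spl
"ExtendedProperties.PrCode"="myProductName"
| eval myversion="12.916"
| where 'ExtendedProperties.ProductVersion'=myversion
| table _time ExtendedProperties.PrCode ExtendedProperties.ProductVersion myversion
```

Single quotes are required for any field name that contains a dot, space or other non-identifier character whenever it appears inside eval, where or the eval() argument of a stats function.
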
2 votes, 1 answer

Is there a way to achieve either before/after events in Splunk, or a real-time stream of events in a report?

On a *nix command-line, you can see relative before-and-after lines while using the grep command: grep "abc" -A 2 -B 3 My question: is there any way in the Splunk enterprise product to see relative lines when doing a search? Splunk search supports…
asked by SauriBabu

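An added example, not from the question or its answers, of one way to approximate grep context in SPL: take the matching events, derive a time window around each, and use map to run one search per window. The index, host, source and the 10-second window are assumptions:

```spl
index=app host=web1 source=/var/log/app.log "abc"
| head 5
| eval win_start=_time - 10, win_end=_time + 10
| fields win_start win_end
| map maxsearches=5 search="search index=app host=web1 source=/var/log/app.log earliest=$win_start$ latest=$win_end$ | sort 0 _time | table _time _raw"
```

This is context by time rather than by line count, which is usually what an investigator wants anyway. map launches a separate search for every input row, so keep head and maxsearches small; on a busy source, narrowing the inner search by host and source is what keeps the context readable.
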
2 votes, 2 answers

Splunk Enterprise: I am trying to calculate results where > 4% failure is an anomaly

Splunk Enterprise: I am trying to calculate results where > 4% failure is an anomaly. Is the formula correct to set anomaly? (failcount and total count fields are numeric) | inputlookup sample.csv | eval isananomaly = if('Failcount' / 'Totalcount' *…
asked by parth

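An added example, not from the question or its answers, of the percentage check with the two guards a practitioner would want: lookup fields arrive as strings, so they are coerced explicitly, and a zero Totalcount must not produce a division by zero. The lookup name and field names are the ones in the question; the output labels are assumptions:

```spl
| inputlookup sample.csv
| eval Failcount=tonumber(Failcount), Totalcount=tonumber(Totalcount)
| eval fail_pct=if(Totalcount > 0, round(Failcount / Totalcount * 100, 2), null())
| eval isanomaly=case(isnull(fail_pct), "no data", fail_pct > 4, "yes", true(), "no")
| table Failcount Totalcount fail_pct isanomaly
```

Keeping the computed percentage as its own field makes the threshold auditable: when the 4% cut-off is later questioned, the row shows the number it was applied to.
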
2 votes, 1 answer

How to get data from _raw in Splunk

I have this search query: index="abc" | search SomeInfo | table _raw and it returns a table with results in one column in this format: 2020-09-10 15:57:24,479 [the_value_i_need] INFO java.class.name:52 - SomeInfo|NAME=NAME1 2020-09-10 16:57:33,479…
asked by Foxy

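An added example, not from the question or its answers, of extracting the bracketed value and the NAME key from the raw line format quoted above with a single rex. The index is the one in the question; the field names are assumptions:

```spl
index="abc" "SomeInfo"
| rex field=_raw "^\S+\s+\S+\s+\[(?<bracket_value>[^\]]+)\]\s+(?<level>\w+)\s+(?<logger>\S+)\s+-\s+SomeInfo\|NAME=(?<name>\S+)"
| table _time bracket_value level logger name
```

Anchoring at the start of the line and consuming the date, time and bracket in order keeps the capture from matching a later [..] in the message body. If the same extraction is needed in many searches, the same regex belongs in props.conf as an EXTRACT rule rather than being repeated inline.
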
2 votes, 2 answers

Splunk query to retrieve value from json log event and get it in a table

I have a log event coming in a json format like this { "level":"level name", "exception":"exception message", "logger":"com.log", "thread":"thread name", "message":"exception message", "properties":{ "id":"1234", …
asked by kenz

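An added example, not from the question or its answers, of reading the nested JSON with spath and tabulating it. The index, sourcetype and the value being filtered on are assumptions; the keys are those in the question's event:

```spl
index=app sourcetype=myapp_json
| spath
| rename properties.id AS prop_id
| where prop_id=="1234"
| table _time level logger thread exception message prop_id
```

spath without arguments extracts every path, so the nested key becomes a field called properties.id. The rename is not cosmetic: a dotted field name must be wrapped in single quotes inside eval and where ('properties.id'), and renaming it once avoids that trap in every later clause.
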
2 votes, 4 answers

Splunk limits the results returned by stats list() function

I have a Splunk query which returns a list of values for a particular field. The number of values can be far more than 100 but the number of results returned is limited to 100 rows and the warning that I get is this: 'stats' command: limit for…
asked by Kunal gupta

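An added example, not from the question or its answers, that makes the cap visible and shows the usual way around it. The 100-item ceiling on list() is the list_maxsize setting in the [stats] stanza of limits.conf (default 100); it can be raised on the search head, but that is a server-side change. values() is governed by a separate, much higher limit and also deduplicates, and dc() counts accurately regardless. The index, sourcetype and field names are assumptions:

```spl
index=app sourcetype=access
| stats list(client_ip) AS ips_list
        values(client_ip) AS ips_values
        dc(client_ip) AS distinct_ips
        count BY host
| eval list_len=mvcount(ips_list), values_len=mvcount(ips_values)
| table host count distinct_ips list_len values_len
```

On a host with more than 100 events, list_len stops at 100 while count keeps climbing. If duplicates and order matter, as they do when reconstructing a sequence of actions, the honest answer is to not aggregate at all and keep one row per event (for example with sort and table) rather than to pack an unbounded list into one cell.
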
2 votes, 3 answers

How to search splunk query which includes double quotes in the string to search

I am trying to search for a pattern (see below) in the logs using Splunk. The string which I am going to search includes double quotes. The info log below is printed in the logger: INFO: o.l.k.SomeClass: {"function": "delete",…
asked by Hirein

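An added example, not from the question or its answers, of the two ways to match a string that itself contains double quotes: escape them as \" inside a quoted search term, or match them with the regex command. The index is an assumption; the JSON fragment is the one in the question:

```spl
index=app "\"function\": \"delete\""
| table _time _raw

index=app "function" "delete"
| regex _raw="\"function\":\s*\"delete\""
| table _time _raw
```

The first form is a phrase search and is fast because it uses the index, but it requires the exact spacing the log writer used. The second form is tolerant of whitespace differences; the two keyword terms in front of it are there so the regex is only applied to candidate events rather than to the whole index.
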
2 votes, 1 answer

How to check if the multi-value field contains the value of the other field in Splunk

I need to set the field value according to the existence of another event field (e.g. a field) in a multivalued field of the same event (e.g. mv_field). Here is an example query, which doesn't work as I expected, because the ext_field always has the…

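An added example, not from the question or its answers, that can be pasted into any search bar because it builds its own input with makeresults. It tests whether the single-value field appears as an exact element of mv_field using mvfind, which returns the element's index or null. The sample values are constructed for the example:

```spl
| makeresults count=3
| streamstats count AS n
| eval mv_field=split("alpha,beta,gamma", ","),
       field=case(n==1, "beta", n==2, "delta", true(), "gam")
| eval ext_field=if(isnotnull(mvfind(mv_field, "^".field."$")), "present", "absent")
| table n field mv_field ext_field
```

Row 1 is present, row 2 absent, and row 3 absent as well, because the ^ and $ anchors stop "gam" from matching "gamma". Two details matter: test the result with isnotnull() rather than as a boolean, since index 0 is a legitimate hit, and remember that mvfind's second argument is a regex, so a field value containing metacharacters such as dots needs escaping. mvfilter is not an option here: it can reference only one field in its expression.
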
2 votes, 2 answers

Splunk query filter out based on other event in same index

I have an index named Events. It contains a bunch of different events; all events have a property called EventName. Now I want to do a query where I return everything that matches the following: IF AccountId exists in event with EventName…
asked by JOSEFtw

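An added example, not from the question or its answers, of the two standard ways to keep only events whose AccountId also appears in some other event of the same index. The EventName value AccountCreated is a placeholder, since the question's value is cut off. The two searches are independent alternatives:

```spl
index=Events
    [ search index=Events EventName="AccountCreated" | dedup AccountId | fields AccountId ]
| table _time EventName AccountId

index=Events
| eventstats count(eval(EventName=="AccountCreated")) AS created_events BY AccountId
| where created_events > 0
| table _time EventName AccountId
```

The subsearch form expands into (AccountId="x") OR (AccountId="y") ... and is therefore fast, but it is subject to the subsearch result and time limits, so it silently drops matches once the qualifying event set is large. The eventstats form scans the index once and has no such cap at the cost of holding per-AccountId counters in memory; prefer it when the qualifying set may exceed the subsearch limits.
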
2 votes, 0 answers

How to specify a specific color to each column in Splunk bar chart?

I have a bar chart with the following search query: sourcetype=st AND logger=lg AND (message="A" OR message="B" OR message="C") | stats count by message -48h
asked by r1d1

2 votes, 1 answer

Is there a similar command to multisearch in Splunk for non-streaming searches?

I understand in Splunk that multisearch allows multiple searches to run in parallel. However, it's only for streaming searches. Is there a similar command or way to run non-streaming searches in parallel?
asked by unknown.

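An added example, not from the question or its answers, of what is actually available for combining two non-streaming searches: append, which runs the subsearch after the outer search completes and concatenates the result rows. It is not parallel, and it is subject to the subsearch result and time limits. The indexes, sourcetypes and field names are assumptions:

```spl
index=web sourcetype=access_combined
| stats count AS web_hits dc(clientip) AS web_clients BY host
| append
    [ search index=app sourcetype=app_log level=ERROR
      | stats count AS app_errors BY host ]
| stats sum(web_hits) AS web_hits sum(web_clients) AS web_clients sum(app_errors) AS app_errors BY host
```

Each host appears at most once per side, so the final sum() just merges the two rows into one. When the two sides read the same index and time range, a single search with an OR and conditional stats functions avoids append altogether and is both faster and free of subsearch limits.
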
2 votes, 1 answer

Combining 2 queries based on a common value

1st query: ns=mynamespace* app_name=A-api API=GET_INITIAL_DATA NAME=* 2nd query: ns=mynamespace* app_name=B-api API=GET_FINAL_DATA NAME=* I have the above 2 queries. Each is querying a microservice's logs. But I do not want to call them…
asked by cubeb

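An added example, not from the question or its answers, of folding the two queries above into one search with an OR and correlating on the shared NAME field with stats. The search terms are the ones in the question; the output field names are assumptions:

```spl
ns=mynamespace* NAME=* ((app_name="A-api" API="GET_INITIAL_DATA") OR (app_name="B-api" API="GET_FINAL_DATA"))
| stats count(eval(API=="GET_INITIAL_DATA")) AS initial_calls
        count(eval(API=="GET_FINAL_DATA"))   AS final_calls
        values(app_name) AS apps
        min(_time) AS first_seen
        max(_time) AS last_seen
        BY NAME
| where initial_calls > 0 AND final_calls > 0
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - last_seen
```

Because both sides are pulled by one search, there is no subsearch to hit a result limit, and the where clause is the place to express the relation you need: drop it to see NAMEs that appear on only one side, or flip it to initial_calls > 0 AND final_calls == 0 to find initial requests that never completed.
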