Questions tagged [splunk-query]
697 questions
0 votes, 1 answer
How can I count ids in splunk logs in one line with regex
I have log like:
Segment 5bbdf7b8bbdd3c685a2110bf : UserMap is [512205885, 512112460, 512369891, 512316786, 58587803, 506882296]
Segment 5bbdf7b8bbdd3c685a2110bf : UserMap is [514348564, 506722271, 513844106, 513725157]
Segment…

Gaurav Yadav
0 votes, 2 answers
search for all fields which have some string in field
How can I get only results for specific fields where the field name is like something?
e.g.
get all fields which have "status" in their field name.
I tried this but it doesn't work:
sta*
I want also to do later this:
sta* OR STA* OR Sta*

aalb2993
0 votes, 1 answer
Splunk dbxquery to call stored procedure with subsearch to populate parameter not working
I have two working Splunk queries as follows.
The first one takes in an IP Address and datetime and returns a Mac Address:
index=dhcp signature=DHCPACK dest_ip="192.0.0.0"
latest="05/30/2018:00:00:00"| rename dest_mac as mac_address | table
…

Russ Clark
0 votes, 1 answer
Merge events by time to create a table for 3D Scatterplot
I have a list of events, with the following content
event1: _time=123 Tag="X" Value="12.2"
event2: _time=123 Tag="Y" Value="55.2"
event3: _time=123 Tag="Z" Value="3.2"
event4: _time=234 Tag="X" Value="12.4"
event5: _time=234 Tag="Y"…

Michael Boesl
0 votes, 1 answer
I have a join query which I need to optimize using OR and stats; I am new to Splunk and I am confused about how to start
index="index1" sourcetype=sourcetype1 | join commonfield [ search
index="index2" sourcetype=sourcetype2 ] | sort _time | stats
last(index1field1) as state by index2field1, index1field2, index1field3
| where index1field1 != "UP" | dedup…

m4sucess
0 votes, 1 answer
How to embed a timechart visualization from a Splunk query into a web app?
I have the following Splunk query that produces the following visualization:
I would like to embed this exact visualization into a web app using an iframe. How can I do this?
Currently, I am using the Splunk HTTP REST API and can submit & get the…

aBlaze
0 votes, 1 answer
Query to find the unique code in splunk
Can someone suggest a query to send the unique error code count.
Example: 2006
In between the tags (in place of 2006) different codes are printed.
I need a query to pull all the unique error codes.

Sandeep muthyapu
0 votes, 1 answer
Splunk Failed Login Report
I am relatively new to Splunk and I am trying to create a report that will display a hostname and the amount of times that host failed to login within the past five minutes, when they failed 3 or more times. The only way I was able to get the initial…

JShorr03
0 votes, 1 answer
How to find all the events that do not match a pattern in Splunk?
I am trying to find all the events that do not match a specific string in Splunk. In my case I am trying to build a report for all the events where ResponseCode:401, ResponseCode:404 etc. In short, it could be anything but 200.
But not sure how to do…

Nital
0 votes, 1 answer
How to print line numbers for an event in Splunk
I wanted to print the number of lines for an event in Splunk after querying it.
Ex: index=* host=* source=*application* this query is giving all the events but I want to print/get number of lines for each and every event. I tried with len() of Splunk…

Sat
0 votes, 1 answer
Joining 2 different searches in Splunk
Search 1:
app="atlas" source="/usr/local/homeaway/atlas-production/logs/*" index="aws_prod_applogs" titan | stats avg(*responseTime) by date_mday
Search 2
app="atlas" source="/usr/local/homeaway/atlas-production/logs/*" index="aws_prod_applogs"…

skphi13
0 votes, 0 answers
How to control an input variable in a dashboard
I am struggling with the query below:
search..
| table .. AA_ID, BB_ID ..
| where (match(AA_ID, $AAID$) OR isnull($AAID$)) AND (match(BB_ID, $BBID$) OR isnull($BBID$))
.
$AAID$ and $BBID$ are from input variables in a dashboard I made and they are…

semenbari
0 votes, 2 answers
DATETIME losing hh:mm when changing CREATE TABLE to SELECT INTO
I am currently migrating all of my company's reports into Splunk Data Labs input for ingestion. The reports create temp tables using the CREATE TABLE format, which is incompatible with Splunk; however, the SELECT INTO format works just fine.
The error…

Kilik
0 votes, 1 answer
Can "eval" be used to set an event equal to a search string?
I have two specific search strings I use to narrow down my search in the format of:
index=someIndex "searchtermA" OR "searchTermB" | ....
I want to be able to chart the two values (as their own unique counts in one chart) however field extraction…

user8728708
0 votes, 1 answer
Need Splunk query for finding common elements between two fields when each field is a list
I have each event as a JSON object below which is indexed by Splunk. How can I have a Splunk query such that I find all such failures which happen to be present in both "failed" and "passed" arrays?
"output":{
"date" : "21-09-2017"
…

Zack