Questions tagged [splunk-query]

697 questions
0 votes, 2 answers

Splunk searching questions

Will the following searches return the same results? SEARCH 1: ssh error SEARCH 2: ssh AND error Will the following searches not return the same results? SEARCH 1: purchase SEARCH 2: action=purchase
0 votes, 1 answer

How do I create a Splunk query for unused event types?

I have found that I can create a Splunk query to show how many times results of a certain event type appear in results. severity=error | stats count by eventtype This creates a table like so: eventtype |…
Thunderforge
0 votes, 1 answer

How to show a tree structure database in Splunk?

How do I display a tree-structured database table/collection (any database) in Splunk? For example: if we have Parent that has ChildA and ChildB. Further, ChildA has ChildA1, ChildA2 and ChildA3. ChildB has ChildB1 and ChildB2. When I choose Parent, it…
Mr Singh
0 votes, 1 answer

In Splunk, the streamstats function gives cumulative data on a weekly basis but displays data "Thursday to Thursday" instead of "Monday to Sunday"

In Splunk, I want to display data cumulatively on a weekly basis, but the query below is counting data from "Thursday to Thursday" instead of "Monday to Sunday". Please help. index=c sourcetype=c | timechart count(eval(State = "Closed" OR State=…
sud
0 votes, 2 answers

How to chart a search that returns an event with multiple facets that have a name/result pair in Splunk

I am doing the following search: source="new_relic_insights://NRInsightsAPI_rc_ShopFront_Top10Transactions" | search * | head 1 This returns a single event, and within its facets I have a name: xyz and results.sum: 123 The sum corresponds to the…
TomH
0 votes, 1 answer

Display selected fields in a Splunk query

I am trying to create a table in Splunk of some service endpoints and the calculation time taken by each endpoint; now the problem is that I want to display selected endpoints based on time. This is the query I wrote to display the fields. index="test" |…
0 votes, 0 answers

LDAP Authentication/Bind tracking via Windows Events and/or Splunk

I'd like to have a Splunk query to show LDAP authentication/binds to a group of AD servers. However, if this can be found via Windows events, I can then write the query in Splunk. I'm a bit new with LDAP and Splunk... Current search (50 or so results…
0 votes, 1 answer

How to forward logs with Splunk Forwarder for files with no header, with the logs in key/value form

I have a Splunk forwarder set up already on my host. I have certain files in the folder (/tom/mike/). File names start with Back*. The content of a file may be in one or multiple lines. There are multiple fixed-position values separated with some…
user2187367
0 votes, 2 answers

What does Splunk count when more than one field is used in the 'top' command?

When I type this search query in the Splunk search head: index=main sourcetype=mySrcType | top fieldA fieldB Splunk automatically adds a count column to the resulting table. Now, what is this count? Is it a simple sum of each field count?
Ahmed Hussein
0 votes, 0 answers

Splunk query returns fewer results than expected

I am using this command to get top 200 results from Splunk on my_field: q = "search index=idx host=nets* mydomain.com | top limit=200 my_field" When I run this in Splunk, it gives me 200 results. However, when I run it using the Splunk Python SDK,…
trans1st0r
0 votes, 1 answer

Splunk - Get a distinct count of field values matching a regex

I am doing this - <<>> | search $country$ $campaign_name$ event_name=email OR event_name=event|stats dc(person_id) Now at the end, instead of dc of person_id, I need a count of person_id values that match a regex - <<>> | search $country$ $campaign_name$…
G.D
0 votes, 1 answer

How to use rex command to extract two fields and chart the count for both in one search query?

I have a log statement like 2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{"message":{"TransactionStatus":true,"TransactioName":"removeLockedUser-1498029828160"}} . How can I extract TransactionName and TransactionStatus and…
anu arora
0 votes, 1 answer

How do I create a dashboard that searches other dashboards for recently modified or updated dashboards in Splunk?

So I was just wondering if it is possible to create simple XML or HTML code for a dashboard that searches for all other recently modified or updated searches of dashboards in Splunk? And if so, when I search up these updated databases I would…
Abarry
0 votes, 1 answer

How to add a filter specific to each column in a Splunk dashboard

I am creating a dashboard from Splunk logs. In this dashboard, I want to add a filter to each column. Just by writing into the filter text box, the data needs to be filtered, something like this. Here is the source detail
nand
0 votes, 2 answers

Single Email Alert with Multiple Queries in Splunk

When we trigger an email through Splunk we want to display 3 tables with different result sets. Is there any option to configure more than one Splunk query for a single email alert? Please help with your inputs.
user2057006