Stack Overflow
Stack Overflow

Questions tagged [splunk-query]

697 questions
0
votes
1 answer

In splunk, how to create Private Lookup table for individual?

As I am working on network security project. I need to create private lookup table for individual users, such that any other user shouldn't see the content of other users Lookup table. I have created Lookup table by: curl -k -u username:pwd…
Sumangala Amati
  • 1
  • 3
0
votes
1 answer

mvzip + mvexpand trick for fields of different cardinalities

I need to expand multiple MV fields in Splunk. The answers here work if each field in a row has the same cardinality. One of the fields in my dataset sometimes has a single value - NULL - in which case Splunk does not include the entire row.…
Roko
  • 35
  • 1
  • 7
0
votes
1 answer

How to find unique patterns in log file via splunk sdk

I have a requirement to identify all unique log patterns from splunk. I can get it on Patterns on pattern tab on splunk UI, but want to get it programmatically. I can get search results using splunk sdk, not able to find unique log patterns.
user1035864
  • 61
  • 4
0
votes
1 answer

How to delete queried results from Splunk database?

Query is on Splunk DB data delete: My requirement: I do a query to splunk, based on time stamp, "from date" & "to date". After I got the list of all events results between the timestamp, I want to delete these list of events from the Splunk…
DharmendraSetty
  • 1
  • 1
0
votes
1 answer

Why data appear if I add " index=* " in the query?

I am using splunk to search for company's log. I am wondering, why do I need to add "index=" in the query, e.g. env=dev index= Without "index=*", no data will be returned. Why do we need it? and what does it mean? I am confused, because each term…
janetsmith
  • 8,562
  • 11
  • 58
  • 76
0
votes
1 answer

Splunk: query when the same user called the same endpoint less than 30 minutes apart

Based on the following entries: ORDER=entry1 USER=user1 EP=endpoint1 TIME=10:00 ORDER=entry2 USER=user2 EP=endpoint1 TIME=10:01 ORDER=entry3 USER=user1 EP=endpoint1 TIME=10:05 ORDER=entry4 USER=user2 EP=endpoint1 TIME=11:00 I want to write a Splunk…
Alexandre Santos
  • 8,170
  • 10
  • 42
  • 64
0
votes
1 answer

Splunk Log - Date comparison

I have configured my application logs over splunk and want to do the following - Get events when the string has today's date Get events when the string has tomorrow's date. I have tried to write a query as below for #1, but it doesn't seem to…
Bhaskar
  • 337
  • 6
  • 21
-1
votes
2 answers

Splunk - Retrieve a description from a nested JSON string

I have some Splunk events that include a field named ResponseDetails. ResponseDetails is a JSON object that includes a child object with a property named results. results is an Array of objects that have a property named description. An example…
Developer
  • 89
  • 1
  • 4
-1
votes
2 answers

Unique value number between <>

How can I get unique value number for below. SeqNum, by host name. Appreciate your help in advance Thank you I tried | Search SeqNum<*> | Stats count by host Getting table and total value by host but not getting unique number value
Sandeep Parcha
  • 1
-1
votes
1 answer

python script to run splunk query and get output as text output

Trying to run below code it executes but I do not get the correct value any help is appreciated expecting single value like 492. Code runs but does not give the correct value. Tried splunk library but unable to use those. import urllib import…
user3754136
  • 509
  • 11
  • 25
-1
votes
1 answer

Regex in splunk - starting with number and has comma in between

I am trying write a regex to extract the number so that I can calculate the sum. Below is the event: abre0001.pxm: 55 records processed as of 2022-07-28 00:55:51.829407 abre0001.pxm: 23,555 records processed as of 2022-07-28 00:55:51.829407…
knowledge20
  • 1,006
  • 3
  • 14
  • 25
-1
votes
1 answer

Multisearch not doing what I expect

The message format we chose uses a field called scope to control the level of aggregation you want (by request_type, site, zone, cluster). The scope is set with a dropdown and passed in as a token. I wanted to use multi-search to coalesce the…
Stephen Dimig
  • 33
  • 1
  • 5
-1
votes
2 answers

Alert in splunk based on remediation condition

I am trying to create an alert in splunk such that if there is a expression "Error occured due to connection" present in logs and if this is not remediated automatically after the 5 min it should generate an alert. Here remediation can be if the…
knowledge20
  • 1,006
  • 3
  • 14
  • 25
-1
votes
1 answer

Is it possible to forward raw Security Onion data/logs to splunk (stand-alone) server for visualization?

I am trying to forward raw data collected by security onion to Splunk server installed in stand-alone mode
talib ansari
  • 1
-1
votes
1 answer

Extract custom field in Splunk from specific events

I want to extract the kind of error and store it in the field error_type for each event. I have three kinds of errors majorly occurring in my logs within different events. I want that error_type should populate only the error that particular event…
knowledge20
  • 1,006
  • 3
  • 14
  • 25
1 2 3
46 47