Questions tagged [splunk-query]

697 questions
2 votes, 2 answers

Splunk Rex: Extracting fields of a string to a value

I'm a newbie to Splunk trying to do some dashboards and need help in extracting fields of a particular variable. Here in my case I want to extract only KB_List":"KB000119050,KB000119026,KB000119036" values to a column. Expected…
Rczone
2 votes, 1 answer

Splunk query based on the results of another query

A Splunk question... I've found a few Google hits that I thought were going to help with this. I'm trying to perform a search for all "rows" that are returned by an outer search/query. I am by no means a Splunk expert, not even a power user! The…
Simon Catlin
2 votes, 2 answers

How to pass 'time' query to Splunk Enterprise using Splunk-Python SDK?

I am trying to pass a query from Python (Eclipse IDE) to extract data from a specific dashboard on Splunk Enterprise. I am able to get data printed on my console by passing the required queries; however, I am not able to extract data for specific…
NagarjunKS
2 votes, 3 answers

Splunk Query to find greater than

I have a Splunk log LOG: "TOTAL NUMBER OF RECORDS IS:0". I need to query it in a way that it finds a log message if the number of records turns out to be more than 0. I have tried the following: sourcetype=mylogs | rex "\d+:\d+:\d+\s(?
ThatComputerGuy
2 votes, 1 answer

Splunk search query with where clause not working

I am using the Splunk Java SDK to search a pattern from the Splunk server. I am using the pattern search index=* env=* (GET OR POST OR PUT OR DELETE) | where isNum(httpStatusCode). When I am using this query with the Java SDK, Splunk is not sending any event. But…
Gopal Kumar
2 votes, 0 answers

Calling external rest api from Splunk search query

I am looking for whether there is any way I can call an external REST API (GET call, sample URL shown below) from the Splunk search query panel, parse the JSON response and display it in a table. https://jsonplaceholder.typicode.com/posts Does Splunk allow…
Sujit
2 votes, 1 answer

Splunk: find what a user is searching for?

I am trying to write a Splunk SPL query that will show me the most popular search terms that a user is looking for in one of my web apps. I have the logs already in Splunk, but I am having a hard time extracting the search parameter from the event. The…
AAA
2 votes, 1 answer

Splunk Enterprise HEC not sending data

I've installed the Splunk Enterprise trial. I've enabled the HTTP Event Collector feature as described here which enables sending machine data from my app into Splunk. I tried to send a POST request using Postman to Splunk and got no…
2 votes, 0 answers

Change the output_mode when making saved search request using Splunk JS SDK

I use the following code to make a saved search request. I get the output in JSON_ROWS format. I would like to get the result in JSON or XML format. Where can I specify the expected output format in the request? // The saved search created earlier …
wawanopoulos
1 vote, 1 answer

Splunk map pass multiple values

I want to create an alert based on the following search: search string "a.string", extract fields xx, yy, then search "another.string" AND xx, then extract field zz |table xx, yy, zz. Here is what I came up with (removed other fixed strings in the rex…
John
1 vote, 1 answer

Splunk comparison in lookup tables and display output

I have 2 lookup files, lookup1.csv and lookup2.csv. lookup1.csv has the data as below: name, designation, server, ipaddress, dept tim, ceo, hostname.com, 1.2.3.5, alldept jim, vp, myhost.com, 1.0.3.5, marketing pim, staff, nohost.com, 4.0.4.8,…
Bond
1 vote, 0 answers

Enrich main search with fields from subsearch

I'm tracking the usage of the DomainAdmin account and monitoring which users had an active logon session on the server from where DomainAdmin logged in. Here's the query I'm currently using: (event_simpleName=UserLogoff OR…
Loproc
1 vote, 1 answer

Splunk - Group X-axis elements together

I have this chart in a Splunk dashboard. The x-axis refers to the different hosts executing our BAU Process. The y-axis refers to the time taken for the BAU Process to finish. The code to generate the chart is (host = "A" OR host = "B" OR host = "C"…
waffledood
1 vote, 1 answer

Splunk - Charting average transaction duration (Y-axis) over host (X-axis)

I am using Splunk to chart the average duration of a transaction for each host; refer to the search query below: (host = "A" OR host = "B" OR host = "C" OR host = "D" OR host = "E" OR host = "F" OR host = "G" OR host = "H") AND source =…
waffledood
1 vote, 1 answer

Splunk - show only some fields in the search

I have 4 fields in a log file: index, userId, dateTime, name. I want to show only 2 fields in the search for a given criterion, like this: index="AAA" userId="user123" | chart dateTime, name by criterio1. But it gives an error. If it were in SQL it…
Peter Roman