Questions tagged [splunk-query]

697 questions
1 vote, 1 answer

Sorting the splunk timechart table with the values in descending order based on a row's values in the timechart table

This is my Splunk query: index=xxxxx "searchTerm")|rex "someterm(?)" | timechart count by errortype span="1w" | addcoltotals labelfield=total | fillnull value=TOTAL | fields - abc,def,total I am adding the total count of the errors over a…
nsingh
1 vote, 2 answers

Sum of numeric values in all events in given time period

I have following events that are logged periodically (every minute): 14:58 index=prod_service service.error error.count="3" 14:59 index=prod_service service.error error.count="4" 15:00 index=prod_service service.error error.count="0" 15:01…
Yoey
1 vote, 0 answers

Apache Spark to query directly a Splunk search result

Small question regarding an integration between Apache Spark and Splunk please. Currently, I am doing a search query in Splunk. The result is quite big. Then, I need to perform some kind of data analytics from it. Therefore, each time I get the…
PatPanda
1 vote, 2 answers

Need to write a regex to extract path for first 5 slashes or up to a number for Splunk

Hi, I need to write a regex to extract the path from the first 5 slashes of the path, or up to a number. Example: https://example.com/first/second/third/fourth/fifth/sixth…
Sumit Dhameja
1 vote, 1 answer

How to find duplicate log events in Splunk

I'm trying to query my Splunk logs to find duplicate data, but am unable to find the right query. Example logs: {"time":"2021-07-08 02:16:17.9232","level":"debug","message":"update","parameters":{"id":["1"], other params...}} {"time":"2021-07-08…
Nic
1 vote, 1 answer

dispatch.earliest_time in savedsearches.conf file

What does dispatch.earliest_time = -15m@m mean in the savedsearches.conf file? I'm confused about what the exact time for -15m@m is. Thanks.
Jen
1 vote, 2 answers

Set difference of a table field in Splunk

From a search I composed a table, let's call it T1, formed by two columns: name, sourcetype. Now I need to create a static, code-generated table, call it T2, that contains all the expected values for the above-mentioned table T1, hardcoded. 1st…
Guido
1 vote, 1 answer

Splunk data export using API

I want to export data from Splunk via the REST API. I've been wondering whether there is a good "Splunk export" solution that can help me send my query output/result to a third-party application with the help of the REST API. I have created the below Splunk…
SherKhan
1 vote, 2 answers

How Can I Generate A Visualisation with Multiple Data Series In Splunk

I have been experimenting with Splunk, trying to emulate some basic functionality from the OSISoft PI Time Series database. I have two data points that I wish to display trends for over time in order to compare fluctuations between them,…
Paul Johnson
1 vote, 1 answer

Splunk: regex - No events counted

I am trying to extract a field after a specific expression using regex and then running a query which counts the events where this condition is met. I did this: query | rex field=_raw "text: (?\d+)" | timechart partial=f span=5m count as…
Tobitor
1 vote, 1 answer

Splunk Alert Creation

I am new to Splunk and need a suggestion for creating the below alert in Splunk. I need to create an alert which will check the log file's last-updated timestamp, and if it has not been updated for the last ten minutes, then the alert should be triggered. Thanks in…
Peter.Fox
1 vote, 2 answers

Issue with Splunk Query Stats not bringing in all values

I have a log which has below lines in it: "Results":{"Elapsed":"0","Message":"No of Application to Obsolete in Teradata : 4","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}} "Results":{"Elapsed":"0","Message":"Total Application Asset in Teradata…
Amit
1 vote, 0 answers

Splunk event increasing logic with each SPL query

I am getting data in Splunk from Snowflake using Splunk DB Connect. This is just simple orders data. At Splunk search & reporting I am running the following query on my table to get visualization. source="big_data_table_inner_join" "UNITS_SOLD" |…
1 vote, 2 answers

Splunk: Find events that don't have a certain attribute logged as different log lines

We have Splunk logs like: ts=20:10:01 id=1 state=first foo=bar ts=20:10:05 id=1 state=second foo=bar ts=20:10:06 id=1 state=third foo=bar ts=20:10:03 id=2 state=first foo=bar ts=20:11:01 id=3 state=first foo=bar ts=20:11:03 id=3 state=second…
Sumitk
1 vote, 1 answer

How do I access an array value inside a case in Splunk?

I'm new to Splunk and need some help with the following: authIndexValue[] is an array that will hold at least one value. I want to access its value from inside a case in an eval statement, but I get this error: Unknown search command '0'. I also…
Raul Marquez