You need to look into mvfilter – once the data is in multivalue fields in Splunk, you can do something like the following:
| eval missing_item_list = mvfilter(!match(full_list,"bb"))
from User warren – Stack Overflow https://stackoverflow.com/questions/77579583/regex-search-for-absence-of-a-string-inside-a-string-multiline/77607025#77607025
Answer by warren for How do I use a specific date/time in Splunk dashboard with earliest and latest?
You can use a time picker, and then select from it the earliest and latest in your search. Say you name your time picker timetok. The search would look like this:
index=ndx sourcetype=srctp earliest=$timetok.earliest$ latest=$timetok.latest$ …
from User warren – Stack Overflow https://stackoverflow.com/questions/77497243/how-do-i-use-a-specific-date-time-in-splunk-dashboard-with-earliest-and-latest/77532620#77532620
Answer by warren for Regex extraction from Right to Left
You want a variable-list of field names extracted from delimited data in reverse order? How many entries could you possibly have? Three? Five? Two hundred seventy-four? Are you trying to do this at search time (i.e. in SPL you are writing/running), or in props.conf? If you are trying to do this at search time, …
Answer by warren for How Can a Dropdown be Used to Filter Splunk Query Results
The simplest way to do this will be to create a list in your dropdown whose entry values are the field names (i.e. Model.Old & Model.New). Call the name of that token, say, modelchoice. Then have a single search on your dashboard that looks like this:
index='splunk_demo' source='demo.zip' | fields Name, Model.New, Model.Old, Price | …
Answer by warren for Splunk HTTP collection ignores props.conf file
Yes, you can force a given field in the JSON data coming into the HEC to be the timestamp. If you do not, _time will populate with the timestamp of when it is received by Splunk. This line in props.conf will set _time to index/received time:
DATETIME_CONFIG = CURRENT
Check out the props.conf docs for …
Answer by warren for In Splunk, how do I efficiently map data from separate searches into the same row?
What IS the common field across these events? IP address? Hostname? Something else? Something along the lines of this will get you started:
index=ndx sourcetype=srctp ip=* | fields - _raw | fields _time ip req_id session_id app_id cust_id | fillnull value="n/a" req_id session_id app_id cust_id | stats count by ip req_id session_id app_id cust_id | …
Answer by warren for How to write a splunk query to get the result for every hour in a day?
Perhaps timechart will suffice?
index='xyz' sourcetype='abc' status='completed' | timechart span=1h count by status
from User warren – Stack Overflow https://stackoverflow.com/questions/77001574/how-to-write-a-splunk-query-to-get-the-result-for-every-hour-in-a-day/77004668#77004668
Answer by warren for Splunk regex filter events only one occurrence of special character
@Jerry's response is interesting – I would do something similar:
index="association" sourcetype="escaplogs" | rex field=data.val max_match=0 "(?<slashes>\/)" | where isnotnull(slashes) AND mvcount(slashes)<2 <rest of search>
This is going to find everything that a) has at least one slash (isnotnull(slashes)) in the field data.val, and b) throw out everything with more than 1 (mvcount(slashes)<2).
from User warren …
Answer by warren for splunk map pass multiple values
You might try something like this (presuming you have a common field like hostname in each event):
index=ndx sourcetype=srctp ("a.string" OR "another.string") | rex field=_raw "some text that exists in events with a.string (?<xx>\S+) (?<yy>\s+)" | rex field=_raw "other text found with another.string (?<zz>\S+)" | fields xx yy zz hostname | stats values(*) as * …
Answer by warren for SPLUNK data trim
You only have "enough space in [y]our index" if there is enough disk space. Splunk rolls data on the following conditions:
- maximum index size reached
- maximum retention reached
- out of disk space
If you run out of disk space, Splunk starts rolling data out of Hot/Warm into Cold (or, out of Cold into Frozen) as …
Answer by warren for How to use splunk eval to show a list from an object property
Presuming your sample stats line works, add this where clause after the stats:
| where isnotnull(status)
from User warren – Stack Overflow https://stackoverflow.com/questions/76839007/how-to-use-splunk-eval-to-show-a-list-from-an-object-property/76851409#76851409
Answer by warren for Splunk query(SPL). Replace a value or anything that comes after the value until a special character
Use an eval replace(). It's still regex based, but simpler to understand (and, often, faster to run) than rex mode=sed:
| eval myfield=replace(myfield,"e2_quote_policy_ask_zipcode[^\/]+","AskZipcode")
from User warren – Stack Overflow https://stackoverflow.com/questions/76784785/splunk-queryspl-replace-a-value-or-anything-that-comes-after-the-value-until/76805109#76805109
Answer by warren for List unique values from splunk events
stats will be your friend here:
index=myIndex container_name="abc-mno-pqr" "status code :: 50*" | stats latest(status) as Status-Code by transactionId
If the fields transactionId and status are not yet extracted, you'll need to pull them out. A way to do this at search time is with rex:
| rex field=_raw "code\D+(?<status>\d+)" | rex field=_raw "^\[(?<transactionId>[^\]]+)"
regex101 …
Answer by warren for Parsing raw text in splunk between a word pattern
IF your pattern is actually in the format of
com.abc.xyz.service.exception.MY ERROR: null
and you want whatever is between the last dot and the colon, then this works:
| rex field=_raw "\.(?<errcode>[\w\s]+)\:"
from User warren – Stack Overflow https://stackoverflow.com/questions/76690264/parsing-raw-text-in-splunk-between-a-word-pattern/76699892#76699892
Answer by warren for Alternative to 30+ `| rex field=path mode=sed…` in order to replace path parameters in urls
This sounds like a job for transforms.conf, or maybe just to properly extract all those fields with props.conf. If you're waiting until search time to mask data, you're still storing all of what you're trying to mask. Lastly, eval myfield=replace(my_field,"regex","literal string") is almost always faster, in my experience, than rex mode=sed. Doc.Splunk references for eval, …
Answer by warren for Splunk query to map Exceptions to Endpoints
This answer presumes your fields are already properly extracted. If they are not, you'll need to do that first (and we can help you with it). Something like this should do the trick for you:
((index=ndxA sourcetype=srctpA) OR (index=ndxB sourcetype=srctpB)) thread=* spanid=* loglevel=* | stats values(errorCode) as errorCode values(httpUrl) as httpUrl values(httpMethod) as httpMethod max(_time) …
Answer by warren for Query Splunk using Power BI
Without knowing a lot more about your use case(s), specific advice is going to be difficult to give. However, you can easily hit the Splunk REST endpoint for saved searches, reports, and ad-hoc searches from anything that can speak REST with proper credentials/tokens. There are limits to how much data can be returned via REST, …
Answer by warren for Splunk : re-run alert when count > 1 and alert only if both have count >1
Instead of running an alert twice, run it once (at quarter past), but compare the results of the last 5m to those from 15m-10m ago.
from User warren – Stack Overflow https://stackoverflow.com/questions/76476439/splunk-re-run-alert-when-count-1-and-alert-only-if-both-have-count-1/76482448#76482448
Answer by warren for case like does not work in Splunk, no string is matched
First, like is a function – so it needs to be used as one. This should work:
index=log_ad | eval tag=case(like(Hostname,"%SRV%"), "server", like(Hostname,"%DC%"), "controller", 1=1, "not matched") | top tag, Hostname
from User warren – Stack Overflow https://stackoverflow.com/questions/76404006/case-like-does-not-work-in-splunk-no-string-is-matched/76406646#76406646
Answer by warren for Get statistical distribution of multivalue entry in Splunk
First, you need to break the multivalue field into separate entries. This is one way to do it:
| makemv delim="," product_category | mvexpand product_category | stats values(product_category) as vpc dc(product_category) as dpc count by user_id
from User warren – Stack Overflow https://stackoverflow.com/questions/76386274/get-statistical-distribution-of-multivalue-entry-in-splunk/76400300#76400300
Answer by warren for How to trigger an custom alert condition of multiples from the basic search of Splunk?
Splunk is case-sensitive … except where it isn't 🙂 By default search ANDs. But if you want to be explicit, you must all-caps AND – just like you must all-caps OR:
index=ndx sourcetype=srctp "someval" "someotherval"
is the same as:
index=ndx AND sourcetype=srctp AND "someval" AND "someotherval"
Splunk views "and" as raw text to look for, …
Answer by warren for how to remove dynamic column
If I understand correctly, you have some NULL fields after your join. If that is correct, the following should get you at least close:
<search that gets through the `join`> | stats values(*) as * by <unique fields you know exist> | fillnull value="-"
stats values(…) will only include fields for which there is at …
Answer by warren for Regex breaks with “/” character instead of newline
Instead of using rex, this can all be done with eval and mvexpand. A run-anywhere example:
| makeresults
| eval urls="https://www.example.org/|http://example.com/|ca.gov|http://blade.example.com/bikes/airplane.php|http://alarm.example.com/|smugmug.com|shop-pro.jp|https://example.org/|qq.com|pcworld.com|symantec.com|360.cn|http://example.com/?brother=bike|http://www.example.com/behavior/bead.php|army.mil|https://example.com/boy/bedroom.php|https://example.com/|https://www.example.com/brother?activity=believe|https://www.example.net/achiever/bottle.html|http://believe.example.com/bit?bait=base&bone=ball|aboutads.info|http://www.example.com/|http://www.example.edu/afternoon|livejournal.com|http://border.example.com/box/afterthought|oaic.gov.au|https://www.example.edu/base.php|house.gov|smh.com.au|http://www.example.edu/|https://www.example.org/|lycos.com|https://border.example.com/?bridge=basket&blood=animal|hibu.com|http://example.com/"
| eval urls=split(urls,"|")
| mvexpand urls
| eval busted=split(urls,":")
| eval busted=mvindex(trim(split(trim(replace(mvfilter(match(busted,"\.")),"\/"," "))," ")),0)
I combined the last several steps into one line, but this is what it's doing: break the URL list based …
Answer by warren for Splunk: Finding results of a field that have the same peer, but two or more different securityName fields
Just use stats to do this – there shouldn't be a need to rex-out the end (or, at least, not the way you're attacking it so far):
index=ndx sourcetype=srctp peer=* securityName=trap* | stats values(securityName) as securityName by peer | where mvcount(securityName)>1
from User warren – Stack Overflow https://stackoverflow.com/questions/76133855/splunk-finding-results-of-a-field-that-have-the-same-peer-but-two-or-more-diff/76146566#76146566
Answer by warren for Splunk Coalesce Function
The SPL you shared shows the rename after you attempt to coalesce():
base search | eval test=coalesce(field1,field2) | rename "space field 1" AS field1, "space field 2" AS field2 | table field1 field2 test
Pretty sure what you want is this:
base search | rename "space field 1" AS field1, "space field 2" AS field2 …