python (65.1k questions)

javascript (44.2k questions)

reactjs (22.7k questions)

java (20.8k questions)

c# (17.4k questions)

html (16.3k questions)

r (13.7k questions)

android (12.9k questions)

Questions - splunk

How to evaluate a Splunk field which represents the length of another field?

I've loaded the following example file containing lines of JSON into Splunk: {"duration":2134,"input":["foo","bar"],"level":"info","msg...
test-img

Kurt Peek

splunk

splunk-query

Votes: 0

Answers: 1

Latest Answer

Use mvcount('input{}') in replace of length(input) Edit: Put Single quotes around input{} as {,} are special characters.
test-img

Daniel Price

Anomalydetection's Non existing by clause

The Search Command, Anomalydetection, does not have a by clause but I want to be able to group the data via a field, and run the Anomaly detection on each grouping separately. Is there a way todo this...
test-img

Daniel Price

splunk

Votes: 0

Answers: 0

Handling multiline formats in splunk

I am not sure of how to set the BREAK_ONLY_BEFORE I have try setting BREAK_ONLY_BEFORE: date but it throws error My logs are : [2022-04-05 11:18:23,839] WARN Error while loading: connectors-versions...
test-img

Achu

splunk

multiline

fluentd

Votes: 0

Answers: 1

Latest Answer

The better method is to set LINE_BREAKER to a regular expression that defines the start of each event. These props.conf settings should do it. [mysourcetype] SHOULD_LINEMERGE = false LINE_BREAKER = (...
test-img

RichG

How to use a token for a rex in Splunk?

I have a token $token_rex$ set up as follows in the dashboard: <set>mvjoin(mvmap('token_keywords_mv',"(?&lt;".'token_keywords_mv'."&gt;".'token_keywords_mv'."+?)...
test-img

yaserso

splunk

splunk-query

splunk-dashboard

Votes: 0

Answers: 1

Latest Answer

When I try to reproduce your results with this dashboard code: <form> <label>test</label> <fieldset submitButton="false"> <input type="text" toke...
test-img

RichG

Posts

Questions

Blogs

Jobs