Jul 10, 2019 · index=myIndex FieldA="A" AND LogonType IN (4,5,8,9,10,11,12) The documentation says it is used with "eval" or "where" and returns only the value "true". But it …

Jul 6, 2021 · Solved: Hello everyone! I need some help with figuring out how to make this base search the best way without hitting the 500.000 limit aswell.

Jul 9, 2013 · Solved: if one of my fields is host, I want to do host like "startswith*" what is the syntax to do that? thanks,

Oct 12, 2021 · I have a question about how to write a subquery in Splunk. for example I would like to get a list of productId that was returned, but later was not purchased again. NOT IN …

Oct 11, 2017 · The difference between where and search, in my opinion, is that search is best for field to value comparisons and where is better for field to field comparisons (or evaluating a …

Dec 11, 2019 · You should be using the second one because internally Splunk's Query Optimization converts the same to function like(). Which implies following query in Splunk Search

Sep 2, 2024 · Hi All I did a look around for a syntax definition for SPL in Notepad++ and didn't find one. Attached is my attempt. Feel free to use. if you have any suggestions, changes etc then …

Sep 4, 2018 · Hi griffinpair, try something like this: your_search NOT [ search sourcetype="si_Export_FileMissed" earliest=-24h@h | eval clearExport = ClientID + " " + …

Mar 20, 2024 · Firstly, if your subsearch uses the same source index as the outer search, it's more often than not that the search can be written without using the subsearch. Secondly, the …

Sep 13, 2011 · The date_wday=Monday syntax works for me. If you are getting back data from late Sunday night in your mix, then you might have a timezone specified incorrectly or getting …