topic Re: How to count similar events per 5 minutes in a 60 minute search? in Deployment Architecture https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212909#M7941 <P>Try this</P> <PRE><CODE>| bin _time span=5m | stats count, latest(_time) as "latest login" by _time acddev, acduser, acdfrom, acdreason | table _time "latest login" acddev acduser acdfrom acdreason count | sort -_time </CODE></PRE> Fri, 05 Aug 2016 12:37:06 GMT sundareshr 2016-08-05T12:37:06Z How to count similar events per 5 minutes in a 60 minute search? https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212908#M7940 <P>Hi, I'm trying to have a table of failed login attempts. The table shows all failed login attempts for the last 60 minutes but, I want to group similar attempts by device, username used, attempt from and reason for failure.</P> <P>I've already managed to group them but, I don't want the table to show the count for similar events for the last 60 minutes. Instead, I want it to group by similar events for last 5 minutes WHILE showing all the attempts for the last 60 minutes. I'm not even sure this is possible. I tried bucket _time span=5m but, it still groups by the whole 60 minutes. Here's what I have so far;</P> <PRE><CODE>stats count, first(_time) as "_time" by acddev, acduser, acdfrom, acdreason | table _time acddev acduser acdfrom acdreason count | sort -_time </CODE></PRE> <P>EDIT: I've managed to get the bucket to work by changing <CODE>stats count, first(_time) as "_time" by acddev, acduser, acdfrom, acdreason</CODE> to <CODE>stats count by _time, acddev, acduser, acdfrom, acdreason</CODE> but, I don't want to show the time in 5 minute intervals, I want to show the time of the latest attempt in that group of events. Is this possible?</P> Fri, 05 Aug 2016 01:23:48 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212908#M7940 ZacEsa 2016-08-05T01:23:48Z Re: How to count similar events per 5 minutes in a 60 minute search? https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212909#M7941 <P>Try this</P> <PRE><CODE>| bin _time span=5m | stats count, latest(_time) as "latest login" by _time acddev, acduser, acdfrom, acdreason | table _time "latest login" acddev acduser acdfrom acdreason count | sort -_time </CODE></PRE> Fri, 05 Aug 2016 12:37:06 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212909#M7941 sundareshr 2016-08-05T12:37:06Z Re: How to count similar events per 5 minutes in a 60 minute search? https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212910#M7942 <P>Doesn't work, both <CODE>_time</CODE> and <CODE>"latest login"</CODE> gives out the same value. I believe it's because of the <CODE>bin/bucket</CODE>.</P> Mon, 08 Aug 2016 00:31:35 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212910#M7942 ZacEsa 2016-08-08T00:31:35Z Re: How to count similar events per 5 minutes in a 60 minute search? https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212911#M7943 <P>Have you tried <CODE>transaction</CODE>?</P> <PRE><CODE>... | transaction maxspan=5m acddev, acduser, acdfrom, acdreason | table _time acddev acduser acdfrom acdreason count </CODE></PRE> Mon, 08 Aug 2016 01:30:36 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212911#M7943 sundareshr 2016-08-08T01:30:36Z Re: How to count similar events per 5 minutes in a 60 minute search? https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212912#M7944 <P>Transaction isn't showing the count. <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> Mon, 08 Aug 2016 01:33:40 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212912#M7944 ZacEsa 2016-08-08T01:33:40Z Re: How to count similar events per 5 minutes in a 60 minute search? https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212913#M7945 <P>Transactio will create a event_count field that shows the number of events grouped together</P> Mon, 08 Aug 2016 02:00:33 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212913#M7945 sundareshr 2016-08-08T02:00:33Z Re: How to count similar events per 5 minutes in a 60 minute search? https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212914#M7946 <P>Thanks! It works! Can you edit your answer and I'll accept it.</P> Mon, 08 Aug 2016 07:11:48 GMT https://community.splunk.com/t5/Deployment-Architecture/How-to-count-similar-events-per-5-minutes-in-a-60-minute-search/m-p/212914#M7946 ZacEsa 2016-08-08T07:11:48Z