topic Splunk search to get count greater than 5 in 24 hour for 1 month? in Other Usage

Splunk search to get count greater than 5 in 24 hour for 1 month?

Abhineet — Tue, 18 Jul 2023 00:49:56 GMT

HI,

I am looking for splunk query which gives table having count field value greater than 5 in last 24 hr.

if my name log count is greater than 5 in last 24 hr for specific search condition then it should be available in table, if tomorrow again in last 24 hr log count on my name is greater than 5 then again my name should be available in table for last two days time range.

Below mentioned is query for last 24 hour.

EXTERNAL_AUTH_COMPLETE deviceType=AnixisPPCProvider AND wsModel != "Microsoft Corporation / Virtual Machine" earliest=-24h@h latest=now
| rex field=machineUserName "[A-Za-z-]+(?<empNo>\d+)"
| rex field=machineUserName "(?<eMail>.*@.*)"
| lookup WorkdayData.csv empNum AS empNo OUTPUTNEW country OCGRP OCSGRP name email
| lookup WorkdayData.csv email AS eMail OUTPUTNEW country OCGRP OCSGRP name email
| eval country = if (country == "Korea, Republic of","South Korea",country)
| eval country = if (country == "United States of America","United States",country)
| eval empType = if (like(email,"%@contractor.amat.com%"),"Contractor","RFT")
| rename OCGRP as Department OCSGRP as BusinessUnit name as Name email as Email country as Country empType as EmployeeType
| search Department = "*" AND Country="*"
| stats count by Name Email Country Department BusinessUnit EmployeeType
| where count > 5

Provide me query to get table where log count greaten than 5 on daily basis.

Thanks

Abhineet Kumar

Re: splunk query to get count greater than 5 in 24 hour for 1 month

PickleRick — Mon, 17 Jul 2023 13:30:55 GMT

What do you mean by "log count greater than 5 on daily basis".

Re: splunk query to get count greater than 5 in 24 hour for 1 month

Abhineet — Mon, 17 Jul 2023 15:29:12 GMT

"log count greater than 5 on daily basis"

if event count greater than 5 in 24 hr duration.

below mentioned is sample screenshot of query mentioned in my last post for 24 hr duration.

[screenshot removed]

Re: splunk query to get count greater than 5 in 24 hour for 1 month

PickleRick — Mon, 17 Jul 2023 15:29:48 GMT

I'm not sure these people would appreciate you posting their details (name/email) on the internet. Next time please anonymize the screenshot. I did remove your screenshot.

And the question was because it could have been interpreted twofold.

Either:

- you wanted a list of each 24-hour period during which the count was more than 5 or

- you wanted a list of those people for which there was a count over 5 for every 24-hour long period.

These are two different requirements.

Anyway, your search will be easiest done with

| bin _time span=1d

in the middle (before stats) and adding _time as another field in the BY clause.

So instead of

| stats count by Name Email Country Department BusinessUnit EmployeeType

you do

| bin _time span=1d
| stats count by Name Email Country Department BusinessUnit EmployeeType _time

And of course you run the search over your whole 30 days back.

Depending on which of the options I mentioned at the beginning you want, you might do with either your "where" command or you'd have to do some additional magic to find only those which have more than 5 over the whole month.