topic Using the Splunk Tutorial data, how to find the number of hits and top 20 category and top 20 domain? in Splunk Search

Using the Splunk Tutorial data, how to find the number of hits and top 20 category and top 20 domain?

rishabh4 — Tue, 21 Mar 2017 16:07:53 GMT

How to find the number of hits and top 20 category and top 20 domain using the tutorial data on Splunk. Please help, I am new to Splunk. I also want to know the "status code count" of it so please help me fast.

Re: Using the Splunk Tutorial data, how to find the number of hits and top 20 category and top 20 domain?

skoelpin — Tue, 21 Mar 2017 16:44:14 GMT

Try this

index=INDEX_NAME | top limit=20 referer_domain categoryId

Re: Using the Splunk Tutorial data, how to find the number of hits and top 20 category and top 20 domain?

niketn — Wed, 22 Mar 2017 03:08:51 GMT

@rishabh4. You have mentioned three cases. To begin with you need three commands

Top 20 domain (Do not show percent, show count)

<YourBaseSearch> referer=*
| top 20 referer_domain showperc=f showcount=t

Top 20 category (Do not show percent, show count)

<YourBaseSearch> categoryId=*
| top 20 categoryId showperc=f showcount=t

PS: There might not be 20 Categories in tutorial data
Status code count

<YourBaseSearch> status=*
| stats count as Count by status
| sort - Count

For details on any SPL command you should refer to docs.splunk.com. When you load the data ensure that you check what index data is loaded and what is the sourcetype. Splunk default index is main (unless you have created your own). Also the tutorial data belong to two sourcetypes access and secure. So your base search could be. Following is an example for base search it may vary based on how you have added data.

index=main sourcetype=access*

There is a scope of using Post Processing in your searches if you want to add multiple search to single dashboard. However, that is slightly advanced topic which you can learn from Splunk Docs once you are comfortable with SPL commands.

PS: Immediately after adding the data Splunk gives you an option to search Added data (Start Searching) which builds a sample base search.

Re: Using the Splunk Tutorial data, how to find the number of hits and top 20 category and top 20 domain?

aaraneta_splunk — Wed, 22 Mar 2017 16:44:48 GMT

@rishabh4 - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

Re: Using the Splunk Tutorial data, how to find the number of hits and top 20 category and top 20 domain?

dibyanshu — Wed, 30 Sep 2020 02:02:10 GMT

Listed below all required spl-query::

Case-1 : Total Number of Hits:

==============index=ds |stats count by clientip |stats sum(count) as Total_Number_of_Hits=======================

Note: Ensure to replace index name: ds with your own created or default-main
Explanation : Number of hits can be calculated by number of individual hits on server by each client

Case-2 : Top 20 category and Domain :

Explanation: separately find domain and category and then use join to get single result with combination of both
Note: Find suitable fields to get desire result like domain and categoryId here

Case-3 : status code count :

=====================index=ds status=* |stats count as "Status code count"====================

Explanation : Gives count of all the status code like status 401-faliure, status 200-success ..

In addition i have attached Dashboard snapshot with all these cases-data as separate panel embedded in single dashboard.

Happy Splunking :>