topic Re: event count, per user, per hour in Splunk Search

event count, per user, per hour

tmarlette — Wed, 05 Jun 2013 21:28:29 GMT

So i'm attempting to count a specific event type, per user, per hour. I only want the tope ten users, and I thought the 'top' command would do it, but I'm hitting a snag. The top command doesn't output any data at all.
I'm looking for this data to output in a table format with the fields time,user,count.

I attempted to use the following search query:

host=< myhost > eventtype=< my event type > | timechart span=1h count by user useother=false

Thank you!!

Re: event count, per user, per hour

Ayn — Wed, 05 Jun 2013 21:43:22 GMT

So, what was the result of the query you attempted?

Re: event count, per user, per hour

tmarlette — Wed, 05 Jun 2013 21:49:32 GMT

It looks like I'm getting the latest 20 users, which are not the top offenders I am looking for.

Re: event count, per user, per hour

kml_uvce — Thu, 06 Jun 2013 04:50:25 GMT

try this...

host=< myhost > eventtype=< my event type > | timechart span=1h limit=10 useother=f count by user

Re: event count, per user, per hour

tmarlette — Thu, 06 Jun 2013 13:30:04 GMT

Almost! The result set I get now is the ten (limit=10) most recent offenders.

I thought the 'top' command was the way to go, but I can't seem to get the search to roll it's results to the top command and have it output the data.

Re: event count, per user, per hour

okrabbe_splunk — Thu, 06 Jun 2013 13:47:34 GMT

I think the issue is the output format of the table using time chart. If you manually bucket I think you will get a better result.

Try this:

host=< myhost > eventtype=< my event type > | bucket _time span=1h | stats count by _time,user | sort - count | head

Re: event count, per user, per hour

tmarlette — Thu, 06 Jun 2013 14:40:39 GMT

bucketing is exactly what I was looking for as far as the count for the time span! Thank you!

This gives the most recent offenders/instances, though I am looking for information on only the top ten offenders.

It's almost like I would need to run a search first to find the top ten offenders, then break out each user into a '_time" bucket and show their stats per hour individually? I'm guessing here 😃

Re: event count, per user, per hour

okrabbe_splunk — Thu, 06 Jun 2013 14:44:20 GMT

Yeah you could do a subsearch and use that on the initial search. Something like below but you may need to play with it a bit.

http://docs.splunk.com/Documentation/Storm/Storm/User/Useasubsearch