topic Re: Syntax for 'top x entries per y' in Splunk Search

Syntax for 'top x entries per y'

timbCFCA — Tue, 25 Sep 2012 15:14:05 GMT

I am trying to find the top 5 UrlDestHosts per IP address for the top 25 ip addresses. I have a search which returns the raw information required:

source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | stats count by c_ip, UrlDestHost | stats list(UrlDestHost) list(count) by c_ip

How do I add top parameters, say the top X c_ip entries (based on count) and the top Y UrlDestHosts (based on the count per value of X)?

Re: Syntax for 'top x entries per y'

melting — Tue, 25 Sep 2012 17:41:49 GMT

You want to use the top search command in place of the first stats command. Top does the count similarly to stats (also percentage)

... | top 5 UrlDestHost by c_ip | ...

All together it looks like

source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | top UrlDestHost by c_ip | stats list(UrlDestHost) list(count) by c_ip

Re: Syntax for 'top x entries per y'

Runals — Tue, 25 Sep 2012 17:45:20 GMT

I think the quickest way to answer the first part of your question is:

source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | top limit=5 UrlDestHost by c_ip

You can change the limit parameter to be whatever you want; default is 10 if you remove it from the search. One of the fields returned will be percent which will probably play with your mind a bit or anyone you might show the results to so I would get rid of it. It probably also makes sense to group by c_ip. I'd probably format the query like this:

source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | top limit=5 UrlDestHost by c_ip | sort c_ip, -count | fields - percent

This will sort the IPs in ascending order, the counts in descending order, and remove the percent fields. Otherwise you could leave the query as is and use a combination of sort and head to get top results. You are also using list(). In this or other use cases use cases you might try values() which will dedup and order the results.

I can't quite tell if below your code snippet if you are asking a variation of your first question. At any rate I hope some of this helps.

Re: Syntax for 'top x entries per y'

timbCFCA — Tue, 25 Sep 2012 23:46:31 GMT

This is close but it only limits on the Y value. For example I'm only interested in the top c_ip entries (those with the highest count of events).

Re: Syntax for 'top x entries per y'

melting — Tue, 25 Sep 2012 23:50:39 GMT

Top is just counting events. It can count them in categories using the "by" indication.

Perhaps you can give an example of what your output would look like?

Re: Syntax for 'top x entries per y'

kristian_kolb — Wed, 26 Sep 2012 07:49:07 GMT

I think you might have to resort to a subsearch for this (indented for readability);

source="windows_snare_foreweb" cs_network="Internal" action="Allowed" 
[search source="windows_snare_foreweb" cs_network="Internal" action="Allowed" 
  | top 25 c_ip 
  | fields + c_ip
] 
| top 5 UrlDestHost by c_ip

The subsearch will just find (and return) the 25 most common c_ip, which are added to the outer search (as c_ip1 OR c_ip2 OR c_ip3 ...). The result is then piped to top.

Hope this helps,

Kristian

Re: Syntax for 'top x entries per y'

maniishpawar — Tue, 11 Jul 2017 20:14:01 GMT

index=* sourcetype=iis | top 1 _raw by index