topic Re: Search same index & source to get total of all & single value for top 10 in Splunk Search

Search same index & source to get total of all & single value for top 10?

TerryM — Mon, 20 Mar 2023 14:53:55 GMT

Individually these searches work:

```#1 sum all values in field repeat_count in all threat logs that are M,H,C severity```

index=FW host=InternetFW sourcetype="fw:threat" severity IN (medium, high, critical) | stats sum(repeat_count) as TotalCount

```#2 sum all repeat_count vailues for the top 10 signatures ```

index=FW host=InternetFW sourcetype="fw:threat" severity IN (medium, high, critical) | stats sum(repeat_count) as Top_10_Threats_per_Day by signature | sort 10 -Top_10_Threats_per_Day | stats sum(Top_10_Threats_per_Day) as Top-10

Trying to get the 2 values into a timechart

|timechart span=1d values(TotalCount) as " Total" , values(Top-10) as "Total of top 10"

Tried subsearch {search 1[search 2|fields Top-10]}, Tried multsearch.

Re: Search same index & source to get total of all & single value for top 10

ITWhisperer — Sun, 19 Mar 2023 17:14:21 GMT

You mention time yet it doesn't appear in your searches

Do you want the top 10 overall and the counts for only those 10 for each day, or the top 10 for each day, which could be different from day to day.

If it is the latter, try something like this

Re: Search same index & source to get total of all & single value for top 10

TerryM — Sun, 19 Mar 2023 19:12:17 GMT

time: earliest 5 days ago, latest Beginning of today.

Total of all threats for each day and a single total of the top 10 for each day like this:

Total Top 10

8000 2500

2000 250

1567 534

etc

then get it into a timechart.

I can get the Total per day from search #1.

Re: Search same index & source to get total of all & single value for top 10

TerryM — Sun, 19 Mar 2023 19:40:44 GMT

index =FW host=InternetFW sourcetype="FW:threat" severity IN (medium, high, critical)
| timechart span=1d sum(repeat_count) as "Total"
| appendcols
[search index =FW host=InternetFW sourcetype="FW:threat" severity IN (medium, high, critical)
| timechart span=1d sum(repeat_count) as "Top 10" by signature WHERE MAX in top10]

Totals per day works, just need a single Total for the sum of the top 10 events for everything else per day.

Re: Search same index & source to get total of all & single value for top 10

ITWhisperer — Mon, 20 Mar 2023 07:57:35 GMT

Re: Search same index & source to get total of all & single value for top 10

TerryM — Mon, 20 Mar 2023 14:45:25 GMT

Thanks for the replies. This seems to have got what I was looking for. for the numbers that are the same for Total and Top 10, there were only a few Threats those days. Now I just need to decipher how you did it. Did I mention I'm very new to Splunk :).