topic Re: Splunk Query to Generate an n-event sample across sourcetypes in an index in Splunk Search

Splunk Query to Generate an n-event sample across sourcetypes in an index

JohnEGones — Fri, 21 Jul 2023 14:40:15 GMT

Hi people,

I wonder whether it is possible to run a query that generates a set of n-sample of events for each sourcetype in an index?

In some sense, if the log data has been ingested and conformed properly, this is perhaps not so problematic, you might build a datamodel or just query across the relevant CIM field (alias.)

So lets get specific:

index-someIndex sourcetype=someSourceType | enumerate against some defined key value, say an eventtype | enumerate all of the eventtypes and pull out any subeventtypes | list the for 2-5 events for each subeventtype, else just list the 2-5 events for the the eventtype | table _time, eventtype, subeventtype (NULL if blank), event

Re: Splunk Query to Generate an n-event sample across sourcetypes in an index

ITWhisperer — Fri, 21 Jul 2023 15:08:21 GMT

| fillnull value="NULL" subeventtype | streamstats count by eventtype subeventtype | where count < 6

Re: Splunk Query to Generate an n-event sample across sourcetypes in an index

JohnEGones — Fri, 21 Jul 2023 15:30:20 GMT

@ITWhisperer

Thanks. I have not used streamstats much before.

I suppose there is not really a good way to generalize this; since simpler queries like this already assume your data is fairly well-parsed.

Re: Splunk Query to Generate an n-event sample across sourcetypes in an index

ITWhisperer — Fri, 21 Jul 2023 16:12:55 GMT

Correct, you need at least one field to do the stats by.