topic Re: Splunk Search command in Splunk Search

Splunk Search command

Mouseman123 — Fri, 03 Nov 2023 07:37:47 GMT

This would be a piece of cake for someone who uses SPLUNK.
I am doing a search using the 'stats', çount' and sort commands in the botsv1 index.

I am to find the top ten URI's in ascending order. What is the SPL command?

Re: Splunk Search command

yuanliu — Fri, 03 Nov 2023 09:34:43 GMT

Pro tip: Do not assume anyone knows anything about your data.

Update the title to a question that clearly defines the problem. This will help others in the community. "Splunk search command" conveys no information.
Always illustrate relevant data. For example, which field contains URI?
Be conscious that many natural language terms are ambiguous. For example, "top ten URI's" can mean many different things. What is your definition related to your data?

If the field URI contains URI, and "top ten" means the ten URI's that appear in the most events, this can be

| stats count by URI

I recommend that you read/watch some tutorials. Search Tutorial can be a good place to start.

Re: Splunk Search command

Mouseman123 — Fri, 03 Nov 2023 12:11:32 GMT

Thanks for responding so quickly!!!

The SPL commands I have been trying is as follows:

The task i have been given is:
Use the stats, count, and sort search terms to display the top ten URI's in ascending order.
This is from the botsv1 dataset

Re: Splunk Search command

yuanliu — Sat, 04 Nov 2023 10:58:12 GMT

Note: botsv1 means absolutely nothing to most volunteers in this forum. If there is something special about this dataset, you need to explain very clearly. Also important: when you have a sample code that doesn't do what you wanted, you need to illustrate what it actually outputs, and explain why it doesn't meet your requirement if that's not painfully obvious. Did your sample code give you desired result?

Based on your sample code, I speculate that so-called URI is in the field src_ip? Why do you use list, not values? What is the use of list of count? What's wrong with this simpler formula?

index=indexname |stats values(domain) as Domain count as total by src_ip | sort -total | head 10

Without SPL, can you explain/illustrate what data is like (anonymize as necessary), illustrate what the end result look like using illustrated data, and describe the logic between that data and your desired result? This is the best way to get help with data analytics.

i can speculate that you want to display individual count of domains by src_ip, too. If so, designing a proper visual vocabulary is a lot better. For example:

Just note that this is mathematically equivalent to your code. So, you will need to illustrate the output and explain why that's not the desired result.