topic Re: How to find 10 most active folders by their action of uploading documents in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177322#M50985 <P>I just need the number of AOIDS per OOID. The AOID name is not needed in this instace</P> Wed, 19 Aug 2015 14:23:10 GMT splunkman341 2015-08-19T14:23:10Z How to find 10 most active folders by their action of uploading documents https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177316#M50979 <P>Hey guys,</P> <P>So I am trying to create a search that fetches the top 10 most active OOIDs (Organization ID Folder) by their activity of AOIDS (associate IDS) uploading documents into said folders. The idea is to get the number of AOIDS for each OOID.</P> <P>For example, you have three companies:</P> <P>Company A XYZ(OOID) has uploaded 300 documents, but only 20 AOIDS uploaded those documents</P> <P>Company B ABC(OOID) has uploaded 200 documents, but 100 AOIDS uploaded those documents</P> <P>The log of where I need to create the search out of is here:</P> <P>Thanks for looking and please let me know if you have any questions! </P> Tue, 18 Aug 2015 17:23:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177316#M50979 splunkman341 2015-08-18T17:23:54Z Re: How to find 10 most active folders by their action of uploading documents https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177317#M50980 <P>You put a <CODE>regex</CODE> tag on this question. Does that mean you don't have the OOID and AOID fields extracted?</P> Tue, 18 Aug 2015 17:36:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177317#M50980 richgalloway 2015-08-18T17:36:28Z Re: How to find 10 most active folders by their action of uploading documents https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177318#M50981 <P>Hi Rich and thanks for you're response,</P> <P>I just checked and I actually do have them extracted, I just was not sure where to go from here</P> Tue, 18 Aug 2015 17:40:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177318#M50981 splunkman341 2015-08-18T17:40:09Z Re: How to find 10 most active folders by their action of uploading documents https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177319#M50982 <P>Try this untested search:</P> <PRE><CODE>index = foo | top AOID by OOID | table OOID AOID </CODE></PRE> Tue, 18 Aug 2015 17:48:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177319#M50982 richgalloway 2015-08-18T17:48:59Z Re: How to find 10 most active folders by their action of uploading documents https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177320#M50983 <P>It is generating events but no statistics or a table</P> Tue, 18 Aug 2015 17:55:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177320#M50983 splunkman341 2015-08-18T17:55:37Z Re: How to find 10 most active folders by their action of uploading documents https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177321#M50984 <P>I've updated my answer.</P> Tue, 18 Aug 2015 18:31:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177321#M50984 richgalloway 2015-08-18T18:31:26Z Re: How to find 10 most active folders by their action of uploading documents https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177322#M50985 <P>I just need the number of AOIDS per OOID. The AOID name is not needed in this instace</P> Wed, 19 Aug 2015 14:23:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177322#M50985 splunkman341 2015-08-19T14:23:10Z Re: How to find 10 most active folders by their action of uploading documents https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177323#M50986 <P>Try this:</P> <PRE><CODE>index = foo | stats dc(AOID) AS AOIDs by OOID | sort 10 - AOIDs </CODE></PRE> <P>This judges "activity" not by raw activity but by the highest number of AOIDs that have any activity (which may not be correct); this judges by raw events:</P> <PRE><CODE>index = foo | stats count dc(AOID) AS AOIDs by OOID | sort 10 - count </CODE></PRE> Wed, 19 Aug 2015 15:59:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177323#M50986 woodcock 2015-08-19T15:59:09Z Re: How to find 10 most active folders by their action of uploading documents https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177324#M50987 <P>You crushed the nail through the plywood, exactly what I wanted!</P> Wed, 19 Aug 2015 17:13:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-10-most-active-folders-by-their-action-of-uploading/m-p/177324#M50987 splunkman341 2015-08-19T17:13:48Z