Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk search to get count greater than 5 in 24 hour for 1 month?

Abhineet
Loves-to-Learn Everything
‎07-17-2023 06:23 AM

HI, 

I am looking for splunk query which gives table having count field value greater than 5 in last 24 hr.

if my name log count is greater than 5 in last 24 hr for specific search condition then it should be available in table, if tomorrow again in last 24 hr log count on my name is greater than 5 then again my name should be available in table for last two days time range.

Below mentioned is query for last 24 hour.

EXTERNAL_AUTH_COMPLETE deviceType=AnixisPPCProvider AND wsModel != "Microsoft Corporation / Virtual Machine" earliest=-24h@h latest=now
| rex field=machineUserName "[A-Za-z-]+(?<empNo>\d+)"
| rex field=machineUserName "(?<eMail>.*@.*)"
| lookup WorkdayData.csv empNum AS empNo OUTPUTNEW country OCGRP OCSGRP name email
| lookup WorkdayData.csv email AS eMail OUTPUTNEW country OCGRP OCSGRP name email
| eval country = if (country == "Korea, Republic of","South Korea",country)
| eval country = if (country == "United States of America","United States",country)
| eval empType = if (like(email,"%@contractor.amat.com%"),"Contractor","RFT")
| rename OCGRP as Department OCSGRP as BusinessUnit name as Name email as Email country as Country empType as EmployeeType
| search Department = "*" AND Country="*"
| stats count by Name Email Country Department BusinessUnit EmployeeType
| where count > 5

Provide me query to get table where log count greaten than 5 on daily basis.

Thanks

Abhineet Kumar

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-17-2023 06:30 AM

What do you mean by "log count greater than 5 on daily basis".

0 Karma
Reply

Abhineet
Loves-to-Learn Everything
‎07-17-2023 06:37 AM

"log count greater than 5 on daily basis" 

if event count greater than 5 in 24 hr duration.

below mentioned is sample screenshot of query mentioned in my last post for 24 hr duration.

[screenshot removed]

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-17-2023 06:45 AM

I'm not sure these people would appreciate you posting their details (name/email) on the internet. Next time please anonymize the screenshot. I did remove your screenshot.

And the question was because it could have been interpreted twofold.

Either:

- you wanted a list of each 24-hour period during which the count was more than 5 or

- you wanted a list of those people for which there was a count over 5 for every 24-hour long period.

These are two different requirements.

Anyway, your search will be easiest done with

| bin _time span=1d

in the middle (before stats) and adding _time as another field in the BY clause.

So instead of

| stats count by Name Email Country Department BusinessUnit EmployeeType

you do

| bin _time span=1d
| stats count by Name Email Country Department BusinessUnit EmployeeType _time

 And of course you run the search over your whole 30 days back.

Depending on which of the options I mentioned at the beginning you want, you might do with either your "where" command or you'd have to do some additional magic to find only those which have more than 5 over the whole month.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...