Other Usage

Splunk search to get count greater than 5 in 24 hour for 1 month?

Abhineet
Loves-to-Learn Everything

Hi,

I am looking for a Splunk query which gives a table having a count field value greater than 5 in the last 24 hr.

If my name's log count is greater than 5 in the last 24 hr for a specific search condition, then it should be available in the table; if tomorrow again in the last 24 hr the log count on my name is greater than 5, then again my name should be available in the table for the last two days' time range.

Below is the query for the last 24 hours.

EXTERNAL_AUTH_COMPLETE deviceType=AnixisPPCProvider AND wsModel != "Microsoft Corporation / Virtual Machine" earliest=-24h@h latest=now
| rex field=machineUserName "[A-Za-z-]+(?<empNo>\d+)"
| rex field=machineUserName "(?<eMail>.*@.*)"
| lookup WorkdayData.csv empNum AS empNo OUTPUTNEW country OCGRP OCSGRP name email
| lookup WorkdayData.csv email AS eMail OUTPUTNEW country OCGRP OCSGRP name email
| eval country = if (country == "Korea, Republic of","South Korea",country)
| eval country = if (country == "United States of America","United States",country)
| eval empType = if (like(email,"%@contractor.amat.com%"),"Contractor","RFT")
| rename OCGRP as Department OCSGRP as BusinessUnit name as Name email as Email country as Country empType as EmployeeType
| search Department = "*" AND Country="*"
| stats count by Name Email Country Department BusinessUnit EmployeeType
| where count > 5

Please provide me a query to get a table where the log count is greater than 5 on a daily basis.

Thanks

Abhineet Kumar


PickleRick
SplunkTrust

What do you mean by "log count greater than 5 on daily basis"?


Abhineet
Loves-to-Learn Everything

"log count greater than 5 on daily basis"

If the event count is greater than 5 in a 24 hr duration.

Below is a sample screenshot of the query mentioned in my last post for a 24 hr duration.

[screenshot removed]


PickleRick
SplunkTrust

I'm not sure these people would appreciate you posting their details (name/email) on the internet. Next time please anonymize the screenshot. I did remove your screenshot.

And the question was because it could have been interpreted in two ways.

Either:

- you wanted a list of each 24-hour period during which the count was more than 5 or

- you wanted a list of those people for which there was a count over 5 for every 24-hour long period.

These are two different requirements.

Anyway, your search will be easiest done with

| bin _time span=1d

in the middle (before stats) and adding _time as another field in the BY clause.

So instead of

| stats count by Name Email Country Department BusinessUnit EmployeeType

you do

| bin _time span=1d
| stats count by Name Email Country Department BusinessUnit EmployeeType _time

And of course you run the search over your whole 30 days back.

Depending on which of the options I mentioned at the beginning you want, you might make do with your "where" command, or you'd have to do some additional magic to find only those which have more than 5 over the whole month.
