
Splunk search to get a count greater than 5 in 24 hours, for each day of 1 month?

Abhineet
Loves-to-Learn Everything

Hi,

I am looking for a Splunk query which gives a table whose count field value is greater than 5 in the last 24 hours.

If the log count for my name is greater than 5 in the last 24 hours for a specific search condition, then it should appear in the table. If tomorrow the log count for my name is again greater than 5 in the last 24 hours, then my name should again appear in the table for the last two days' time range.

Below is the query for the last 24 hours.

EXTERNAL_AUTH_COMPLETE deviceType=AnixisPPCProvider AND wsModel != "Microsoft Corporation / Virtual Machine" earliest=-24h@h latest=now
| rex field=machineUserName "[A-Za-z-]+(?<empNo>\d+)"
| rex field=machineUserName "(?<eMail>.*@.*)"
| lookup WorkdayData.csv empNum AS empNo OUTPUTNEW country OCGRP OCSGRP name email
| lookup WorkdayData.csv email AS eMail OUTPUTNEW country OCGRP OCSGRP name email
| eval country = if (country == "Korea, Republic of","South Korea",country)
| eval country = if (country == "United States of America","United States",country)
| eval empType = if (like(email,"%@contractor.amat.com%"),"Contractor","RFT")
| rename OCGRP as Department OCSGRP as BusinessUnit name as Name email as Email country as Country empType as EmployeeType
| search Department = "*" AND Country="*"
| stats count by Name Email Country Department BusinessUnit EmployeeType
| where count > 5

Please provide me a query to get a table where the log count is greater than 5 on a daily basis.

Thanks

Abhineet Kumar

0 Karma

PickleRick
SplunkTrust

What do you mean by "log count greater than 5 on daily basis"?

0 Karma

Abhineet
Loves-to-Learn Everything

"log count greater than 5 on daily basis":

if the event count is greater than 5 in a 24 hr duration.

Below is a sample screenshot of the query mentioned in my last post for the 24 hr duration.

[screenshot removed]


0 Karma

PickleRick
SplunkTrust

I'm not sure these people would appreciate you posting their details (name/email) on the internet. Next time please anonymize the screenshot. I did remove your screenshot.

And the question was because it could have been interpreted in two ways.

Either:

- you wanted a list of each 24-hour period during which the count was more than 5 or

- you wanted a list of those people for which there was a count over 5 for every 24-hour long period.

These are two different requirements.

Anyway, your search will be easiest done with

| bin _time span=1d

in the middle (before stats) and adding _time as another field in the BY clause.

So instead of

| stats count by Name Email Country Department BusinessUnit EmployeeType

you do

| bin _time span=1d
| stats count by Name Email Country Department BusinessUnit EmployeeType _time

And of course you run the search over your whole 30 days back.

Depending on which of the options I mentioned at the beginning you want, you might get by with your "where" command, or you'd have to do some additional magic to find only those which have more than 5 over the whole month.

0 Karma