Splunk Search

Advanced Search

hartfoml
Motivator

I have a top ten search for Windows Errors that I run each day.

My boss wants to know how many days each of the top ten have been on the top ten list.

The report should look like this:

Event_ID | Num_Days_On_List | Count
256 | 5 | 256
1056 | 1 | 194

0 Karma

eelisio2
Path Finder

I think Summary Indexing would work for this.

Create a new index for your summary (e.g., summarytopstatus).

Create search to use the sitop command instead of top.
(sourcetype="yoursourcetype" | sitop Event_ID) with a relative timeframe of -1d@d

Edit the search to have it run on a scheduled basis. (every day at midnight)

Check 'Enable Summary Indexing'.
Select your new index.

The following should give you the results you are looking for:

index="summarytopstatus" search_name="yoursearchname" | stats count as Num_Days_On_List, sum(cvp_reserved_count) as TotalCount by Event_ID

eelisio2
Path Finder

Note the field in the sum() should be "cvp" underscore "reserved" underscore "count".

0 Karma

hartfoml
Motivator

Matt,

Thanks for asking

I use something like this to get a table with host and event ID for one day:

"source="WinEventLog:*" Type="Error" | top host event_id | Table host event_id count"

0 Karma

hartfoml
Motivator

Yes, I will start with once a day, as the operations team meets every morning to discuss direction and progress.

0 Karma

MHibbin
Influencer

Will this be run once a day? - Scheduled?

0 Karma

hartfoml
Motivator

I might have to put the results in a summary and then go back and get the count of days on the list from there or in a lookup table but I have never done that before.

0 Karma

RicoSuave
Builder

This isn't exactly what you want, but I think it will get you close enough.

yoursearch | bucket _time span=1d as day | eval day=strftime(day, "%Y-%m-%d") | chart count over Event_ID by day

This should produce a nice table with the dates on the top. Then you can sort the counts by day by clicking on them. Run this search over a timeframe of at least 24 hours or greater. My security analysts love this search for security related events.

0 Karma
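To make the two approaches in this thread concrete (eelisio2's summary-index search that counts days on the list and sums cvp_reserved_count, and RicoSuave's chart of counts per Event_ID by day), here is an added Python model of what those searches compute. It is not Splunk code and not from either poster; it stands in for `sitop Event_ID` with a per-day Counter, uses a constructed set of events instead of WinEventLog data, and uses a top 3 rather than a top 10 so the sample stays small. The host column, timestamps and event IDs are all made up.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: (timestamp, host, event_id) tuples standing in for
# Windows error events. Real data would come from the daily scheduled search
# over source="WinEventLog:*" Type="Error".
_SPEC = {
    "2024-01-01": {256: 4, 1056: 3, 7: 2, 99: 1},
    "2024-01-02": {256: 3, 99: 2, 7: 1},
    "2024-01-03": {1056: 4, 256: 2, 99: 1},
}
SAMPLE_EVENTS = [
    (f"{day} 08:{i:02d}:00", "host01", event_id)
    for day, ids in _SPEC.items()
    for event_id, n in ids.items()
    for i in range(n)
]


def daily_top(events, top_n=3):
    """Model of the scheduled `... | sitop Event_ID` search run once per day.

    Returns {day: [(event_id, count), ...]} holding only the top_n event ids
    for that day, which is what the summary index ends up containing.
    Ties are broken by first-seen order, as Counter.most_common does; a real
    top/sitop may order ties differently, which can change who makes the list.
    """
    per_day = defaultdict(Counter)
    for ts, _host, event_id in events:
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d")
        per_day[day][event_id] += 1
    return {day: counts.most_common(top_n) for day, counts in per_day.items()}


def days_on_list(summary):
    """Model of `stats count as Num_Days_On_List, sum(cvp_reserved_count)
    as TotalCount by Event_ID` over the summary index.

    Each summary row is one (day, event_id) pair, so counting rows per
    event_id gives the number of days it appeared in the top list, and
    summing the stored count gives the total across those days only.
    """
    result = {}
    for rows in summary.values():
        for event_id, count in rows:
            days, total = result.get(event_id, (0, 0))
            result[event_id] = (days + 1, total + count)
    return result


def report_rows(result):
    """Rows of (Event_ID, Num_Days_On_List, Count), most persistent first."""
    return sorted(
        ((eid, days, total) for eid, (days, total) in result.items()),
        key=lambda r: (-r[1], -r[2], r[0]),
    )


def chart_by_day(events):
    """Model of `bucket _time span=1d as day | chart count over Event_ID by day`.

    Unlike the summary-index route this keeps every event id, not just the
    top N, so it answers "how many per day" rather than "how many days on the list".
    Returns {event_id: {day: count}}.
    """
    table = defaultdict(Counter)
    for ts, _host, event_id in events:
        day = ts[:10]
        table[event_id][day] += 1
    return {eid: dict(days) for eid, days in table.items()}


if __name__ == "__main__":
    summary = daily_top(SAMPLE_EVENTS)
    print("Event_ID | Num_Days_On_List | Count")
    for eid, days, total in report_rows(days_on_list(summary)):
        print(f"{eid} | {days} | {total}")
```

Running the block prints the report in the shape the original question asks for; `daily_top` only retains the top N per day, so `TotalCount` deliberately excludes days where an event fell below the cut-off, which is the behaviour eelisio2's summary search has too.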

hartfoml
Motivator

Oh ya, this is good stuff. I like it, but it is not really what I'm looking for here. I will be sure to keep this gem for later. Thanks much, this is a great piece of code.

0 Karma