Splunk Search

Advanced Search

hartfoml
Motivator

I have a top ten search for Windows Errors that I run each day.

My boss wants to know how many days each of the top ten have been on the top ten list.

The report should look like this:

Event_ID | Num_Days_On_List | Count
256      | 5                | 256
1056     | 1                | 194

0 Karma

eelisio2
Path Finder

I think Summary Indexing would work for this.

Create a new index for your summary (e.g., summarytopstatus).

Create search to use the sitop command instead of top.
(sourcetype="yoursourcetype" | sitop Event_ID) with a relative timeframe of -1d@d

Edit the search to have it run on a scheduled basis. (every day at midnight)

Check 'Enable Summary Indexing'.
Select your new index.

The following should give you the results you are looking for:

index="summarytopstatus" search_name="yoursearchname" | stats count as Num_Days_On_List, sum(cvp_reserved_count) as TotalCount by Event_ID
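The steps above written out end to end as savedsearches.conf stanzas. This is an added example, not eelisio2's or Splunk's own configuration: the search names, the cron time (five minutes after midnight, so that events that arrive late for the previous day are still picked up), the 30-day reporting window and the base search taken from the question are all assumptions; the summary field name follows the correction given in the next comment.

```ini
# Scheduled search that feeds the summary index once a day.
# Assumed stanza name; summary indexing writes it into the search_name field.
[Daily Top Windows Errors - summary]
# sitop keeps the statistics needed to re-aggregate later (default limit is 10, like top).
search = source="WinEventLog:*" Type="Error" | sitop Event_ID
# Yesterday's full day: from midnight yesterday (-1d@d) up to midnight today (@d).
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
# Run shortly after midnight rather than exactly at it, so late-arriving events are counted (assumed).
cron_schedule = 5 0 * * *
enableSched = 1
# Equivalent of ticking 'Enable Summary Indexing' and selecting the new index.
action.summary_index = 1
action.summary_index._name = summarytopstatus

# Report that reads the summary back: one summary row per Event_ID per day,
# so the row count is the number of days on the list and the summed field is the total count.
[Days On Top Ten]
search = index="summarytopstatus" search_name="Daily Top Windows Errors - summary" | stats count as Num_Days_On_List, sum(cvp_reserved_count) as Count by Event_ID | sort -Num_Days_On_List
# Look back 30 days of summaries (assumed); widen or narrow to match how long the list should remember.
dispatch.earliest_time = -30d@d
dispatch.latest_time = now
```

Because the summary search runs exactly once per day, each Event_ID contributes at most one summary row per day, which is what makes `stats count` equal the number of days on the list. If the scheduled search is ever re-run for a day that was already summarized, that day is double counted, so back-fill missed days with the fill_summary_index.py script rather than by running the saved search again.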

eelisio2
Path Finder

Note the field in the sum() should be "cvp" underscore "reserved" underscore "count".

0 Karma

hartfoml
Motivator

Matt,

Thanks for asking

I use something like this to get a table with host and event ID for one day:

source="WinEventLog:*" Type="Error" | top host event_id | table host event_id count

0 Karma

hartfoml
Motivator

Yes, I will start with once a day, as the operations team meets every morning to discuss direction and progress.

0 Karma

MHibbin
Influencer

Will this be run once a day? - Scheduled?

0 Karma

hartfoml
Motivator

I might have to put the results in a summary and then go back and get the count of days on the list from there or in a lookup table but I have never done that before.

0 Karma

RicoSuave
Builder

This isn't exactly what you want, but I think it will get you close enough.

yoursearch | bucket _time span=1d as day | eval day=strftime(day, "%Y-%m-%d") | chart count over Event_ID by day

This should produce a nice table with the dates on the top. Then you can sort the counts by day by clicking on them. Run this search over a timeframe of at least 24 hours or greater. My security analysts love this search for security related events.

0 Karma

hartfoml
Motivator

Oh ya, this is good stuff. I like it, but it is not really what I'm looking for here. I will be sure to keep this gem for later. Thanks much, this is a great piece of code.

0 Karma