Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Advanced Search

hartfoml
Motivator
‎11-23-2011 01:35 PM

I have a top ten search fpor windows Errors that I run each day.

My bose want to to know how many days each of the top ten have been on the top ten list

The report should look like this:

Event_ID | Num_Days_On_List | Count

256 | 5 | 256

1056 | 1 | 194

Tags (1)
0 Karma
Reply

eelisio2
Path Finder
‎11-24-2011 03:46 AM

I think Summary Indexing would work for this.

Create a new index for your summary (e.g., summarytopstatus).

Create search to use the sitop command instead of top.
(sourcetype="yoursourcetype" | sitop Event_ID) with a relative timeframe of -1d@d

Edit the search to have it run on a scheduled basis. (every day at midnight)

Check 'Enable Summary Indexing'.
Select your new index.

The following should give your the results you are looking for:

index="summarytopstatus" search_name="yoursearchname" | stats count as Num_Days_On_List , sum(cvp*reserved*count) as TotalCount by Event_ID

Reply

eelisio2
Path Finder
‎11-24-2011 05:30 AM

Note the field in the sum() should be "cvp" underscore "reserved" underscore "count".

0 Karma
Reply

hartfoml
Motivator
‎11-23-2011 02:30 PM

Matt,

Thanks for asking

I use something like this to get a tale with host ahd event ID for one day

"source="WinEventLog:*" Type="Error" | top host event_id | Table host event_id count"

0 Karma
Reply

hartfoml
Motivator
‎11-28-2011 06:23 AM

Yes I will start with once a day as the operations team meets every morning to disuse direction and progress

0 Karma
Reply

MHibbin
Influencer
‎11-24-2011 03:57 AM

Will this be run once a day? - Scheduled?

0 Karma
Reply

hartfoml
Motivator
‎11-23-2011 02:34 PM

I might have to put the results in a summary and then go back and get the count of days on the list from there or in a lookup table but I have never done that before.

0 Karma
Reply

RicoSuave
Builder
‎11-23-2011 02:11 PM

This isn't exactly what you want, but i think it will get you close enough. 

yoursearch | bucket _time span=1d as day | eval day=strftime(day, "%Y-%m-%d") | chart count over Event_ID by day

This should produce a nice table with the dates on the top. Then you can sort the counts by day by clicking on them. Run this search over a timeframe of at least 24 hours or greater. My security analysts love this search for security related events.

0 Karma
Reply

hartfoml
Motivator
‎11-23-2011 02:26 PM

OH Ya this is good stuff. I like it but it is not realy what I'm lloking for here. I will be sure to keep this jem for later. Thanks much this is a great peace of code.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
li.common.scroll-to.top