Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Advanced Search

hartfoml
Motivator
‎11-23-2011 01:35 PM

I have a top ten search fpor windows Errors that I run each day.

My bose want to to know how many days each of the top ten have been on the top ten list

The report should look like this:

Event_ID | Num_Days_On_List | Count

256 | 5 | 256

1056 | 1 | 194

Tags (1)
0 Karma
Reply

eelisio2
Path Finder
‎11-24-2011 03:46 AM

I think Summary Indexing would work for this.

Create a new index for your summary (e.g., summarytopstatus).

Create search to use the sitop command instead of top.
(sourcetype="yoursourcetype" | sitop Event_ID) with a relative timeframe of -1d@d

Edit the search to have it run on a scheduled basis. (every day at midnight)

Check 'Enable Summary Indexing'.
Select your new index.

The following should give your the results you are looking for:

index="summarytopstatus" search_name="yoursearchname" | stats count as Num_Days_On_List , sum(cvp*reserved*count) as TotalCount by Event_ID

Reply

eelisio2
Path Finder
‎11-24-2011 05:30 AM

Note the field in the sum() should be "cvp" underscore "reserved" underscore "count".

0 Karma
Reply

hartfoml
Motivator
‎11-23-2011 02:30 PM

Matt,

Thanks for asking

I use something like this to get a tale with host ahd event ID for one day

"source="WinEventLog:*" Type="Error" | top host event_id | Table host event_id count"

0 Karma
Reply

hartfoml
Motivator
‎11-28-2011 06:23 AM

Yes I will start with once a day as the operations team meets every morning to disuse direction and progress

0 Karma
Reply

MHibbin
Influencer
‎11-24-2011 03:57 AM

Will this be run once a day? - Scheduled?

0 Karma
Reply

hartfoml
Motivator
‎11-23-2011 02:34 PM

I might have to put the results in a summary and then go back and get the count of days on the list from there or in a lookup table but I have never done that before.

0 Karma
Reply

RicoSuave
Builder
‎11-23-2011 02:11 PM

This isn't exactly what you want, but i think it will get you close enough. 

yoursearch | bucket _time span=1d as day | eval day=strftime(day, "%Y-%m-%d") | chart count over Event_ID by day

This should produce a nice table with the dates on the top. Then you can sort the counts by day by clicking on them. Run this search over a timeframe of at least 24 hours or greater. My security analysts love this search for security related events.

0 Karma
Reply

hartfoml
Motivator
‎11-23-2011 02:26 PM

OH Ya this is good stuff. I like it but it is not realy what I'm lloking for here. I will be sure to keep this jem for later. Thanks much this is a great peace of code.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top