Splunk Search

Advanced Search

hartfoml
Motivator

I have a top ten search for Windows Errors that I run each day.

My boss wants to know how many days each of the top ten have been on the top ten list.

The report should look like this:

Event_ID | Num_Days_On_List | Count
256 | 5 | 256
1056 | 1 | 194

0 Karma

eelisio2
Path Finder

I think Summary Indexing would work for this.

Create a new index for your summary (e.g., summarytopstatus).

Create search to use the sitop command instead of top.
(sourcetype="yoursourcetype" | sitop Event_ID) with a relative timeframe of -1d@d

Edit the search to have it run on a scheduled basis. (every day at midnight)

Check 'Enable Summary Indexing'.
Select your new index.

The following should give you the results you are looking for:

index="summarytopstatus" search_name="yoursearchname" | stats count as Num_Days_On_List, sum(cvp_reserved_count) as TotalCount by Event_ID

eelisio2
Path Finder

Note the field in the sum() should be "cvp" underscore "reserved" underscore "count".

0 Karma
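As an added example (mine, not from the original thread or from Splunk), the same "days on the top ten list" report can be built without a summary index by ranking events within each day and keeping only each day's top ten. It assumes the original poster's field names (`event_id`, `Type`) and a search window of whole days (`earliest=-7d@d latest=@d` are assumed values, not from the thread):

```spl
source="WinEventLog:*" Type="Error" earliest=-7d@d latest=@d
| bucket _time span=1d
| stats count by _time event_id
| sort 0 _time -count
| streamstats count as rank by _time
| where rank <= 10
| stats count as Num_Days_On_List sum(count) as Count by event_id
| sort -Num_Days_On_List -Count
```

`bucket _time span=1d` followed by `stats count by _time event_id` gives one count per event ID per day; `sort 0 _time -count` (the `0` lifts the default row limit) orders each day's rows by count, and `streamstats count as rank by _time` numbers them so `where rank <= 10` reproduces that day's top ten. The final `stats` counts the days each ID survived the cut and sums its occurrences across those days. `latest=@d` leaves out the partial current day so every counted day is a full one; if the summary-index approach above is used instead, the same ranking logic can run against the summary search results.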

hartfoml
Motivator

Matt,

Thanks for asking

I use something like this to get a table with host and event ID for one day:

source="WinEventLog:*" Type="Error" | top host event_id | table host event_id count

0 Karma

hartfoml
Motivator

Yes, I will start with once a day, as the operations team meets every morning to discuss direction and progress.

0 Karma

MHibbin
Influencer

Will this be run once a day? Scheduled?

0 Karma

hartfoml
Motivator

I might have to put the results in a summary and then go back and get the count of days on the list from there, or in a lookup table, but I have never done that before.

0 Karma

RicoSuave
Builder

This isn't exactly what you want, but I think it will get you close enough.

yoursearch | bucket _time span=1d as day | eval day=strftime(day, "%Y-%m-%d") | chart count over Event_ID by day

This should produce a nice table with the dates on the top. Then you can sort the counts by day by clicking on them. Run this search over a timeframe of at least 24 hours. My security analysts love this search for security-related events.

0 Karma

hartfoml
Motivator

Oh ya, this is good stuff. I like it, but it is not really what I'm looking for here. I will be sure to keep this gem for later. Thanks much, this is a great piece of code.

0 Karma