Calculate stats over a percentage of the data

gpburgett
Splunk Employee

I got a challenging request from a customer regarding their access logs. They want to monitor access patterns across all the access points in their network by user. Particularly, they are interested in stats for the top 10% of users for each access point (10%: the top ten out of 100 users). I've managed to get most of the info that they want using pretty simple searches, but I'm still stumped on this one:

total number of logins for the top 10% of users by access point

I've tried some things using subsearches and the perc() function, but the search string gets too complicated or I end up doing something that Splunk doesn't like. Maybe I'm overthinking it.

Here's my latest failure (the appendcols and where commands cause the problems):

sourcetype="access_log" |stats count as EVNT by APNUM USERID 
|appendcols [search sourcetype="access_log" | stats count AS EVNTCNT by APNUM USERID
             | stats p90(EVNTCNT) as LIM by APIP| fields APIP LIM ]
| eval USE=if(EVNT<LIM, "NO", "YES")| table APIP, EVNT, LIM, USE| stats sum(EVNT) by APIP| where USE=YES

steveyz
Splunk Employee
sourcetype=wims_auth | stats count as EVNT by APIP MACID | eventstats perc90(EVNT) as cutoff by APIP | where EVNT>=cutoff | stats sum(EVNT) by APIP
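The search above, re-implemented in Python over a constructed event list as an added example (not from this thread or from Splunk): count events per access point and user, compute a per-access-point percentile cutoff the way eventstats does (attached per group, not paired row-by-row like appendcols), then sum the counts of users at or above it. The nearest-rank percentile is an assumption that approximates Splunk's perc90; it is not guaranteed to match exactly.

```python
from collections import Counter, defaultdict
import math

# Constructed sample (not real logs): (APIP, MACID, number of auth events),
# expanded into one tuple per event so the pipeline mirrors raw events.
SAMPLE_EVENTS = [
    (ap, mac)
    for ap, mac, n in [
        ("10.0.0.1", "aa:01", 10), ("10.0.0.1", "aa:02", 3), ("10.0.0.1", "aa:03", 2),
        ("10.0.0.1", "aa:04", 1), ("10.0.0.1", "aa:05", 1),
        ("10.0.0.2", "bb:01", 4), ("10.0.0.2", "bb:02", 4), ("10.0.0.2", "bb:03", 1),
    ]
    for _ in range(n)
]

def count_by_ap_and_user(events):
    """stats count as EVNT by APIP MACID -> {(APIP, MACID): EVNT}"""
    return Counter(events)

def nearest_rank_percentile(values, pct):
    """Nearest-rank percentile (assumed approximation of Splunk's perc<X>)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def cutoff_by_ap(counts, pct=90):
    """eventstats perc90(EVNT) as cutoff by APIP -> {APIP: cutoff}

    Computed per group and looked up per row, so no positional row pairing
    (appendcols pairs row i with row i and silently misaligns groups).
    """
    per_ap = defaultdict(list)
    for (apip, _macid), evnt in counts.items():
        per_ap[apip].append(evnt)
    return {apip: nearest_rank_percentile(v, pct) for apip, v in per_ap.items()}

def top_user_login_totals(events, pct=90):
    """where EVNT>=cutoff | stats sum(EVNT) by APIP -> {APIP: total}"""
    counts = count_by_ap_and_user(events)
    cutoff = cutoff_by_ap(counts, pct)
    totals = Counter()
    for (apip, _macid), evnt in counts.items():
        if evnt >= cutoff[apip]:
            totals[apip] += evnt
    return dict(totals)

if __name__ == "__main__":
    print(top_user_login_totals(SAMPLE_EVENTS))  # {'10.0.0.1': 10, '10.0.0.2': 8}
```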

gpburgett
Splunk Employee

Thanks for the formatting help!

Yes, I mean the same thing when I say "access" and "login". I have a set of access logs and I want to find the total count of accesses for the top 10% of users per access point.


sideview
SplunkTrust

One note is that "| where USE=YES" is going to look for rows where the value of the USE field is equal to the value of the YES field. If you mean the literal 3-character value YES, you have to put the YES in quotes. Where is a little different from search and that's one of the ways.


jrodman
Splunk Employee

Are logins and accesses the same?
Are we starting with the set of logins, and wanting to find, for each access point, the top 10% of users and their count of logins?


jrodman
Splunk Employee

Just tried to hack up the search string to be a bit more readable in answers.


gpburgett
Splunk Employee

The search string got cut off. Here's the complete search:

sourcetype="wims_auth" | stats count as EVNT by APIP MACID
| appendcols [search sourcetype="wims_auth" | stats count AS EVNTCNT by APIP MACID
             | stats p90(EVNTCNT) as LIM by APIP | fields APIP LIM ]
| eval USE=if(EVNT<LIM, "NO", "YES") | table APIP, EVNT, LIM, USE | stats sum(EVNT) by APIP | where USE=YES


gpburgett
Splunk Employee

It looks like the "where" command can only be used after a search string and not after a function. Correct?
