Splunk Search

Calculate stats over a percentage of the data

Splunk Employee

I got a challenging request from a customer regarding their access logs. They want to monitor access patterns across all the access points in their network by user. Particularly, they are interested in stats for the top 10% of users for each access point (10%: the top ten out of 100 users). I've managed to get most of the info that they want using pretty simple searches, but I'm still stumped on this one:

total number of logins for the top 10% of users by access point

I've tried some things using subsearches and the perc() function, but the search string gets too complicated or I end up doing something that Splunk doesn't like. Maybe I'm overthinking it.

Here's my latest failure (the appendcols and where commands cause the problems):

sourcetype="access_log" |stats count as EVNT by APNUM USERID 
|appendcols [search sourcetype="access_log" | stats count AS EVNTCNT by APNUM USERID
             | stats p90(EVNTCNT) as LIM by APIP| fields APIP LIM ]
| eval USE=if(EVNT<LIM, "NO", "YES")| table APIP, EVNT, LIM, USE| stats sum(EVNT) by APIP| where USE=YES

Splunk Employee
sourcetype=wims_auth | stats count as EVNT by APIP MACID | eventstats perc90(EVNT) as cutoff by APIP | where EVNT>=cutoff | stats sum(EVNT) by APIP
0 Karma
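As an added example that is not part of this thread: a Python model of the search in the answer above, run over constructed wims_auth-style log lines, so the per-AP cutoff and the tie handling of "where EVNT>=cutoff" can be checked offline. It assumes a nearest-rank percentile as an approximation of Splunk's perc90().

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample events (not real data). Each line carries the access
# point IP (APIP) and client MAC (MACID) used in the answer's search. The
# per-(APIP, MACID) counts are chosen to exercise the top-10% cutoff and a
# tie exactly at the cutoff on the second access point.
_SPEC = [
    ("10.0.0.1", "aa:00:00:00:00:01", 10),
    ("10.0.0.1", "aa:00:00:00:00:02", 3),
    ("10.0.0.1", "aa:00:00:00:00:03", 1),
    ("10.0.0.1", "aa:00:00:00:00:04", 2),
    ("10.0.0.1", "aa:00:00:00:00:05", 4),
    ("10.0.0.2", "aa:00:00:00:00:06", 5),
    ("10.0.0.2", "aa:00:00:00:00:07", 5),
    ("10.0.0.2", "aa:00:00:00:00:08", 1),
]
SAMPLE_LOG = [
    f"2024-01-01T00:00:00Z action=login APIP={ap} MACID={mac} result=success"
    for ap, mac, n in _SPEC for _ in range(n)
]

_LINE_RE = re.compile(r"APIP=(?P<apip>\S+)\s+MACID=(?P<macid>\S+)")


def percentile_nearest_rank(values, p):
    """Nearest-rank percentile (assumption: approximates Splunk's perc90())."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def top_users_login_total(lines, pct=90):
    """Mirrors: stats count as EVNT by APIP MACID | eventstats perc90(EVNT)
    as cutoff by APIP | where EVNT>=cutoff | stats sum(EVNT) by APIP."""
    evnt = Counter()                      # stats count as EVNT by APIP MACID
    for line in lines:
        m = _LINE_RE.search(line)
        if m:                             # lines lacking the fields drop out
            evnt[(m["apip"], m["macid"])] += 1
    per_ap = defaultdict(list)            # eventstats ... by APIP
    for (apip, _), n in evnt.items():
        per_ap[apip].append(n)
    cutoff = {ap: percentile_nearest_rank(ns, pct) for ap, ns in per_ap.items()}
    total = Counter()                     # where EVNT>=cutoff | stats sum(EVNT)
    for (apip, _), n in evnt.items():
        if n >= cutoff[apip]:             # ties at the cutoff are kept
            total[apip] += n
    return dict(total), cutoff
```

For 10.0.0.2 two users tie at the cutoff of 5, so both are summed; if only a strict top slice is wanted, the >= in the where clause needs to be reconsidered.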

Splunk Employee

Thanks for the formatting help!

Yes, I mean the same thing when I say "access" and "login". I have a set of access logs and I want to find the total count of accesses for the top 10% of users per access point.

0 Karma

SplunkTrust

One note is that "| where USE=YES" is going to look for rows where the value of the USE field is equal to the value of the YES field. If you mean the literal 3-character value YES, you have to put the YES in quotes. Where is a little different from search and that's one of the ways.

0 Karma

Splunk Employee

Are logins and accesses the same?
Are we starting with the set of logins, and wanting to find, for each access point, the top 10% of users and their count of logins?

0 Karma

Splunk Employee

Just tried to hack up the search string to be a bit more readable in answers

0 Karma

Splunk Employee

The search string got cut off. Here's the complete search:

sourcetype="wims_auth" | stats count as EVNT by APIP MACID
| appendcols [search sourcetype="wims_auth" | stats count AS EVNTCNT by APIP MACID
             | stats p90(EVNTCNT) as LIM by APIP | fields APIP LIM ]
| eval USE=if(EVNT<LIM, "NO", "YES") | table APIP, EVNT, LIM, USE | stats sum(EVNT) by APIP | where USE=YES

0 Karma

Splunk Employee

It looks like the "where" command can only be used after a search string and not after a function. Correct?

0 Karma