Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I sort log event patterns by their source types?

alanzchan
Path Finder
‎11-16-2018 12:09 PM

I am trying to identify which source types produce data with the same log format. Currently, I am using this query to show the highest percentage log pattern for access logs in my domain:

sourcetype=*access*| cluster t=.7 labelonly=t | findkeywords labelfield=cluster_label | table sampleEvent percentInInputGroup| sort - percentInInputGroup  |top limit=10 percentInInputGroup

How do I show which source types are being used to produce logs in that pattern group?

Am I approaching this the correct way?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
SplunkTrust
SplunkTrust
‎11-17-2018 05:29 PM

@kmorris comment is spot on imho.
you can start like that for example:
| tstats count as event_count where index=* sourcetype=*access* by punct sourcetype

hope it helps

View solution in original post

Reply
Solved! Jump to solution
Solution

adonio
SplunkTrust
SplunkTrust
‎11-17-2018 05:29 PM

@kmorris comment is spot on imho.
you can start like that for example:
| tstats count as event_count where index=* sourcetype=*access* by punct sourcetype

hope it helps

View solution in original post

Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎11-17-2018 12:37 PM

Try using the punct field. This pulls out all of the punctuation in an event, which can be helpful in identifying similar events.

Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!