Solved: Can I sort log event patterns by their source type...

alanzchan · ‎11-16-2018

I am trying to identify which source types produce data with the same log format. Currently, I am using this query to show the highest percentage log pattern for access logs in my domain:

sourcetype=*access*| cluster t=.7 labelonly=t | findkeywords labelfield=cluster_label | table sampleEvent percentInInputGroup| sort - percentInInputGroup  |top limit=10 percentInInputGroup

How do I show which source types are being used to produce logs in that pattern group?

Am I approaching this the correct way?

adonio · ‎11-17-2018

@kmorris comment is spot on imho.
you can start like that for example:
| tstats count as event_count where index=* sourcetype=*access* by punct sourcetype

hope it helps

View solution in original post

adonio · ‎11-17-2018

@kmorris comment is spot on imho.
you can start like that for example:
| tstats count as event_count where index=* sourcetype=*access* by punct sourcetype

hope it helps

kmorris_splunk · ‎11-17-2018

Try using the punct field. This pulls out all of the punctuation in an event, which can be helpful in identifying similar events.

Can I sort log event patterns by their source types?

Thanks for the Memories! Splunk University, .conf24, and Community Connections

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...