Splunk Search

Can I sort log event patterns by their source types?

alanzchan
Path Finder

I am trying to identify which source types produce data with the same log format. Currently, I am using this query to show the highest percentage log pattern for access logs in my domain:

sourcetype=*access* | cluster t=.7 labelonly=t | findkeywords labelfield=cluster_label | table sampleEvent percentInInputGroup | sort - percentInInputGroup | top limit=10 percentInInputGroup

How do I show which source types are being used to produce logs in that pattern group?

Am I approaching this the correct way?


adonio
Ultra Champion

@kmorris's comment is spot on imho.
You can start like that, for example:
| tstats count as event_count where index=* sourcetype=*access* by punct sourcetype

Hope it helps.


kmorris_splunk
Splunk Employee

Try using the punct field. This pulls out all of the punctuation in an event, which can be helpful in identifying similar events.
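To show what the two answers above rely on, here is an added example (not from any poster and not Splunk's own code) that approximates how the punct field is derived and then groups constructed sample events by pattern and sourcetype, the same pivot as "| tstats count by punct sourcetype". The sourcetype names and log lines are made up for the demonstration, and the punct rule is an approximation: alphanumerics dropped, spaces shown as underscores, first 30 characters kept.

```python
from collections import defaultdict

PUNCT_MAX_LEN = 30  # Splunk keeps only the first 30 characters of punct


def punct(event: str) -> str:
    """Approximate Splunk's punct field: drop letters and digits, show
    whitespace as '_', keep punctuation, truncate to PUNCT_MAX_LEN."""
    out = []
    for ch in event:
        if ch.isalnum():
            continue
        out.append("_" if ch.isspace() else ch)
    return "".join(out)[:PUNCT_MAX_LEN]


def sourcetypes_by_pattern(events):
    """events: iterable of (sourcetype, raw_event).
    Returns {punct: {sourcetype: event_count}}, i.e. the result of
    counting by punct and sourcetype, pivoted per pattern."""
    groups = defaultdict(lambda: defaultdict(int))
    for sourcetype, raw in events:
        groups[punct(raw)][sourcetype] += 1
    return {p: dict(counts) for p, counts in groups.items()}


def shared_patterns(events):
    """Patterns emitted by more than one sourcetype: these are the
    source types that produce data in the same log format."""
    return {p: sorted(counts)
            for p, counts in sourcetypes_by_pattern(events).items()
            if len(counts) > 1}


# Constructed sample events (hypothetical sourcetype names and hosts).
SAMPLE_EVENTS = [
    ("access_combined",
     '10.0.0.5 - - [12/Mar/2024:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"'),
    ("nginx:access",
     '10.0.0.7 - - [12/Mar/2024:10:15:05 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "curl/8.0"'),
    ("access_common",
     '10.0.0.6 - - [12/Mar/2024:10:15:03 +0000] "GET /login HTTP/1.1" 302 0'),
    ("app_json",
     '{"ts":"2024-03-12T10:15:04Z","user":"alice","action":"login"}'),
]

if __name__ == "__main__":
    for pattern, sourcetypes in shared_patterns(SAMPLE_EVENTS).items():
        print(f"{pattern!r}: {sourcetypes}")
```

Only the combined-format pattern is reported as shared, because access_common stops after the byte count and the JSON event has a completely different punctuation skeleton.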
