Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

Can I sort log event patterns by their source types?

alanzchan
Path Finder
โ€Ž11-16-2018 12:09 PM

I am trying to identify which source types produce data with the same log format. Currently, I am using this query to show the highest percentage log pattern for access logs in my domain:

sourcetype=*access*| cluster t=.7 labelonly=t | findkeywords labelfield=cluster_label | table sampleEvent percentInInputGroup| sort - percentInInputGroup  |top limit=10 percentInInputGroup

How do I show which source types are being used to produce logs in that pattern group?

Am I approaching this the correct way?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
SplunkTrust
SplunkTrust
โ€Ž11-17-2018 05:29 PM

@kmorris comment is spot on imho.
you can start like that for example:
| tstats count as event_count where index=* sourcetype=*access* by punct sourcetype

hope it helps

View solution in original post

Reply
Solved! Jump to solution
Solution

adonio
SplunkTrust
SplunkTrust
โ€Ž11-17-2018 05:29 PM

@kmorris comment is spot on imho.
you can start like that for example:
| tstats count as event_count where index=* sourcetype=*access* by punct sourcetype

hope it helps

View solution in original post

Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
โ€Ž11-17-2018 12:37 PM

Try using the punct field. This pulls out all of the punctuation in an event, which can be helpful in identifying similar events.

Reply