Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me with the following stats data query?

jip31
Motivator
‎10-19-2018 06:48 AM

Hello,

I use the request below

index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | eval time = strftime(_time, "%m/%d/%Y %H:%M")  | dedup time | sort -time | table time host Type EventCode Message

I try to do a count by type and by time, but for time, i just need to take into account the month.

I need the same things but by type, by host, and by month.

could you help me please???

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-19-2018 07:07 AM

@jip31,
Try extracting the month(with year)and do the stats

index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | eval time = strftime(_time, "%m/%d/%Y %H:%M")  | dedup time | sort -time | eval mon=strftime(_time,"%Y-%m")|stats count by mon,type

Also, if you are using dedup by time , then it deletes all duplicates just based on time and might affect your count

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution

landen99
Motivator
‎10-22-2018 05:18 AM

To remove duplicates on time and count by eventcode:

index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | dedup _time | bin span=1mon  _time| stats count values(Message)  by EventCode Type host _time

If the field date_month is available, you could use that instead of _time, if you wished.

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎10-21-2018 01:29 PM

Try this-

index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | bin span=1mon  _time| stats count values(Message) values(EventCode) by Type host _time
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎10-21-2018 10:50 PM

hi its close of want i want but there is mistake in the count
on my computer i have :
- october : 3 Avertissement with EventCode 51
- September : 2 Avertissement with EventCode 51 and 4 Erreurs with EventCode 11
So i have 9 events
In your count i have for example 386 Avertissements with EventCode 51 in September!

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎10-22-2018 12:21 AM

Yes but my main problem is the count which is false
when i look my events i have a lot of events which the same time
for example : 10/04/2018 05:44:47 AM
due to this piece of code bin span=1mon _time i cant do a dedup time
have you an idea please??

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎10-21-2018 10:54 PM

@jip31 If you want to do the count by Eventcode then try the below code 

index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | bin span=1mon  _time| stats count values(Message)  by EventCode Type host _time
0 Karma
Reply
Solved! Jump to solution

3no
Communicator
‎10-19-2018 07:10 AM

I'm not sure to understand your request, but I think it should look like someting like that : 

index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | timechart span=1month count by Type

Is that what you're looking for ?

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎10-19-2018 07:07 AM

@jip31,
Try extracting the month(with year)and do the stats

index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | eval time = strftime(_time, "%m/%d/%Y %H:%M")  | dedup time | sort -time | eval mon=strftime(_time,"%Y-%m")|stats count by mon,type

Also, if you are using dedup by time , then it deletes all duplicates just based on time and might affect your count

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎10-21-2018 10:32 PM

Hi i have no result with your query even if when i do index=windows sourcetype="wineventlog:system" SourceName="Disk" (EventCode=7 OR EventCode=11 OR EventCode=51 OR EventCode=52) Type="Critique" OR Type="Avertissement" OR Type="Erreur" | i have results

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-22-2018 04:05 AM

@jip31,
are you getting results after eval mon=strftime(_time,"%Y-%m") and also change type to Type

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎10-22-2018 04:49 AM

yes it was due to Type renjith, many thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...