Splunk Search

Counting how often the mode() value occurs in a result set

moffitt
Engager

I want to query my access logs to learn where the majority of my traffic is coming from in 1 second buckets. This is my query.

sourcetype="access*" | timechart span=1s values(clientip) as ips, mode(clientip) as mode, count(mode) as hits

I get good data results for ips and mode. The first is a list of ip addresses and the second is the most frequent value in that list. The problem with this query is that hits is always zero. Can anyone please tell me how I can count the number of times the mode value appears in the result set?

sideview
SplunkTrust

This should work and it is all in a single search pipeline (no subsearches).

sourcetype="access*" | bin _time span="1s" | eventstats mode(clientip) as modeClientip by _time | eval isModeValue=if(clientip=modeClientip,1,0) | timechart span=1s values(clientip) as ips, mode(clientip) as mode, sum(isModeValue) as hits

eventstats makes a pass through the entire incoming set and paints a little "modeClientip" field on each row. The value of modeClientip will be the mode(clientip) within the given 1 second time bucket. Then we make a little boolean field called isModeValue, and at the end timechart has a very easy job.

Note that the span of the bin command and the span of the timechart command have to match or confusing things might happen.

lguinn2
Legend

Nice - just couldn't think of that!


moffitt
Engager

This works very well. Thank you.


lguinn2
Legend

I don't think there is a way to do this in a simple search. The only way I can think of uses a subsearch.

sourcetype="access*"
| eval modeValue = [ search sourcetype="access*" | timechart span=1s mode(clientip) as mode | return $mode ]
| timechart span=1s values(clientip) as ips, mode(clientip) as mode, count(eval(clientip=modeValue)) as hits

This actually runs through the data twice. The subsearch returns the clientip value that is the most frequent value.

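As an added example that is not part of either answer above and not Splunk's own code, the following Python models the logic both answers implement: bin events into 1 second buckets, find the mode of clientip in each bucket, and count how many events in that bucket carry the mode value. It runs over a few constructed access-log lines so the expected numbers can be checked outside Splunk. The log lines, the regex, and the tie-breaking rule (smallest IP string wins on a tie, which Splunk's mode() does not promise) are assumptions of the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real traffic); three 1-second buckets,
# the last of which is a deliberate tie.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /a HTTP/1.1" 200 612
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /b HTTP/1.1" 200 612
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /c HTTP/1.1" 404 0
198.51.100.9 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612
192.0.2.44 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 612
198.51.100.9 - - [10/Oct/2023:13:55:37 +0000] "GET /x HTTP/1.1" 200 612
192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 612
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 612
"""

# Common/combined log format prefix: clientip ident user [timestamp] (assumed format)
LINE_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_events(text):
    """Yield (bucket, clientip) per parseable line; the bucket is the event time
    truncated to the whole second, like `bin _time span=1s`."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped, as an event with no clientip would be
        ts = datetime.strptime(m.group("ts"), TS_FMT).replace(microsecond=0)
        yield ts.isoformat(), m.group("clientip")


def bucket_mode(ips):
    """mode(clientip) for one bucket, plus the per-IP counts. On a tie the
    smallest IP string wins; that rule is this example's choice."""
    counts = Counter(ips)
    top = max(counts.values())
    return min(ip for ip, n in counts.items() if n == top), counts


def mode_hits_per_second(text):
    """Model of the accepted pipeline:
      eventstats mode(clientip) as modeClientip by _time   -> bucket_mode()
      eval isModeValue=if(clientip=modeClientip,1,0)
      timechart span=1s values(clientip), mode(clientip), sum(isModeValue) as hits
    Returns {bucket: {"ips": [...], "mode": ip, "hits": n}}.
    The original `count(mode)` was always 0 because raw events carry no field
    named `mode`; only the per-bucket result rows do."""
    buckets = defaultdict(list)
    for bucket, ip in parse_events(text):
        buckets[bucket].append(ip)
    rows = {}
    for bucket in sorted(buckets):
        mode, counts = bucket_mode(buckets[bucket])
        hits = sum(1 for ip in buckets[bucket] if ip == mode)  # sum(isModeValue)
        rows[bucket] = {"ips": sorted(counts), "mode": mode, "hits": hits}
    return rows


if __name__ == "__main__":
    for bucket, row in mode_hits_per_second(SAMPLE_LOG).items():
        print(bucket, row["mode"], row["hits"], ",".join(row["ips"]))
```

The model keeps the bin span and the bucket key identical by construction; in SPL that is the point of the note above that the `bin` span and the `timechart` span must match.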