Splunk Search

Extract count of search field(SPL) by re-search?

syloee
Explorer

hello

index=_audit user=admin action=search info=granted search=* | table search_id search
| replace "'search *" WITH "*" IN search
| replace "*'" WITH "*" IN search

I extracted the following result with this command.

search_id search
[ID1] [SPL1]
[ID2] [SPL2]
[ID3] [SPL3]

I want to extract count of search field by re-search.

search_id search  count
[ID1]         [SPL1]   [SPL1-count]
[ID2]         [SPL2]   [SPL2-count]
[ID3]         [SPL3]   [SPL3-count]

I'd appreciate it if you could help me.

Labels (1)
0 Karma

gcusello
Esteemed Legend

Hi @syloee,

is it mandatory for you to have the ID_Search?

because every search has a different id so the count will always be 1.

if you want to know how many times a search was executed you could use:

index=_audit user=admin action=search info=granted search=* 
| stats count BY search
| replace "'search *" WITH "*" IN search
| replace "*'" WITH "*" IN search
| sort -count

Ciao.

Giuseppe

0 Karma

gcusello
Esteemed Legend

Hi @syloee,

let me understand: do you want to know the count of searches?

if this is your need, you could use stats instead table:

index=_audit user=admin action=search info=granted search=* 
| stats count BY search_id search
| replace "'search *" WITH "*" IN search
| replace "*'" WITH "*" IN search

Ciao.

Giuseppe

0 Karma

syloee
Explorer

EX>

search_id search                                                                 count
[ID1]          index=_internal sourcetype=splunkd    10 ( count of index=_internal sourcetype=splunkd)
[ID2]           index=_internal sourcetype=splunk*    100( count of index=_internal sourcetype=splunk*)

NOT _audit log result_count, by re-search

I'd appreciate it if you could help me.

0 Karma
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...