Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract count of search field(SPL) by re-search?

syloee
Explorer
‎10-31-2022 11:26 PM

hello

index=_audit user=admin action=search info=granted search=* | table search_id search
| replace "'search *" WITH "*" IN search
| replace "*'" WITH "*" IN search

I extracted the following result with this command.

search_id search
[ID1] [SPL1]
[ID2] [SPL2]
[ID3] [SPL3]

I want to extract count of search field by re-search.

search_id search  count
[ID1]         [SPL1]   [SPL1-count]
[ID2]         [SPL2]   [SPL2-count]
[ID3]         [SPL3]   [SPL3-count]

I'd appreciate it if you could help me.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-01-2022 02:57 AM

Hi @syloee,

is it mandatory for you to have the ID_Search?

because every search has a different id so the count will always be 1.

if you want to know how many times a search was executed you could use:

index=_audit user=admin action=search info=granted search=* 
| stats count BY search
| replace "'search *" WITH "*" IN search
| replace "*'" WITH "*" IN search
| sort -count

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-31-2022 11:48 PM

Hi @syloee,

let me understand: do you want to know the count of searches?

if this is your need, you could use stats instead table:

index=_audit user=admin action=search info=granted search=* 
| stats count BY search_id search
| replace "'search *" WITH "*" IN search
| replace "*'" WITH "*" IN search

Ciao.

Giuseppe

0 Karma
Reply

syloee
Explorer
‎11-01-2022 12:02 AM

EX>

search_id search                                                                 count
[ID1]          index=_internal sourcetype=splunkd    10 ( count of index=_internal sourcetype=splunkd)
[ID2]           index=_internal sourcetype=splunk*    100( count of index=_internal sourcetype=splunk*)

NOT _audit log result_count, by re-search

I'd appreciate it if you could help me.

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...