Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Finding Events That Occur A Minimum Number of Times per Month

lboro_garyp
Path Finder
‎03-30-2023 07:05 AM

Hi folks, I'm analysing Cisco CallManager telephone call details records that have  been ingested to Splunk. I need to find the extensions that make and receive a minimum number of external calls per month, every month, in the last calendar year to evaluate who should continue to receive PSTN telephone service.

I've managed to identify external calls, classify their callType (in a new field) as Incoming or Outgoing, and create a new field in each event called "activeNumber" that represents the internal number making or receiving the call.

Using

| chart count by activeNumber date_month


I can see a chart of calls per number per month.

 

Using

| stats count by date_month activeNumber | where count > 10


 I can see the same data, but only where the count for any given month is greater than 10.

 

I'm stuck where to go next, though, and I suspect this may not have been entirely the correct route to take. I need to find the activeNumber values that appear at least 10 times *every* month within the search period (12 months, for example). I toyed with the idea of concatenating the month and the activeNumber into a new field in each event that made the activeNumber's appearance in each month unique, but, again, didn't know where to go from there. My other idea was to make a list of activeNumber values for each month and then compare the lists, but wasn't sure how to do that. I suspect that a subsearch may be necessary.

Does anyone have an idea how I'd go about this?

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-30-2023 07:17 AM

I think you're close.  Building on your stats command, another stats will show the activeNumbers with counts greater than 10 for 12 months.

| stats count by date_month activeNumber | where count > 10
| stats count by activeNumber | where count >= 12

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

lboro_garyp
Path Finder
‎03-30-2023 08:08 AM

Thanks for the replies, both of you!

I was, indeed, close. I didn't realise you could continue to process the output of a stats command further, so @richgalloway's solution is pretty obvious when you grok that.

@ITWhisperer, I'd not used eventstats before, so this was a good one to learn. Your code outputs a line for each activeNumber per month, though. So where Rich's outputs a line for every activeNumber that is active in all the months, yours output a line per month per activeNumber. So the overall number of activeNumbers, multiplied by the number of months searched for.

Both answers are great, though, I understand how they work and why they give different values. Thanks both again!

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2023 08:18 AM

Yes, it depends on whether you want to keep all the information created by your stats command or roll it up

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-30-2023 07:17 AM

I think you're close.  Building on your stats command, another stats will show the activeNumbers with counts greater than 10 for 12 months.

| stats count by date_month activeNumber | where count > 10
| stats count by activeNumber | where count >= 12

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2023 07:15 AM

Try something like this

| stats count by date_month activeNumber | where count > 10
| eventstats count as active_months by actveNumber
| eventstats dc(date_month) as all_months
| where active_months == all_months
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...