It will not let me post a comment on the http://splunk-base.splunk.com/answers/70576/break-a-search-down-per-day answer, as it says it has too many letters, so I have to create a new post (sorry if there is a way to post the comment, but I could not see how!).
I have created the below search, but I get the following error when I try to run it, and I cannot see what I have done wrong.
"Error in 'stats' command: The number of wildcards between field specifier '' and rename specifier 'daily_failure_count' do not match. Note: empty field specifiers implies all fields, e.g. sum(*) == sum()"
source="secure" sshd "pam_ldap: error trying to bind as user" | top uid limit=8 | fields - percent | bin _time span=1d | stats count sshd "pam_ldap: error trying to bind as user" AS daily_failure_count by uid _time | where daily_failure_count>=5 | table _time uid daily_failure_count
Well, you need to run stats against a field; you can't just run it against a series of words. Just remove the text and run it as a stats count.
source="secure" sshd "pam_ldap: error trying to bind as user" | top uid limit=8 | fields - percent | bin _time span=1d | stats count AS daily_failure_count by uid _time | where daily_failure_count>=5 | table _time uid daily_failure_count
Thanks, it now lets me run it, but it now does not return any results and says "No matching fields exist".
It does say 147 matching events, but it will not show them.
But I know there should be results to see.
Sorry, I just corrected the error but didn't really read the search. Think it through: you are using top, which does a count, so how can you then bucket this by time? There is no time element to it anymore, as each result has been summarised with a count. Remove the top. Perhaps do something like this:
SEARCHTERMS | bin _time span=1d | stats count AS daily_failure_count by uid _time | where daily_failure_count>4 | table _time uid daily_failure_count | top uid limit=8
Thanks very much it now works!
I still have lots to learn about Splunk 🙂, although I now know a bit more about top and bucket.
The most important thing to remember is that when you pipe to a command you pass the results of the previous command over, so if you do a statistical command that strips away the time element, then you cannot do anything against time in the following commands (well, unless you do some other magic, but let's not overcomplicate it at the moment 😉). Good luck!
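To make the point about piped results concrete, here is the corrected search from the answer above (bin, stats by uid and day, where, table, top) reproduced stage by stage in plain Python over a handful of constructed sshd log lines. This is an added example, not code from the thread or from Splunk; the log line layout, the `uid=` token inside the bind DN, and the day bucketing (floored to UTC midnight) are assumptions made for illustration. A separate helper shows what the original pipeline saw after running `top` first: the `_time` field is simply gone, which is why the later `bin` had nothing to work on.

```python
"""Added example, not from the Splunk Answers thread: the corrected search's
pipeline in plain Python so the data shape between stages is visible."""
import re
from collections import Counter
from datetime import datetime, timezone

PAM_MSG = 'pam_ldap: error trying to bind as user'

# Constructed sample (not real data): (day, uid, number of bind failures).
# The uid= token in the bind DN is an assumption about the message format.
_SPEC = [
    ("2013-05-14", "alice", 6), ("2013-05-15", "alice", 2),
    ("2013-05-14", "bob", 5),   ("2013-05-15", "bob", 5),
    ("2013-05-14", "carol", 3),
]


def build_sample_log():
    """Generate secure-log style lines from _SPEC plus two lines the search must drop."""
    lines = []
    for day, uid, n in _SPEC:
        for i in range(n):
            lines.append(f'{day}T{i:02d}:12:00Z host sshd[41{i}]: {PAM_MSG} '
                         f'"uid={uid},ou=people,dc=example,dc=com" (Invalid credentials)')
    # Noise: a successful sshd login, and the same PAM message from a non-sshd process.
    lines.append('2013-05-14T07:00:00Z host sshd[500]: Accepted publickey for alice')
    lines.append(f'2013-05-14T08:00:00Z host su[600]: {PAM_MSG} '
                 '"uid=dave,ou=people,dc=example,dc=com" (Invalid credentials)')
    return lines


_LINE = re.compile(r'^(\S+) \S+ (\S+)\[\d+\]: (.*)$')
_UID = re.compile(r'uid=([^,"]+)')


def search(lines):
    """Stage 1: source="secure" sshd "pam_ldap: ..." -> one event per matching line,
    each still carrying _time and an extracted uid."""
    events = []
    for line in lines:
        m = _LINE.match(line)
        if not m or m.group(2) != 'sshd' or PAM_MSG not in m.group(3):
            continue
        ts, _, msg = m.groups()
        uid_m = _UID.search(msg)
        if not uid_m:
            continue
        when = datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
        events.append({'_time': when, 'uid': uid_m.group(1)})
    return events


def fields_after_top(events, limit=8):
    """What the first (broken) pipeline handed to bin: top summarises each uid to
    count and percent, so the rows no longer have a _time field to bucket on."""
    counts = Counter(e['uid'] for e in events)
    total = sum(counts.values())
    rows = [{'uid': u, 'count': c, 'percent': 100.0 * c / total}
            for u, c in counts.most_common(limit)]
    return sorted(rows[0].keys()) if rows else []


def daily_failures(events, threshold=4):
    """bin _time span=1d | stats count AS daily_failure_count by uid _time
    | where daily_failure_count > threshold | table _time uid daily_failure_count"""
    # bin: floor each timestamp to its day (UTC midnight here, an assumption).
    binned = Counter((e['uid'], e['_time'].replace(hour=0, minute=0, second=0, microsecond=0))
                     for e in events)
    rows = [{'_time': day.strftime('%Y-%m-%d'), 'uid': uid, 'daily_failure_count': n}
            for (uid, day), n in binned.items() if n > threshold]
    return sorted(rows, key=lambda r: (r['_time'], r['uid']))


def top_uids(rows, limit=8):
    """top uid limit=8 over the filtered table: each uid is ranked by how many
    rows (days over the threshold) it has, with top's percent column."""
    counts = Counter(r['uid'] for r in rows)
    total = sum(counts.values())
    return [(uid, n, round(100.0 * n / total, 2)) for uid, n in counts.most_common(limit)]


if __name__ == '__main__':
    evs = search(build_sample_log())
    print('fields left after running top first:', fields_after_top(evs))
    for row in daily_failures(evs):
        print(row)
    print(top_uids(daily_failures(evs)))
```

Note that `top` at the end of the corrected search ranks uids by the number of days on which they exceeded the threshold, not by raw failure volume; if the goal is the eight noisiest accounts by total failures, a `stats sum(daily_failure_count)` by uid followed by `sort` would express that more directly.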